Hi, I set the email notify level to 3 and tried to log in to serverA through ssh. It works, I receive the email alert.
Thank you! And I have another question: I want to block the user's IP when the user fails to log in more than 3 times with ssh. I use 5712, but it did not work; I have tried failing login more than 10 times and it still does not block me.

Here is my active-response in ossec.conf:

  <active-response>
    <disabled>no</disabled>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>5712</rules_id>
    <level>8</level>
    <timeout>120</timeout>
    <repeated_offenders>60,120,180</repeated_offenders>
  </active-response>

Here are my 5710 and 5712 rule definitions:

  <rule id="5710" level="5">
    <if_sid>5700</if_sid>
    <match>illegal user|invalid user</match>
    <description>sshd: Attempt to login using a non-existent user</description>
    <group>invalid_login,authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_10.6.1,</group>
  </rule>

  <rule id="5711" level="0">
    <if_sid>5700</if_sid>
    <match>authentication failure; logname= uid=0 euid=0 tty=ssh|</match>
    <match>input_userauth_request: invalid user|</match>
    <match>PAM: User not known to the underlying authentication module for illegal user|</match>
    <match>error retrieving information about user</match>
    <description>sshd: Useless/Duplicated SSHD message without a user/ip.</description>
  </rule>

  <rule id="5712" level="10" frequency="6" timeframe="120" ignore="60">
    <if_matched_sid>5710</if_matched_sid>
    <description>sshd: brute force trying to get access to </description>
    <description>the system.</description>
    <same_source_ip />
    <group>authentication_failures,pci_dss_11.4,pci_dss_10.2.4,pci_dss_10.2.5,</group>
  </rule>

On Thursday, June 29, 2017 at 2:19:23 AM UTC+8, migue...@wazuh.com wrote:
>
> Hi,
>
> The email notification is triggered when an alert reaches or exceeds the
> level defined in <email_alert_level> (by default it is set to level 7);
> setting this option to level 3 will send you email notifications for
> successful login attempts.
>
> *<email_alert_level> option reference:*
> http://ossec-docs.readthedocs.io/en/latest/syntax/head_ossec_config.alerts.html#element-email_alert_level
> *Rules classification:*
> http://ossec-docs.readthedocs.io/en/latest/manual/rules-decoders/rule-levels.html
>
> I hope this could help you
>
> Best regards.
>
> On Wednesday, June 28, 2017 at 2:03:23 PM UTC-4, az...@51ecommerce.com wrote:
>>
>> Hello,
>> I've set up the ossec server and agent in my serverS (server) and
>> serverA (agent), but when I log in to serverA, I do not receive the email
>> alert, but if I change something in serverA, I can receive the email alert.
>> So, my question is: how to make an email alert when someone logs in to the
>> system, like ssh, or ftp?
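An added illustration, not part of this thread and not OSSEC's own analysisd code: a simplified Python model of how rule 5712 as posted above correlates events. It shows that 5712 only counts events that already matched 5710 (illegal/invalid user), and needs six of them from the same source IP within the 120-second timeframe; failed passwords for an existing user never feed it. It assumes case-insensitive matching and the constructed sshd lines embedded below.

```python
import re
from collections import defaultdict, deque

# Rule 5710 from the post: <match>illegal user|invalid user</match>
# (assumed case-insensitive here, as sshd logs "Invalid user ...").
RULE_5710 = re.compile(r"illegal user|invalid user", re.IGNORECASE)
# Rule 5712 from the post: frequency="6" timeframe="120" <same_source_ip />
FREQUENCY, TIMEFRAME = 6, 120
SRC_IP = re.compile(r"from (\d+\.\d+\.\d+\.\d+)")


def correlate(events):
    """events: iterable of (timestamp_seconds, sshd_message).
    Returns [(timestamp, ip)] at which the modelled 5712 would fire.
    Simplified model: sliding TIMEFRAME window of 5710 matches per
    source IP; fire once the count reaches FREQUENCY, then reset."""
    window = defaultdict(deque)
    fired = []
    for ts, msg in events:
        if not RULE_5710.search(msg):
            continue  # e.g. "Failed password for root ..." is not a 5710 event
        m = SRC_IP.search(msg)
        if not m:
            continue  # no source IP, so <same_source_ip /> cannot group it
        ip = m.group(1)
        q = window[ip]
        q.append(ts)
        while q and ts - q[0] > TIMEFRAME:
            q.popleft()  # drop matches older than the timeframe
        if len(q) >= FREQUENCY:
            fired.append((ts, ip))
            q.clear()
    return fired


# Constructed sample log: ten wrong passwords for the valid user "root"
# from 192.0.2.10 (never counted), then seven invalid-user attempts
# from 192.0.2.20 five seconds apart (the sixth one fires 5712).
SAMPLE = (
    [(t, "Failed password for root from 192.0.2.10 port 5000 ssh2")
     for t in range(0, 100, 10)]
    + [(200 + i * 5, "Invalid user admin from 192.0.2.20 port 5001")
       for i in range(7)]
)

if __name__ == "__main__":
    print(correlate(SAMPLE))  # [(225, '192.0.2.20')]
```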