Hi,

I set the email notify level to 3 and tried to log in to serverA through 
ssh. It works: I receive the email alert.

Thank you!

And I have another question. I want to block the user's IP when the user 
fails to log in more than 3 times with ssh. I use rule 5712, 
but it did not work: I tried failing the login more than 10 times, and it still does not 
block me.
Here is my active-response in ossec.conf:

<active-response>
  <disabled>no</disabled>
  <command>firewall-drop</command>
  <location>local</location>
  <rules_id>5712</rules_id>
  <level>8</level>
  <timeout>120</timeout>
  <repeated_offenders>60,120,180</repeated_offenders>
</active-response>


Here are my 5710 and 5712 rule definitions:

<rule id="5710" level="5">
  <if_sid>5700</if_sid>
  <match>illegal user|invalid user</match>
  <description>sshd: Attempt to login using a non-existent user</description>
  <group>invalid_login,authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_10.6.1,</group>
</rule>

<rule id="5711" level="0">
  <if_sid>5700</if_sid>
  <match>authentication failure; logname= uid=0 euid=0 tty=ssh|</match>
  <match>input_userauth_request: invalid user|</match>
  <match>PAM: User not known to the underlying authentication module for illegal user|</match>
  <match>error retrieving information about user</match>
  <description>sshd: Useless/Duplicated SSHD message without a user/ip.</description>
</rule>

<rule id="5712" level="10" frequency="6" timeframe="120" ignore="60">
  <if_matched_sid>5710</if_matched_sid>
  <description>sshd: brute force trying to get access to </description>
  <description>the system.</description>
  <same_source_ip />
  <group>authentication_failures,pci_dss_11.4,pci_dss_10.2.4,pci_dss_10.2.5,</group>
</rule>

On Thursday, June 29, 2017 at 2:19:23 AM UTC+8, migue...@wazuh.com wrote:
>
> Hi,
>
> The email notification is triggered when an alert reaches or exceeds the 
> level defined in <email_alert_level> (by default it is set to level 7); 
> setting this option to level 3 will send you email notifications for 
> successful login attempts.
>
> *<email_alert_level> option reference:* 
> http://ossec-docs.readthedocs.io/en/latest/syntax/head_ossec_config.alerts.html#element-email_alert_level
> *Rules classification:* 
> http://ossec-docs.readthedocs.io/en/latest/manual/rules-decoders/rule-levels.html.
>
> I hope this helps you.
>
> Best regards.
>
> On Wednesday, June 28, 2017 at 2:03:23 PM UTC-4, az...@51ecommerce.com 
> wrote:
>>
>> Hello, 
>> I've set up the ossec server and agent on serverS (server) and 
>> serverA (agent), but when I log in to serverA I do not receive the email 
>> alert; if I change something on serverA, I do receive the email alert. 
>> So my question is: how do I make an email alert when someone logs in to the 
>> system, for example via ssh or ftp?
>>
>
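To see what the configuration quoted in this thread actually does end to end, here is an added Python model (not code from the thread, from OSSEC, or from Wazuh) of the chain rule 5710 -> rule 5712 -> firewall-drop, using the exact parameters posted above: 5710 matches "illegal user|invalid user", 5712 needs 6 such matches from the same source IP within 120 s and is then ignored for 60 s, and the active-response requires rule 5712 at level 8 or higher. The sshd log lines are constructed; the class and function names are mine; and treating `<rules_id>` and `<level>` as conditions that must both hold is an assumption. The sample input deliberately includes wrong-password attempts for an existing account, which never match 5710 and therefore never count toward 5712, and invalid-user attempts spaced too far apart to fit the timeframe.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Parameters copied from the rules and <active-response> block quoted in the thread.
# OSSEC pattern matching is case-insensitive, so "Invalid user" from sshd matches "invalid user".
RULE_5710_MATCH = re.compile(r"illegal user|invalid user", re.IGNORECASE)
RULE_5712 = {"level": 10, "frequency": 6, "timeframe": 120, "ignore": 60}
AR_RULES_ID = {5712}   # <rules_id>5712</rules_id>
AR_LEVEL = 8           # <level>8</level>

# Constructed sample sshd syslog lines (not taken from the thread).
SAMPLE_LOGS = (
    # 203.0.113.5: six non-existent-user attempts within 50 s -> 5710 x6, then 5712 fires
    [f"Jun 30 10:00:{s:02d} serverA sshd[2101]: Invalid user admin from 203.0.113.5 port {50000 + s}"
     for s in (0, 10, 20, 30, 40, 50)]
    # 203.0.113.7: eight wrong passwords for an existing account -> no 5710 match at all
    + [f"Jun 30 10:01:{s:02d} serverA sshd[2102]: Failed password for root from 203.0.113.7 port {51000 + s} ssh2"
       for s in range(0, 40, 5)]
    # 203.0.113.9: six non-existent-user attempts one minute apart -> never 6 inside 120 s
    + [f"Jun 30 10:{m:02d}:00 serverA sshd[2103]: Invalid user test from 203.0.113.9 port {52000 + m}"
       for m in range(5, 11)]
)

SYSLOG_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (.*)$")
SRCIP_RE = re.compile(r"\bfrom (\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_line(line, year=2017):
    """Return (epoch_seconds, src_ip, message) for an sshd syslog line, or None if it is not one."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    stamp = " ".join(m.group(1).split())  # collapse syslog's padded day field
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S").timestamp()
    ip = SRCIP_RE.search(m.group(2))
    return ts, (ip.group(1) if ip else None), m.group(2)


class SshBruteForceCorrelator:
    """Simplified model of how the quoted rules turn 5710 matches into a 5712 alert and a block."""

    def __init__(self):
        self.windows = defaultdict(deque)  # src_ip -> timestamps of 5710 alerts inside the timeframe
        self.last_5712 = {}                # src_ip -> when 5712 last fired (for ignore="60")
        self.alert_counts = defaultdict(int)
        self.blocked = []                  # source IPs handed to firewall-drop, in order

    def feed(self, line):
        parsed = parse_line(line)
        if parsed is None:
            return None
        ts, src_ip, msg = parsed
        # Only lines matching 5710 count toward 5712 (<if_matched_sid>5710</if_matched_sid>).
        # A wrong password for an existing account never matches 5710, so 5712 never sees it.
        if not RULE_5710_MATCH.search(msg):
            return None
        self.alert_counts[5710] += 1
        window = self.windows[src_ip]      # <same_source_ip />: one window per source address
        window.append(ts)
        while window and ts - window[0] > RULE_5712["timeframe"]:
            window.popleft()               # drop matches older than timeframe="120"
        if len(window) < RULE_5712["frequency"]:
            return 5710
        last = self.last_5712.get(src_ip)
        if last is not None and ts - last <= RULE_5712["ignore"]:
            return 5710                    # ignore="60": do not re-fire 5712 within 60 s
        self.last_5712[src_ip] = ts
        self.alert_counts[5712] += 1
        self.run_active_response(5712, RULE_5712["level"], src_ip)
        return 5712

    def run_active_response(self, rule_id, level, src_ip):
        # Assumption: with both <rules_id> and <level> configured, both conditions must hold.
        if rule_id in AR_RULES_ID and level >= AR_LEVEL and src_ip:
            self.blocked.append(src_ip)    # stands in for firewall-drop on the "local" host


def run(lines):
    """Feed log lines in order and report alert counts per rule and the IPs that got blocked."""
    correlator = SshBruteForceCorrelator()
    for line in lines:
        correlator.feed(line)
    return {"alerts": dict(correlator.alert_counts), "blocked": correlator.blocked}


if __name__ == "__main__":
    print(run(SAMPLE_LOGS))
```

Running it blocks only 203.0.113.5. The model makes the gap in the quoted setup visible: when a tester repeatedly fails the password for an account that does exist, none of those lines match 5710, so the 5712 counter stays at zero no matter how many attempts are made, and the firewall-drop that is bound to 5712 is never invoked.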

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
