Remember that you need to restart OSSEC after changing the rules. Also, you can use *ossec-logtest* to test your rules.

Regards.

On Thursday, June 29, 2017 at 11:25:17 AM UTC+2, Rahul Tiwari wrote:
>
> I tried this but it's not working. Any other rule or something which I need
> to add?
> As I am new to OSSEC, please help me out.
>
> On Wednesday, June 28, 2017 at 10:40:20 PM UTC+5:30, Jesus Linares wrote:
>>
>> Hi,
>>
>> The *frequency* attribute specifies the number of times (+2) the rule
>> must have matched before firing. In this case, the rule 5720 will be fired
>> if the rule 5716 is fired 8 times (6+2).
>>
>> You must use *frequency="1"* to fire the rule after 3 attempts. Also, it
>> is a good idea to add the *timeframe* attribute.
>>
>> I hope it helps.
>> Regards.
>>
>> On Wednesday, June 28, 2017 at 10:09:56 AM UTC+2, Rahul Tiwari wrote:
>>>
>>> I need to block the user IP after 3 failed login attempts in OSSEC.
>>> I tried the below in the sshd_rules file:
>>>
>>> <rule id="5720" level="10" frequency="6">
>>>   <if_matched_sid>5716</if_matched_sid>
>>>   <same_source_ip />
>>>   <description>Multiple SSHD authentication failures.</description>
>>>   <group>authentication_failures,</group>
>>> </rule>
>>>
>>> But it's blocking the user IP after 10 attempts. Please help me out.
>>>
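
The rule change suggested in the thread, written out as an added example that is not part of the original messages or of the OSSEC rule set. It assumes the override is placed in `local_rules.xml` using the `overwrite="yes"` attribute rather than by editing the stock sshd rules file; the wrapping group name and the `timeframe` value of 120 seconds are constructed for illustration.

```xml
<!-- local_rules.xml (assumed location for the override) -->
<group name="local,syslog,sshd,">

  <!-- Replaces the stock rule 5720.
       frequency="1": per the reply above, the rule fires after
       frequency + 2 matches of rule 5716, i.e. on the 3rd failure.
       timeframe="120": window in seconds in which those matches must
       occur (constructed value, tune to your environment). -->
  <rule id="5720" level="10" frequency="1" timeframe="120" overwrite="yes">
    <if_matched_sid>5716</if_matched_sid>
    <!-- Count only failures coming from the same source IP -->
    <same_source_ip />
    <description>Multiple SSHD authentication failures.</description>
    <group>authentication_failures,</group>
  </rule>

</group>
```

Restart OSSEC after saving the file, then replay three failed-login log lines from one source address through ossec-logtest and confirm that rule 5720 is reported on the third.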