First, sorry for my bad English. I'm a newbie and I have used OSSEC for about 2 weeks. Last week, active response still worked well. But after 2 or 3 days, I checked /var/logs/auth.log and found that there was an SSH brute force attack from an IP to my server. But then I checked the active-response log and found that this IP didn't get blocked by firewall-drop.

Here is the active-response config from ossec.conf:

    <active-response>
      <location>all</location>
      <rules_id>5712</rules_id>
      <timeout>600</timeout>
      <repeated_offenders>10,20,30</repeated_offenders>
    </active-response>

Rule 5712 remains the same as the default in sshd_rules.xml.

Here is the auth.log:

    Jul 3 08:01:51 ubuntu-server sshd[17502]: Received disconnect from 114.113.127.178: 11: Bye Bye [preauth]
    Jul 3 08:01:54 ubuntu-server sshd[17504]: Received disconnect from 114.113.127.178: 11: Bye Bye [preauth]
    Jul 3 08:01:57 ubuntu-server sshd[17506]: Received disconnect from 114.113.127.178: 11: Bye Bye [preauth]
    Jul 3 08:02:00 ubuntu-server sshd[17508]: Received disconnect from 114.113.127.178: 11: Bye Bye [preauth]
    Jul 3 08:02:02 ubuntu-server sshd[17510]: Received disconnect from 114.113.127.178: 11: Bye Bye [preauth]
    Jul 3 08:02:04 ubuntu-server sshd[17512]: Received disconnect from 114.113.127.178: 11: Bye Bye [preauth]
    Jul 3 08:02:07 ubuntu-server sshd[17514]: Received disconnect from 114.113.127.178: 11: Bye Bye [preauth]
    Jul 3 08:02:10 ubuntu-server sshd[17516]: Received disconnect from 114.113.127.178: 11: Bye Bye [preauth]
    Jul 3 08:02:13 ubuntu-server sshd[17518]: Received disconnect from 114.113.127.178: 11: Bye Bye [preauth]
    Jul 3 08:02:16 ubuntu-server sshd[17520]: Received disconnect from 114.113.127.178: 11: Bye Bye [preauth]
    Jul 3 08:02:18 ubuntu-server sshd[17522]: Received disconnect from 114.113.127.178: 11: Bye Bye [preauth]

There are about a hundred of these log lines, all from the same IP, but this IP hasn't been blocked. The active-response log shows nothing about blocking this IP. Has anything happened to the active response or to OSSEC?
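The question above comes down to whether the posted log lines ever reach rule 5712 at all, since an active response bound to a rule id fires only when that rule alerts. The script below is an added example for working that out offline; it is not code from the post or from the OSSEC project. It imitates how an OSSEC composite rule counts parent events from one source IP inside a timeframe (if_matched_sid, frequency, timeframe, same_source_ip). The rule ids and thresholds in it (5710 for "Invalid user", 5712 as six 5710 events in 120 seconds, 100001/100002 as made-up local ids for the preauth disconnect) are assumptions to be checked against the installed sshd_rules.xml, and all log lines are constructed sample data using documentation addresses.

```python
"""Replay sshd auth.log lines through OSSEC-style frequency rules.

Added example, not code from the ossec-list post or the OSSEC project.
Rule ids and thresholds are assumptions; verify them against sshd_rules.xml.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, Iterable, List, Optional

# Syslog line as sshd writes it on Ubuntu: "Jul  3 08:01:51 host sshd[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: (?P<msg>.*)$"
)
IP_RE = re.compile(r"\bfrom (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")

# Atomic (single-line) classifiers. 5710 imitates OSSEC's "non-existent user" rule
# (assumption); 100001 is a made-up local id for the preauth disconnect pattern.
ATOMIC_RULES = [
    (5710, re.compile(r"\b(?:Invalid|illegal) user\b")),
    (100001, re.compile(r"Received disconnect from .*\[preauth\]")),
]


def parse_line(line: str, year: int) -> Optional[Dict]:
    """Turn one auth.log line into an event dict, or None if it is not an sshd line."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    stamp = " ".join(m.group("ts").split())  # syslog omits the year; caller supplies it
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    ip_match = IP_RE.search(m.group("msg"))
    rule = next((rid for rid, rx in ATOMIC_RULES if rx.search(m.group("msg"))), None)
    return {"ts": ts, "ip": ip_match.group("ip") if ip_match else None,
            "rule": rule, "msg": m.group("msg")}


class FrequencyRule:
    """Composite rule: `frequency` events of `parent_id` from one source IP within `timeframe` s."""

    def __init__(self, rule_id: int, parent_id: int, frequency: int, timeframe: int):
        self.rule_id, self.parent_id = rule_id, parent_id
        self.frequency, self.timeframe = frequency, timeframe
        self._windows: Dict[str, deque] = defaultdict(deque)

    def feed(self, event: Dict) -> Optional[Dict]:
        """Return an alert dict when the threshold is reached for this IP, else None."""
        if event["rule"] != self.parent_id or event["ip"] is None:
            return None
        window = self._windows[event["ip"]]
        window.append(event["ts"])
        while (event["ts"] - window[0]).total_seconds() > self.timeframe:
            window.popleft()  # slide the window: forget parent events that are too old
        if len(window) >= self.frequency:
            window.clear()  # count from zero again after firing
            return {"rule": self.rule_id, "ip": event["ip"], "ts": event["ts"]}
        return None


def correlate(lines: Iterable[str], rules: List[FrequencyRule], year: int = 2015) -> List[Dict]:
    """Classify every line, then offer each classified event to every composite rule."""
    alerts = []
    for line in lines:
        event = parse_line(line, year)
        if event is None or event["rule"] is None:
            continue
        alerts.extend(a for a in (rule.feed(event) for rule in rules) if a)
    return alerts


# Constructed sample: 203.0.113.5 produces only preauth disconnects (the shape in the
# post); 198.51.100.7 probes non-existent users; one accepted login is noise.
DISCONNECT_TIMES = ["08:01:51", "08:01:54", "08:01:57", "08:02:00", "08:02:02", "08:02:04",
                    "08:02:07", "08:02:10", "08:02:13", "08:02:16", "08:02:18"]
SAMPLE_LOG = [
    f"Jul  3 {t} ubuntu-server sshd[{17502 + 2 * i}]: Received disconnect from 203.0.113.5: 11: Bye Bye [preauth]"
    for i, t in enumerate(DISCONNECT_TIMES)
] + [
    "Jul  3 08:03:00 ubuntu-server sshd[17530]: Accepted publickey for deploy from 192.0.2.10 port 50022 ssh2",
] + [
    f"Jul  3 08:05:{10 * i:02d} ubuntu-server sshd[{17600 + i}]: Invalid user {u} from 198.51.100.7"
    for i, u in enumerate(["admin", "oracle", "test", "pi", "ubnt", "guest"])
]


def make_rules() -> List[FrequencyRule]:
    """Fresh rule state: the assumed stock brute-force rule plus a hypothetical local one."""
    return [
        FrequencyRule(rule_id=5712, parent_id=5710, frequency=6, timeframe=120),
        FrequencyRule(rule_id=100002, parent_id=100001, frequency=6, timeframe=120),
    ]


def demo() -> Dict:
    """Alert counts per (rule, ip) for the constructed sample."""
    counts: Dict = defaultdict(int)
    for a in correlate(SAMPLE_LOG, make_rules()):
        counts[(a["rule"], a["ip"])] += 1
    return dict(counts)


if __name__ == "__main__":
    for a in correlate(SAMPLE_LOG, make_rules()):
        print(f"{a['ts']:%b %d %H:%M:%S} rule {a['rule']} fired for {a['ip']}")
```

Run as written, the stock-style rule fires once for the "Invalid user" source and never for the disconnect-only source, while the hypothetical local rule fires once for the disconnect-only source. That is the point to confirm on the real box: feed a few of the actual auth.log lines to /var/ossec/bin/ossec-logtest and check which rule id, if any, they trigger, and look in /var/ossec/logs/alerts/alerts.log for a 5712 alert around the time of the scan. If no 5712 alert exists, the active response bound to rules_id 5712 had nothing to act on, and the fix is a rule change (or a local rule for this message shape) rather than an active-response change.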