Re: [ossec-list] OSSEC Active Response Block on pattern-matched SSH user logins

2017-06-30 Thread dan (ddp)
On Thu, Jun 29, 2017 at 4:08 AM, Rahul Tiwari  wrote:
>
>
> I need to block the user's IP after 3 failed login attempts in OSSEC. I
> tried the rule below in the sshd_rules file:
>
> 
> 5716
> 
> Multiple SSHD authentication failures.
> authentication_failures,
>   
>
> But it is blocking the user's IP after 10 attempts. Please help me out.
>

There are 2 other threads asking this same question. Perhaps one of
those will provide you with more information?

>
>
>
> On Friday, June 16, 2017 at 1:16:39 AM UTC+5:30, dan (ddpbsd) wrote:
>>
>> On Thu, Jun 15, 2017 at 6:39 AM, Rahul Tiwari  wrote:
>> > Can you please provide the rule? I am also having the same issue; I need to
>> > block the user after failed attempts.
>> > Please help
>> >
>>
>> What is stopping you from creating a rule?
>> Do you have log samples to help us help you?
>>
>> > On Thursday, April 29, 2010 at 3:41:48 AM UTC+5:30, JL wrote:
>> >>
>> >> Hi all,
>> >>
>> >> Forgive me if this has been covered somewhere, but I haven't come
>> >> across it.
>> >>
>> >>
>> >> Is there a way to have OSSEC Active Response block a particular user
>> >> from logging in? I don't care about thresholds or # of attempts. If I
>> >> see, 'root' for instance, attempting to logon to a server at all, can
>> >> OSSEC match on that and drop that username and source IP immediately?
>> >>
>> >>
>> >> Additionally, one question on timeouts. Is the <timeout> flag in
>> >> seconds or in minutes? If so, I tried setting <timeout>1</timeout>
>> >> but it took 54 seconds to delete from the firewall-drop.sh script. If
>> >> it is in fact in minutes, how would I set it up to unblock in seconds?
>> >> Otherwise, if the flag should be seconds, is there a reason why it
>> >> would take 54 seconds to respond when I set the timeout to 1 second. I
>> >> know this doesn't make much sense (in terms of setting to 1 second)
>> >> but I tested with 5 and even 30 seconds and it still took a minute to
>> >> unblock.
>> >>
>> >> Thanks in advance!
>> >
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google Groups
>> > "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send an
>> > email to ossec-list+...@googlegroups.com.
>> > For more options, visit https://groups.google.com/d/optout.
>



Re: [ossec-list] OSSEC Active Response Block on pattern-matched SSH user logins

2017-06-29 Thread Rahul Tiwari


I need to block the user's IP after 3 failed login attempts in OSSEC. I
tried the rule below in the sshd_rules file:


5716

Multiple SSHD authentication failures.
authentication_failures,
  

But it is blocking the user's IP after 10 attempts. Please help me out.



On Friday, June 16, 2017 at 1:16:39 AM UTC+5:30, dan (ddpbsd) wrote:
>
> On Thu, Jun 15, 2017 at 6:39 AM, Rahul Tiwari  > wrote: 
> > Can you please provide the rule? I am also having the same issue; I need to
> > block the user after failed attempts.
> > Please help
> > 
>
> What is stopping you from creating a rule? 
> Do you have log samples to help us help you? 
>
> > On Thursday, April 29, 2010 at 3:41:48 AM UTC+5:30, JL wrote: 
> >> 
> >> Hi all, 
> >> 
> >> Forgive me if this has been covered somewhere, but I haven't come 
> >> across it. 
> >> 
> >> 
> >> Is there a way to have OSSEC Active Response block a particular user 
> >> from logging in? I don't care about thresholds or # of attempts. If I 
> >> see, 'root' for instance, attempting to logon to a server at all, can 
> >> OSSEC match on that and drop that username and source IP immediately? 
> >> 
> >> 
> >> Additionally, one question on timeouts. Is the <timeout> flag in
> >> seconds or in minutes? If so, I tried setting <timeout>1</timeout>
> >> but it took 54 seconds to delete from the firewall-drop.sh script. If 
> >> it is in fact in minutes, how would I set it up to unblock in seconds? 
> >> Otherwise, if the flag should be seconds, is there a reason why it 
> >> would take 54 seconds to respond when I set the timeout to 1 second. I 
> >> know this doesn't make much sense (in terms of setting to 1 second) 
> >> but I tested with 5 and even 30 seconds and it still took a minute to 
> >> unblock. 
> >> 
> >> Thanks in advance! 
> > 
>

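Rahul's rule above edits a stock rule inside sshd_rules, and the block still fires at a different count than the one he set. As an added example (mine, not Rahul's configuration and nothing shipped with OSSEC), the shell snippet below stages the two fragments that together decide when a block fires: a threshold rule in local_rules.xml (the file Andre recommends later in this thread because upgrades never touch it) and an active-response stanza triggered by that rule's id rather than by an alert level, so no other rule at the same level can fire the same block. Rule id 100100, the staging directory and the 120-second and 600-second values are constructed; 5716 is OSSEC's stock "SSHD authentication failed" rule whose matches are counted. ar_rules_defined is a small consistency check that every rule id an active-response stanza names actually exists in the rules files you pass it. Confirm on your own installation which log line trips the rule by replaying a few failed-login lines through /var/ossec/bin/ossec-logtest before enabling the response.

```shell
#!/bin/sh
# Added example (not from the thread or the OSSEC project): stage a
# local_rules.xml rule that counts sshd authentication failures from one
# source IP, plus the ossec.conf command/active-response pair that blocks
# on THAT rule id. Rule id 100100 is a constructed id in the user-defined
# range (100000+); 5716 is the stock OSSEC "SSHD authentication failed" rule.
# Usage: stage_ossec_block_config /tmp/ossec-stage
#        then copy local_rules.xml to /var/ossec/rules/ and paste
#        active-response.conf inside <ossec_config> in /var/ossec/etc/ossec.conf.

stage_ossec_block_config() {
    dir="$1"
    mkdir -p "$dir" || return 1
    cat > "$dir/local_rules.xml" <<'EOF'
<group name="local,syslog,sshd,">
  <!-- Counts matches of stock rule 5716 (SSHD authentication failed) per
       source IP. frequency is the count threshold; confirm with ossec-logtest
       at which log line your OSSEC version actually fires it. -->
  <rule id="100100" level="10" frequency="3" timeframe="120">
    <if_matched_sid>5716</if_matched_sid>
    <same_source_ip />
    <description>Repeated SSHD authentication failures from one source IP.</description>
    <group>authentication_failures,</group>
  </rule>
</group>
EOF
    cat > "$dir/active-response.conf" <<'EOF'
<command>
  <name>firewall-drop</name>
  <executable>firewall-drop.sh</executable>
  <expect>srcip</expect>
  <timeout_allowed>yes</timeout_allowed>
</command>
<active-response>
  <command>firewall-drop</command>
  <location>local</location>
  <!-- Trigger on the rule id, not on <level>: a level trigger also fires for
       every other rule at or above that level, including stock ones. -->
  <rules_id>100100</rules_id>
  <!-- seconds; firewall-drop.sh is called again with "delete" when it expires -->
  <timeout>600</timeout>
</active-response>
EOF
}

# Consistency check: every <rules_id> the active-response stanza names must be
# defined in the rules files given, otherwise the block is being triggered by
# a rule other than the one you think. Returns 1 and names the missing ids.
# Usage: ar_rules_defined ACTIVE_RESPONSE_FRAGMENT RULES_FILE...
ar_rules_defined() {
    ar="$1"; shift
    status=0
    ids=$(sed -n 's#.*<rules_id>\([0-9, ]*\)</rules_id>.*#\1#p' "$ar" | tr ',' ' ')
    for id in $ids; do
        if ! grep -q "<rule id=\"$id\"" "$@"; then
            echo "active-response references rule $id, which is not defined in: $*" >&2
            status=1
        fi
    done
    return $status
}
```

If ar_rules_defined reports an id that only exists in the stock sshd_rules.xml, pass that file too; the point of the check is to make the trigger rule explicit so the observed count can be traced to one rule.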


Re: [ossec-list] OSSEC Active Response Block on pattern-matched SSH user logins

2017-06-15 Thread dan (ddp)
On Thu, Jun 15, 2017 at 6:39 AM, Rahul Tiwari  wrote:
> Can you please provide the rule? I am also having the same issue; I need to
> block the user after failed attempts.
> Please help
>

What is stopping you from creating a rule?
Do you have log samples to help us help you?

> On Thursday, April 29, 2010 at 3:41:48 AM UTC+5:30, JL wrote:
>>
>> Hi all,
>>
>> Forgive me if this has been covered somewhere, but I haven't come
>> across it.
>>
>>
>> Is there a way to have OSSEC Active Response block a particular user
>> from logging in? I don't care about thresholds or # of attempts. If I
>> see, 'root' for instance, attempting to logon to a server at all, can
>> OSSEC match on that and drop that username and source IP immediately?
>>
>>
>> Additionally, one question on timeouts. Is the <timeout> flag in
>> seconds or in minutes? If so, I tried setting <timeout>1</timeout>
>> but it took 54 seconds to delete from the firewall-drop.sh script. If
>> it is in fact in minutes, how would I set it up to unblock in seconds?
>> Otherwise, if the flag should be seconds, is there a reason why it
>> would take 54 seconds to respond when I set the timeout to 1 second. I
>> know this doesn't make much sense (in terms of setting to 1 second)
>> but I tested with 5 and even 30 seconds and it still took a minute to
>> unblock.
>>
>> Thanks in advance!
>



Re: [ossec-list] OSSEC Active Response Block on pattern-matched SSH user logins

2017-06-15 Thread Rahul Tiwari
Can you please provide the rule? I am also having the same issue; I need to
block the user after failed attempts.
Please help

On Thursday, April 29, 2010 at 3:41:48 AM UTC+5:30, JL wrote:
>
> Hi all, 
>
> Forgive me if this has been covered somewhere, but I haven't come 
> across it. 
>
>
> Is there a way to have OSSEC Active Response block a particular user 
> from logging in? I don't care about thresholds or # of attempts. If I 
> see, 'root' for instance, attempting to logon to a server at all, can 
> OSSEC match on that and drop that username and source IP immediately? 
>
>
> >> Additionally, one question on timeouts. Is the <timeout> flag in
> >> seconds or in minutes? If so, I tried setting <timeout>1</timeout>
> but it took 54 seconds to delete from the firewall-drop.sh script. If 
> it is in fact in minutes, how would I set it up to unblock in seconds? 
> Otherwise, if the flag should be seconds, is there a reason why it 
> would take 54 seconds to respond when I set the timeout to 1 second. I 
> know this doesn't make much sense (in terms of setting to 1 second) 
> but I tested with 5 and even 30 seconds and it still took a minute to 
> unblock. 
>
> Thanks in advance! 
>



Re: [ossec-list] OSSEC Active Response Block on pattern-matched SSH user logins

2010-04-29 Thread Andre Pawlowski


On 04/29/2010 12:11 AM, jplee3 wrote:
> Hi all,
>
> Forgive me if this has been covered somewhere, but I haven't come
> across it.
>
>
> Is there a way to have OSSEC Active Response block a particular user
> from logging in? I don't care about thresholds or # of attempts. If I
> see, 'root' for instance, attempting to logon to a server at all, can
> OSSEC match on that and drop that username and source IP immediately?
>

Yes there is a way. You have to write your own rule for that. Then OSSEC
will block the user immediately.

Here is an example for a decoder and a rule. The decoder for ssh exists
so the rule is enough.

http://www.madirish.net/?article=434

Regards

Andre Pawlowski

---

If an idea does not at first seem absurd, it is no good.
-Albert Einstein


Re: [ossec-list] OSSEC Active Response Block on pattern-matched SSH user logins

2010-04-29 Thread Jeremy Lee
Thanks, I created a new rule in sshd_rules to trip whenever it sees a
Failed password from root message. And it works. The issue is with the way
the blocking is occurring. I can have the firewall-drop.sh script fire
whenever the rule trips, but it will drop the IP completely. I don't want
this to happen. I guess this would go outside of the bounds of OSSEC, but is
there a way to block by user per IP? Sorry if I missed something...

On Wed, Apr 28, 2010 at 10:52 PM, Andre Pawlowski sq...@h4des.org wrote:



> On 04/29/2010 12:11 AM, jplee3 wrote:
>> Hi all,
>>
>> Forgive me if this has been covered somewhere, but I haven't come
>> across it.
>>
>>
>> Is there a way to have OSSEC Active Response block a particular user
>> from logging in? I don't care about thresholds or # of attempts. If I
>> see, 'root' for instance, attempting to logon to a server at all, can
>> OSSEC match on that and drop that username and source IP immediately?
>>
>
> Yes there is a way. You have to write your own rule for that. Then OSSEC
> will block the user immediately.
>
> Here is an example for a decoder and a rule. The decoder for ssh exists
> so the rule is enough.
>
> http://www.madirish.net/?article=434
>
> Regards
>
> Andre Pawlowski
>
> ---
>
> If an idea does not at first seem absurd, it is no good.
> -Albert Einstein



Re: [ossec-list] OSSEC Active Response Block on pattern-matched SSH user logins

2010-04-29 Thread Andre Pawlowski
Hi,

first you should write the rule in the local_rules. This file will never
be touched when you upgrade OSSEC.

And if I understand you right, you just want to block the user from
accessing the system via ssh, right? You can write your own
active-response script for example. A script that will add the user to a
list that isn't allowed to access the system via ssh for example. You
should take a look to the sshd_config manual for options like this.

Regards

Andre Pawlowski

---

Any fool can write code that a computer can understand.
Good programmers write code that humans can understand.
-Martin Fowler

On 04/29/2010 05:38 PM, Jeremy Lee wrote:
> Thanks, I created a new rule in sshd_rules to trip whenever it sees a
> Failed password from root message. And it works. The issue is with the
> way the blocking is occurring. I can have the firewall-drop.sh script
> fire whenever the rule trips, but it will drop the IP completely. I
> don't want this to happen. I guess this would go outside of the bounds
> of OSSEC, but is there a way to block by user per IP? Sorry if I missed
> something...
>
> On Wed, Apr 28, 2010 at 10:52 PM, Andre Pawlowski sq...@h4des.org wrote:
>
>> On 04/29/2010 12:11 AM, jplee3 wrote:
>>> Hi all,
>>>
>>> Forgive me if this has been covered somewhere, but I haven't come
>>> across it.
>>>
>>>
>>> Is there a way to have OSSEC Active Response block a particular user
>>> from logging in? I don't care about thresholds or # of attempts. If I
>>> see, 'root' for instance, attempting to logon to a server at all, can
>>> OSSEC match on that and drop that username and source IP immediately?
>>>
>>
>> Yes there is a way. You have to write your own rule for that. Then OSSEC
>> will block the user immediately.
>>
>> Here is an example for a decoder and a rule. The decoder for ssh exists
>> so the rule is enough.
>>
>> http://www.madirish.net/?article=434
>>
>> Regards
>>
>> Andre Pawlowski
>>
>> ---
>>
>> If an idea does not at first seem absurd, it is no good.
>> -Albert Einstein
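Jeremy asks above for a block per user and IP instead of dropping the whole address, and Andre's reply suggests a custom active-response script that puts the user on a list sshd refuses. One way to build that, as an added example that is not code from either poster or from the OSSEC project: sshd_config's DenyUsers accepts USER@HOST patterns, so the script writes one line of the form "DenyUsers root@203.0.113.7" per block into a file it alone owns. Assumptions: sshd_config includes /etc/ssh/sshd_config.d/*.conf (the Include directive, OpenSSH 8.2 or later; on older sshd point DENY_FILE at sshd_config itself), the script is installed under /var/ossec/active-response/bin/ and named by a <command> whose <expect> covers both user and srcip, and SSHD_TEST and RELOAD_CMD match the host. The argument order (add or delete, user, source IP) is the convention firewall-drop.sh uses, so the <timeout> expiry calls the script again with delete. DenyUsers only affects new connections; a session already open from that user and host is not cut.

```shell
#!/bin/sh
# ssh-deny-user-host.sh: OSSEC active-response script that blocks ONE user
# from ONE source host with sshd's "DenyUsers USER@HOST" pattern instead of
# dropping the whole IP the way firewall-drop.sh does.
# Added example, not part of the thread or the OSSEC project. Argument
# convention of OSSEC's stock scripts: $1 = add|delete, $2 = user,
# $3 = source IP; OSSEC calls "delete" when the <timeout> expires.
# Assumptions (override via environment): sshd_config has
#   Include /etc/ssh/sshd_config.d/*.conf   (OpenSSH 8.2+)
# so this script only ever owns DENY_FILE; SSHD_TEST validates the config
# and RELOAD_CMD reloads sshd on this host.

DENY_FILE="${DENY_FILE:-/etc/ssh/sshd_config.d/ossec-deny.conf}"
SSHD_TEST="${SSHD_TEST:-/usr/sbin/sshd -t}"
RELOAD_CMD="${RELOAD_CMD:-systemctl reload sshd}"

# Only plain usernames and IPv4/IPv6 literals reach the config file, and "-"
# (a placeholder, not a name) is rejected, so a crafted log line cannot
# smuggle an extra sshd directive or a newline into DENY_FILE.
valid_user() { case "$1" in ''|-|*[!A-Za-z0-9_.-]*) return 1 ;; *) return 0 ;; esac; }
valid_host() { case "$1" in ''|*[!0-9A-Fa-f:.]*) return 1 ;; *) return 0 ;; esac; }

# True if USER@HOST is already denied.
deny_present() {
    [ -f "$DENY_FILE" ] && grep -Fxq "DenyUsers $1@$2" "$DENY_FILE"
}

# Append "DenyUsers USER@HOST" (idempotent). Only new sessions are affected;
# an already-open session from that user and host is not cut.
deny_add() {
    valid_user "$1" && valid_host "$2" || { echo "refusing to deny '$1@$2'" >&2; return 2; }
    deny_present "$1" "$2" && return 0
    mkdir -p "$(dirname "$DENY_FILE")" || return 1
    printf 'DenyUsers %s@%s\n' "$1" "$2" >> "$DENY_FILE"
}

# Remove exactly the line deny_add wrote for USER@HOST.
deny_delete() {
    valid_user "$1" && valid_host "$2" || return 2
    [ -f "$DENY_FILE" ] || return 0
    tmp="$DENY_FILE.$$"
    # grep -v exits 1 when nothing is left to print, which is not an error here
    if grep -Fxv "DenyUsers $1@$2" "$DENY_FILE" > "$tmp"; then rc=0; else rc=$?; fi
    if [ "$rc" -gt 1 ]; then rm -f "$tmp"; return 1; fi
    mv "$tmp" "$DENY_FILE"
}

# Never reload sshd on a configuration it rejects: a bad line would otherwise
# also keep sshd from starting at the next restart.
apply_and_reload() {
    if ! $SSHD_TEST; then
        echo "sshd -t rejected the configuration; not reloading" >&2
        return 3
    fi
    $RELOAD_CMD
}

main() {
    case "${1:-}" in
        add)    deny_add "$2" "$3" ;;
        delete) deny_delete "$2" "$3" ;;
        *)      echo "usage: $0 add|delete USER SRCIP" >&2; return 1 ;;
    esac && apply_and_reload
}

# Run only when invoked with arguments, as OSSEC's execd always does.
if [ $# -gt 0 ]; then main "$@"; fi
```

The user and host are validated before anything is written because both values come straight from a log line the remote party composed; and because sshd -t runs before every reload, a line sshd would reject never reaches the running daemon.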
 
 


[ossec-list] OSSEC Active Response Block on pattern-matched SSH user logins

2010-04-28 Thread jplee3
Hi all,

Forgive me if this has been covered somewhere, but I haven't come
across it.


Is there a way to have OSSEC Active Response block a particular user
from logging in? I don't care about thresholds or # of attempts. If I
see, 'root' for instance, attempting to logon to a server at all, can
OSSEC match on that and drop that username and source IP immediately?


Additionally, one question on timeouts. Is the timeout flag in
seconds or in minutes? If so, I tried setting <timeout>1</timeout>
but it took 54 seconds to delete from the firewall-drop.sh script. If
it is in fact in minutes, how would I set it up to unblock in seconds?
Otherwise, if the flag should be seconds, is there a reason why it
would take 54 seconds to respond when I set the timeout to 1 second. I
know this doesn't make much sense (in terms of setting to 1 second)
but I tested with 5 and even 30 seconds and it still took a minute to
unblock.

Thanks in advance!