Re: [ossec-list] OSSEC Active Response Block on pattern-matched SSH user logins

2017-06-29 Thread Rahul Tiwari



I need to block the user IP after 3 failed login attempts in OSSEC. I 
tried the below in the sshd_rules file:


5716

Multiple SSHD authentication failures.
authentication_failures,
  

But it's blocking the user IP after 10 attempts. Please help me out.



On Friday, June 16, 2017 at 1:16:39 AM UTC+5:30, dan (ddpbsd) wrote:
>
> On Thu, Jun 15, 2017 at 6:39 AM, Rahul Tiwari <rtiwa...@gmail.com> wrote: 
> > Can you please provide the rule? I am also having the same issue. I need to 
> > block the user after failed attempts. 
> > Please help 
> > 
>
> What is stopping you from creating a rule? 
> Do you have log samples to help us help you? 
>
> > On Thursday, April 29, 2010 at 3:41:48 AM UTC+5:30, JL wrote: 
> >> 
> >> Hi all, 
> >> 
> >> Forgive me if this has been covered somewhere, but I haven't come 
> >> across it. 
> >> 
> >> 
> >> Is there a way to have OSSEC Active Response block a particular user 
> >> from logging in? I don't care about thresholds or # of attempts. If I 
> >> see, 'root' for instance, attempting to logon to a server at all, can 
> >> OSSEC match on that and drop that username and source IP immediately? 
> >> 
> >> 
> >> Additionally, one question on timeouts. Is the  flag in 
> >> seconds or in minutes? If so, I tried setting "1" 
> >> but it took 54 seconds to delete from the firewall-drop.sh script. If 
> >> it is in fact in minutes, how would I set it up to unblock in seconds? 
> >> Otherwise, if the flag should be seconds, is there a reason why it 
> >> would take 54 seconds to respond when I set the timeout to 1 second. I 
> >> know this doesn't make much sense (in terms of setting to 1 second) 
> >> but I tested with 5 and even 30 seconds and it still took a minute to 
> >> unblock. 
> >> 
> >> Thanks in advance! 
> > 
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [ossec-list] OSSEC Active Response Block on pattern-matched SSH user logins

2017-06-15 Thread Rahul Tiwari
Can you please provide the rule? I am also having the same issue. I need to 
block the user after failed attempts.
Please help

On Thursday, April 29, 2010 at 3:41:48 AM UTC+5:30, JL wrote:
>
> Hi all, 
>
> Forgive me if this has been covered somewhere, but I haven't come 
> across it. 
>
>
> Is there a way to have OSSEC Active Response block a particular user 
> from logging in? I don't care about thresholds or # of attempts. If I 
> see, 'root' for instance, attempting to logon to a server at all, can 
> OSSEC match on that and drop that username and source IP immediately? 
>
>
> Additionally, one question on timeouts. Is the  flag in 
> seconds or in minutes? If so, I tried setting "1" 
> but it took 54 seconds to delete from the firewall-drop.sh script. If 
> it is in fact in minutes, how would I set it up to unblock in seconds? 
> Otherwise, if the flag should be seconds, is there a reason why it 
> would take 54 seconds to respond when I set the timeout to 1 second. I 
> know this doesn't make much sense (in terms of setting to 1 second) 
> but I tested with 5 and even 30 seconds and it still took a minute to 
> unblock. 
>
> Thanks in advance! 
>



[ossec-list] Block ssh user ip after failed login attempt in OSSEC

2017-06-28 Thread Rahul Tiwari


I need to block the user IP after 3 failed login attempts in OSSEC. I 
tried the below in the sshd_rules file:


5716

Multiple SSHD authentication failures.
authentication_failures,
  

But it's blocking the user IP after 10 attempts. Please help me out.
