<https://stackoverflow.com/questions/44796772/block-ssh-user-ip-after-failed-login-attempt-in-ossec#>
I need to block the user IP after 3 failed login attempts in OSSEC. I
tried the below in the sshd_rules file:
5716
Multiple SSHD authentication failures.
authentication_failures,
But it's blocking the user IP after 10 attempts. Please help me out.
On Friday, June 16, 2017 at 1:16:39 AM UTC+5:30, dan (ddpbsd) wrote:
>
> On Thu, Jun 15, 2017 at 6:39 AM, Rahul Tiwari <rtiwa...@gmail.com> wrote:
> > Can you please provide the rule? I am also having the same issue; I need to
> > block the user after failed attempts.
> > Please help.
> >
>
> What is stopping you from creating a rule?
> Do you have log samples to help us help you?
>
> > On Thursday, April 29, 2010 at 3:41:48 AM UTC+5:30, JL wrote:
> >>
> >> Hi all,
> >>
> >> Forgive me if this has been covered somewhere, but I haven't come
> >> across it.
> >>
> >>
> >> Is there a way to have OSSEC Active Response block a particular user
> >> from logging in? I don't care about thresholds or # of attempts. If I
> >> see, 'root' for instance, attempting to logon to a server at all, can
> >> OSSEC match on that and drop that username and source IP immediately?
> >>
> >>
> >> Additionally, one question on timeouts. Is the flag in
> >> seconds or in minutes? If so, I tried setting "1"
> >> but it took 54 seconds to delete from the firewall-drop.sh script. If
> >> it is in fact in minutes, how would I set it up to unblock in seconds?
> >> Otherwise, if the flag should be seconds, is there a reason why it
> >> would take 54 seconds to respond when I set the timeout to 1 second. I
> >> know this doesn't make much sense (in terms of setting to 1 second)
> >> but I tested with 5 and even 30 seconds and it still took a minute to
> >> unblock.
> >>
> >> Thanks in advance!
> >
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google Groups
> > "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to ossec-list+...@googlegroups.com.
> > For more options, visit https://groups.google.com/d/optout.
>