Hi Leif,
If you are seeing the file being touched, it is because ossec is accessing it. However, by default, ossec will remove the block after 10 minutes. You mentioned you changed the timeout to 24 hours, can you show us your ossec.conf file?

In addition to that, ossec logs all responses at /var/ossec/active-response/ossec-hids-responses.log. Do you see any entry in there? Is there anything at /var/ossec/logs/ossec.log that indicates an error?

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On 10/18/06, Leif Kennedy <[EMAIL PROTECTED]> wrote:
Hello,

I have version 0.9.2 of Ossec and am having issues with addresses not being added to hosts.deny when an active response is triggered. I have the active response set up to fire the host.deny command at level 10. I am seeing the /etc/hosts.deny file being touched at that time, but no entries are being added. I have the timeout set for 24 hrs.

Any help would be appreciated.

Received From: *->/var/log/secure
Rule: 5712 fired (level 10) -> "SSHD brute force trying to get access to the system."
Portion of the log(s):

sshd[17033]: Failed password for invalid user admin from ::ffff:82.77.140.41 port 62783 ssh2
sshd[17033]: Invalid user admin from ::ffff:82.77.140.41
sshd[17031]: Failed password for invalid user fluffy from ::ffff:82.77.140.41 port 62619 ssh2
sshd[17031]: Invalid user fluffy from ::ffff:82.77.140.41
sshd[17029]: Failed password for invalid user slasher from ::ffff:82.77.140.41 port 62485 ssh2
sshd[17029]: Invalid user slasher from ::ffff:82.77.140.41
sshd[17025]: Failed password for invalid user sifak from ::ffff:82.77.140.41 port 62357 ssh2
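The check suggested in the reply at the top of this thread (compare what the active-response log recorded against what is actually in hosts.deny) can be scripted. The following is an added example, not part of the original messages or of OSSEC itself. The function name missing_denies is hypothetical, and the log line layout ("<date> .../host-deny.sh add|delete <user> <ip> ...") and the "ALL:<ip>" hosts.deny entry format are assumptions about what host-deny.sh writes on Linux.

```shell
#!/bin/sh
# missing_denies RESPONSES_LOG HOSTS_DENY
# Prints every IP whose most recent logged host-deny action is "add"
# (i.e. the block has not timed out yet) but which has no matching
# "ALL:<ip>" line in the hosts.deny file.
missing_denies() {
    responses_log=$1
    hosts_deny=$2
    awk '
        /host-deny\.sh/ {
            # Locate the script path, then read: action, user, ip.
            for (i = 1; i + 3 <= NF; i++) {
                if ($i ~ /host-deny\.sh$/ &&
                    ($(i + 1) == "add" || $(i + 1) == "delete")) {
                    last[$(i + 3)] = $(i + 1)
                }
            }
        }
        END { for (ip in last) if (last[ip] == "add") print ip }
    ' "$responses_log" | sort | while read -r ip; do
        # -F -x: fixed string, whole-line match, so 1.2.3.4 != 1.2.3.40
        grep -q -F -x "ALL:$ip" "$hosts_deny" 2>/dev/null || echo "$ip"
    done
}

# Constructed sample data (documentation addresses, not from a real host).
tmp=$(mktemp -d)
cat > "$tmp/responses.log" <<'EOF'
Wed Oct 18 10:00:01 EDT 2006 /var/ossec/active-response/bin/host-deny.sh add - 192.0.2.10 1161180001.1001 5712
Wed Oct 18 10:05:07 EDT 2006 /var/ossec/active-response/bin/host-deny.sh add - 192.0.2.20 1161180307.1002 5712
Wed Oct 18 10:15:07 EDT 2006 /var/ossec/active-response/bin/host-deny.sh delete - 192.0.2.20 1161180307.1002 5712
EOF
printf 'ALL:198.51.100.5\n' > "$tmp/hosts.deny"
# 192.0.2.10 was added and never removed, yet is absent from hosts.deny.
missing_denies "$tmp/responses.log" "$tmp/hosts.deny"
rm -rf "$tmp"
```

On a live system the two arguments would be /var/ossec/active-response/ossec-hids-responses.log and /etc/hosts.deny; any address printed is one where the response fired but the entry was never written.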
