Deltamails,

Active Response may already be doing this for you. Check out the active 
response log.

By default, Active Response only locks out an IP for five minutes, then 
re-enables it. You can extend this by increasing the appropriate value 
from 300 in ossec.conf.

You could probably arrange it so that the list of blocked IPs only ever 
grows, and never unblocks them, but I can't get at my OSSEC machine right 
now to verify how.

...probably should have just shut up and let Daniel answer. :-)

--
Thorne Lawler

Technical Consultant
ICT Outsourcing Services | Infrastructure Services | Unix Storage and 
Delivery
KAZ Group Pty Ltd
360 Elizabeth Street | Melbourne Victoria 3000
(03) 9631 1747 | 0408 491 552 | Fax: (03) 9654 7334
[EMAIL PROTECTED]  |  www.kaz-group.com
--------------------------------------------------------------------------------
This communication may contain confidential information and/or copyright
material of KAZ Group Pty Ltd ABN 25 002 124 405 and its related bodies
corporate.  It may also be the subject of legal professional privilege. If you
are not an intended recipient, you must not keep, forward, copy, use, save or
rely on this communication and any such action is unauthorised and prohibited.
If you have received this communication in error, please reply to this e-mail
to notify the sender of its incorrect delivery, and then delete both it and
your reply.




[EMAIL PROTECTED]
Sent by: [email protected]
17/05/2007 08:32 AM
Please respond to [email protected]

To: [EMAIL PROTECTED]
cc:
Subject: [ossec-list] How to disable IP's trying brute force? Error Alert 10

I am getting brute force detection alerts. Is it possible to block the IP 
which tries more than 5 bad login attempts?
 
Thanks
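
An added example, not part of the original thread and not OSSEC's own code: a small script that reads the active response log mentioned in the reply and reports how long each IP stayed blocked and which IPs are still blocked, which is a quick way to confirm the timeout actually in effect. The log layout, the sample lines and the default path /var/ossec/logs/active-responses.log are assumptions made for illustration.

```python
from datetime import datetime

# Constructed sample lines (not from the original thread). Assumed layout, as
# appended by the stock active-response scripts:
#   <output of `date`> <script> <add|delete> <user> <srcip> <alert id> <rule id>
SAMPLE_LOG = """\
Thu May 17 08:30:02 EST 2007 /var/ossec/active-response/bin/firewall-drop.sh add - 192.0.2.10 1179354602.4021 5712
Thu May 17 08:31:40 EST 2007 /var/ossec/active-response/bin/firewall-drop.sh add - 198.51.100.7 1179354700.4388 5712
Thu May 17 08:35:02 EST 2007 /var/ossec/active-response/bin/firewall-drop.sh delete - 192.0.2.10 1179354602.4021 5712
this line is truncated
"""

def parse_line(line):
    """Return (timestamp, script, action, ip, rule_id), or None if malformed."""
    f = line.split()
    if len(f) < 12 or f[7] not in ("add", "delete"):
        return None
    try:
        # Skip the timezone token f[4]; strptime handles abbreviations poorly.
        ts = datetime.strptime(" ".join(f[1:4] + [f[5]]), "%b %d %H:%M:%S %Y")
    except ValueError:
        return None
    return ts, f[6].rsplit("/", 1)[-1], f[7], f[9], f[11]

def summarize(text):
    """Pair add/delete events; return (released, still_blocked)."""
    active, released = {}, []
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue                      # ignore lines we cannot parse
        ts, script, action, ip, _rule = ev
        key = (script, ip)
        if action == "add":
            active.setdefault(key, ts)    # keep the earliest unmatched add
        elif key in active:
            start = active.pop(key)
            released.append((ip, script, int((ts - start).total_seconds())))
    return released, active

if __name__ == "__main__":
    released, active = summarize(SAMPLE_LOG)
    for ip, script, secs in released:
        print(f"{ip} was blocked by {script} for {secs}s")
    for (script, ip), since in active.items():
        print(f"{ip} still blocked by {script} since {since}")
```

To run it against a real log, pass the file's contents to summarize() instead of SAMPLE_LOG; an IP that only ever appears with "add" entries is one that was never unblocked.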


