Hi Thorne,

You are right, ossec will by default block the ip address for only a limited period of time. Check at /var/ossec/logs/active-response.log for a list of IP addresses that were blocked.

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On 5/16/07, Thorne Lawler <[EMAIL PROTECTED]> wrote:
>
> Deltamails,
>
> Active Response may already be doing this for you. Check out the active
> response log.
>
> By default, Active Response only locks out an IP for five minutes, then
> re-enables it. You can extend this by increasing the appropriate value
> from 300 in ossec.conf.
>
> You could probably arrange it so that the list of blocked IPs only ever
> grows, and never unblocks them, but I can't get at my OSSEC machine right
> now to verify how.
>
> ...probably should have just shut up and let Daniel answer. :-)
>
> --
> Thorne Lawler
>
> Technical Consultant
> ICT Outsourcing Services | Infrastructure Services | Unix Storage and
> Delivery
> KAZ Group Pty Ltd
> 360 Elizabeth Street | Melbourne Victoria 3000
> (03) 9631 1747 | 0408 491 552 | Fax: (03) 9654 7334
> [EMAIL PROTECTED] | www.kaz-group.com
> --------------------------------------------------------------------------------
> This communication may contain confidential information and/or copyright
> material of KAZ Group Pty Ltd ABN 25 002 124 405 and its related bodies
> corporate. It may also be the subject of legal professional privilege. If
> you are not an intended recipient, you must not keep, forward, copy, use,
> save or rely on this communication and any such action is unauthorised and
> prohibited. If you have received this communication in error, please reply
> to this e-mail to notify the sender of its incorrect delivery, and then
> delete both it and your reply
>
> [EMAIL PROTECTED]
> Sent by: [email protected]
> 17/05/2007 08:32 AM
> Please respond to: [email protected]
>
> To: [EMAIL PROTECTED]
> cc:
> Subject: [ossec-list] How to disable IP's trying brute force? Error Alert 10
>
> I am getting brute force detection alerts. Is it possible to block the IP
> which tries more than 5 bad login attempts?
>
> Thanks
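
One way to read the active-response log mentioned in the reply and see which addresses are still blocked and which have already been released after the timeout. This is an added example, not part of the thread and not OSSEC's own code. It assumes the entry layout written by the stock host-deny.sh and firewall-drop.sh scripts (date, script path, add or delete, user, source IP, alert id, rule id); the function names and the sample entries are constructed.

```shell
#!/bin/sh
# Assumed entry layout (stock host-deny.sh / firewall-drop.sh):
#   <date output> <script path> <add|delete> <user> <srcip> <alert id> <rule id>

# Constructed sample entries (documentation address ranges, not real data).
sample_log() {
    cat <<'EOF'
Thu May 17 08:30:01 EST 2007 /var/ossec/active-response/bin/host-deny.sh add - 192.0.2.10 1179354601.1234 5712
Thu May 17 08:30:01 EST 2007 /var/ossec/active-response/bin/firewall-drop.sh add - 192.0.2.10 1179354601.1234 5712
Thu May 17 08:31:15 EST 2007 /var/ossec/active-response/bin/firewall-drop.sh add - 198.51.100.7 1179354675.2211 5712
Thu May 17 08:35:01 EST 2007 /var/ossec/active-response/bin/host-deny.sh delete - 192.0.2.10 1179354601.1234 5712
Thu May 17 08:35:01 EST 2007 /var/ossec/active-response/bin/firewall-drop.sh delete - 192.0.2.10 1179354601.1234 5712
EOF
}

# Print "<ip> <block events> <blocked|released>" for each address, sorted.
# Reads the files given as arguments, or stdin when there are none.
ar_summary() {
    awk '
    {
        # The date prefix varies with locale, so find the action word itself.
        for (i = 2; i <= NF - 2; i++)
            if ($i == "add" || $i == "delete") break
        if (i > NF - 2) next                 # not an active-response entry
        script = $(i - 1); ip = $(i + 2); alert = $(i + 3)
        if ($i == "add") {
            # Several scripts may fire for one alert: count the alert once.
            if (!((ip, alert) in seen)) { seen[ip, alert] = 1; events[ip]++ }
            if (!((script, ip) in active)) { active[script, ip] = 1; held[ip]++ }
        } else if ((script, ip) in active) {
            # The timeout expired and this script undid its block.
            delete active[script, ip]; held[ip]--
        }
    }
    END {
        for (ip in events)
            print ip, events[ip], (held[ip] > 0 ? "blocked" : "released")
    }' "$@" | sort
}

sample_log | ar_summary
```

Run it against the real file with `ar_summary /var/ossec/logs/active-response.log`; an address reported as released has passed its timeout and can connect again.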
