Manually it's working fine

[EMAIL PROTECTED] bin]# /var/ossec/active-response/bin/firewall-drop.sh add root 9.9.9.9

adds IP to #/etc/hosts.deny

But when I try SSH from local machine to server running ossec, it's not blocking me for next 600 seconds.

Any suggestions please?

Thanks

On May 17, 2:53 pm, "Daniel Cid" <[EMAIL PROTECTED]> wrote:
> Hi Thorne,
>
> You are right, ossec will by default block the ip address for only a limited
> period of time. Check at /var/ossec/logs/active-response.log for a list
> of IP addresses that were blocked.
>
> Hope it helps.
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On 5/16/07, Thorne Lawler <[EMAIL PROTECTED]> wrote:
> >
> > Deltamails,
> >
> > Active Response may already be doing this for you. Check out the active
> > response log.
> >
> > By default, Active Response only locks out an IP for five minutes, then
> > re-enables it. You can extend this by increasing the appropriate value
> > from 300 in ossec.conf.
> >
> > You could probably arrange it so that the list of blocked IPs only ever
> > grows, and never unblocks them, but I can't get at my OSSEC machine right
> > now to verify how.
> >
> > ...probably should have just shut up and let Daniel answer. :-)
> >
> > --
> > Thorne Lawler
> >
> > Technical Consultant
> > ICT Outsourcing Services | Infrastructure Services | Unix Storage and
> > Delivery
> > KAZ Group Pty Ltd
> > 360 Elizabeth Street | Melbourne Victoria 3000
> > (03) 9631 1747 | 0408 491 552 | Fax: (03) 9654 7334
> > [EMAIL PROTECTED] | www.kaz-group.com
> > --------------------------------------------------------------------------------
> > This communication may contain confidential information and/or copyright
> > material of KAZ Group Pty Ltd ABN 25 002 124 405 and its related bodies
> > corporate. It may also be the subject of legal professional privilege. If
> > you are not an intended recipient, you must not keep, forward, copy, use,
> > save or rely on this communication and any such action is unauthorised and
> > prohibited. If you have received this communication in error, please reply
> > to this e-mail to notify the sender of its incorrect delivery, and then
> > delete both it and your reply.
> >
> > [EMAIL PROTECTED]
> > Sent by: [email protected]
> > 17/05/2007 08:32 AM
> > Please respond to
> > [email protected]
> >
> > To
> > [EMAIL PROTECTED]
> > cc
> >
> > Subject
> > [ossec-list] How to disable IP's trying brute force? Error Alert 10
> >
> > I am getting brute force detection alerts. Is it possible to block the IP
> > which try more than 5 bad login attempts?
> >
> > Thanks
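
An added example, not part of the original thread and not OSSEC's own code: a shell helper that reads the active-response.log mentioned above and lists every block that has an "add" with no later "delete", showing which response script ran for each IP. The log line layout and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of /var/ossec/logs/active-response.log. Assumed layout:
#   <date> <script> <add|delete> <user> <srcip> [<alert id> <rule id>]
sample_log() {
cat <<'EOF'
Thu May 17 14:50:02 EST 2007 /var/ossec/active-response/bin/host-deny.sh add - 192.0.2.10 1179377402.1234 5712
Thu May 17 14:50:02 EST 2007 /var/ossec/active-response/bin/firewall-drop.sh add - 192.0.2.10 1179377402.1234 5712
Thu May 17 14:52:40 EST 2007 /var/ossec/active-response/bin/firewall-drop.sh add root 9.9.9.9
Thu May 17 15:00:02 EST 2007 /var/ossec/active-response/bin/host-deny.sh delete - 192.0.2.10 1179377402.1234 5712
Thu May 17 15:00:02 EST 2007 /var/ossec/active-response/bin/firewall-drop.sh delete - 192.0.2.10 1179377402.1234 5712
Thu May 17 15:03:11 EST 2007 /var/ossec/active-response/bin/firewall-drop.sh add - 198.51.100.7 1179378191.5678 5712
EOF
}

# Print "<script> <ip>" for each block that was added and not yet deleted.
# Reads the named log file(s), or stdin when none is given.
active_blocks() {
    awk '{
        # The date has a variable field count, so locate the script field first.
        for (i = 1; i <= NF; i++) if ($i ~ /\.sh$/) break
        if (i + 3 > NF) next                 # not a response line, skip it
        n = split($i, path, "/")
        key = path[n] " " $(i + 3)           # script basename + source IP
        if ($(i + 1) == "add") blocked[key] = 1
        else if ($(i + 1) == "delete") delete blocked[key]
    } END { for (k in blocked) print k }' "$@" | LC_ALL=C sort
}

# Usage: is_blocked <ip> [logfile]; exit status 0 if the IP is still blocked.
is_blocked() {
    ip=$1; shift
    active_blocks "$@" | awk -v ip="$ip" '$2 == ip { found = 1 } END { exit !found }'
}

# Demo on the constructed sample; on a real host pass the log path instead.
sample_log | active_blocks
```

The first column shows whether the entry came from firewall-drop.sh or host-deny.sh, which tells you whether to look for the block in the firewall rules or in /etc/hosts.deny.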
