Hi everyone,
I need some help.
We have installed the OSSEC server 1.6.1 on a Debian system and 2
agents: 1 on FreeBSD and one on Windows XP.
If we test a brute-force attack against the FreeBSD agent or the Windows XP
agent, the attacker is blocked on the 3 machines.
However, if we do a brute-force attack against the server, the attacker is
blocked on the server but not on the agents.
This is a sample of our ossec.conf:
<active-response>
  <command>host-deny</command>
  <location>all</location>
  <level>6</level>
  <timeout>60</timeout>
</active-response>
<active-response>
  <command>host-deny</command>
  <location>server</location>
  <level>6</level>
  <timeout>60</timeout>
</active-response>
<active-response>
  <command>firewall-drop</command>
  <location>all</location>
  <level>6</level>
  <timeout>60</timeout>
</active-response>
<active-response>
  <command>firewall-drop</command>
  <location>server</location>
  <level>6</level>
  <timeout>60</timeout>
</active-response>
<active-response>
  <command>win_nullroute</command>
  <location>all</location>
  <level>6</level>
  <timeout>60</timeout>
</active-response>
<active-response>
  <command>win_nullroute</command>
  <location>server</location>
  <level>6</level>
  <timeout>60</timeout>
</active-response>
Does anyone know what could cause this problem?