I have a recent new setup - within the last week. It is now sending the alert on the brute-force FTP login attempt, which I asked about earlier. The Active Response also seems to be working to add an entry to the server routing table with a gateway address set to the same address as the interface on the server.

But a few seconds after the null route was added automatically, I was still able to log in via FTP from the IP I was using for the multiple bad logins. So, it seems as though OSSEC is doing what I'm expecting it to do, but I'm still not blocked from logging in. I was thinking this could be because of having multiple IP addresses on the NIC, but even when using the IP address specifically when trying to log in (the same IP address that had the route entry added), it still lets me log in from the source IP that I'm thinking should be blocked. Any ideas on why I can still log in?

The route entry added is similar to:

Network Destination   Netmask            Gateway         Interface       Metric
10.100.100.10         255.255.255.255    192.168.20.10   192.168.20.10   1

where 10.100.100.10 is an internal host, going through a PIX to the Windows IIS server on a DMZ. The Windows IIS server has the OSSEC agent. 192.168.20.10 is the IIS interface and the IP address OSSEC knows about. But even when this null route is set, I can FTP from the 10.100.100.10 server to the 192.168.20.10 server and get successfully logged in.

TIA for any help,
Greg