Hi all,

Forgive me if this has been covered somewhere, but I haven't come
across it.


Is there a way to have OSSEC Active Response block a particular user
from logging in? I don't care about thresholds or # of attempts. If I
see 'root', for instance, attempting to log on to a server at all, can
OSSEC match on that and drop that username and source IP immediately?


Additionally, one question on timeouts. Is the <timeout> flag in
seconds or in minutes? If so, I tried setting "<timeout>1</timeout>",
but it took 54 seconds to delete from the firewall-drop.sh script. If
it is in fact in minutes, how would I set it up to unblock in seconds?
Otherwise, if the flag should be seconds, is there a reason why it
would take 54 seconds to respond when I set the timeout to 1 second? I
know this doesn't make much sense (in terms of setting to 1 second),
but I tested with 5 and even 30 seconds and it still took a minute to
unblock.

Thanks in advance!
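As an added illustration (not part of the original post or the OSSEC project's own configuration), here is the shape of an OSSEC setup that matches any SSH login attempt for a chosen username and hands the source IP to the stock firewall-drop command. It assumes the default sshd rules 5715 (authentication success) and 5716 (authentication failure), a custom rule id 100100 in local_rules.xml, and that the `firewall-drop` command is already defined in ossec.conf as shipped; the timeout value is the one being tested in the question above.

```xml
<!-- local_rules.xml: fire on any sshd success or failure where the decoded
     user is exactly "root". Rule id 100100 is an assumed local id; adjust
     the <user> regex to whichever account you want to watch. -->
<group name="local,syslog,sshd,">
  <rule id="100100" level="10">
    <if_sid>5715,5716</if_sid>
    <user>^root$</user>
    <description>Login attempt over SSH for a blocked account</description>
  </rule>
</group>

<!-- ossec.conf: bind the rule to the stock firewall-drop command so the
     source IP is dropped on the first hit, with no frequency threshold.
     <timeout> is given in seconds; the block is lifted by the same script
     being re-run with "delete" once execd's timeout expires. -->
<ossec_config>
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>100100</rules_id>
    <timeout>60</timeout>
  </active-response>
</ossec_config>
```

Useful checks after a restart: confirm the rule fires with `ossec-logtest` on a sample "Accepted password for root from ..." line, and watch /var/ossec/logs/active-responses.log for the add and delete timestamps to measure the real unblock delay.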
