On 04/29/2010 12:11 AM, jplee3 wrote:
> Hi all,
>
> Forgive me if this has been covered somewhere, but I haven't come
> across it.
>
> Is there a way to have OSSEC Active Response block a particular user
> from logging in? I don't care about thresholds or # of attempts. If I
> see, 'root' for instance, attempting to logon to a server at all, can
> OSSEC match on that and drop that username and source IP immediately?

Yes, there is a way. You have to write your own rule for that. Then OSSEC will block the user immediately. Here is an example for a decoder and a rule. The decoder for ssh exists, so the rule is enough.

http://www.madirish.net/?article=434

Regards
Andre Pawlowski

-------------------------------------------------------------------
If an idea does not seem absurd at first, it is no good. -Albert Einstein
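
The approach described in the reply, as an added example that is not part of the original post or the linked article: a local rule that matches a single failed sshd login for root, tied to an active response that drops the source IP on the first hit. The rule id 100100, the level, the timeout, the whitelisted address and the file paths are assumptions for illustration; it also assumes the stock sshd decoder fills in the `user` and `srcip` fields.

```xml
<!-- /var/ossec/rules/local_rules.xml (default install path assumed) -->
<group name="local,syslog,sshd,">
  <!-- Rule id 100100 and level 10 are constructed values for this example.
       5716 is the stock "SSHD authentication failed." rule; the stock sshd
       decoder is assumed to fill in the user and srcip fields for it. -->
  <rule id="100100" level="10">
    <if_sid>5716</if_sid>
    <user>^root$</user>
    <description>sshd: failed login attempt for root.</description>
    <group>authentication_failed,</group>
  </rule>
</group>

<!-- /var/ossec/etc/ossec.conf on the manager -->
<ossec_config>
  <!-- The stock firewall-drop command, shown so the fragment is complete;
       skip this block if your ossec.conf already defines it. -->
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- Fire on the first match of rule 100100: no frequency or timeframe. -->
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>100100</rules_id>
    <timeout>600</timeout> <!-- seconds; constructed value -->
  </active-response>

  <!-- Addresses listed here are never blocked by active response.
       192.0.2.10 is a placeholder for your own admin host. -->
  <global>
    <white_list>192.0.2.10</white_list>
  </global>
</ossec_config>
```

Paste a sample sshd log line into `/var/ossec/bin/ossec-logtest` to confirm the rule fires before restarting OSSEC. This blocks the source IP of failed root attempts only; it does not disable the account.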
