Thanks, I created a new rule in sshd_rules to trip whenever it sees a "Failed password from root" message. And it works. The issue is with the way the blocking is occurring. I can have the firewall-drop.sh script fire whenever the rule trips, but it will drop the IP completely. I don't want this to happen. I guess this would go outside of the bounds of OSSEC, but is there a way to block by user per IP? Sorry if I missed something...
On Wed, Apr 28, 2010 at 10:52 PM, Andre Pawlowski <[email protected]> wrote:
>
> On 04/29/2010 12:11 AM, jplee3 wrote:
> > Hi all,
> >
> > Forgive me if this has been covered somewhere, but I haven't come
> > across it.
> >
> > Is there a way to have OSSEC Active Response block a particular user
> > from logging in? I don't care about thresholds or # of attempts. If I
> > see 'root', for instance, attempting to log on to a server at all, can
> > OSSEC match on that and drop that username and source IP immediately?
> >
>
> Yes, there is a way. You have to write your own rule for that. Then OSSEC
> will block the user immediately.
>
> Here is an example for a decoder and a rule. The decoder for ssh exists,
> so the rule is enough.
>
> http://www.madirish.net/?article=434
>
> Regards
>
> Andre Pawlowski
>
> -------------------------------------------------------------------
>
> If an idea does not seem absurd at first, it is worthless.
> -Albert Einstein
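The rule the thread talks about, written out as an added example (this is not code from the thread, from the madirish article, or from the OSSEC project). It assumes a stock OSSEC install where rule 5716 in sshd_rules.xml is "SSHD authentication failed" and the shipped sshd decoder already fills the user and srcip fields, so no new decoder is needed. The rule id 100100, the command name block-root-from-ip and the script block-root-from-ip.sh are placeholder names chosen here; the thread does not settle what the script should do, it only establishes that firewall-drop.sh is too coarse because it drops the whole IP.

```xml
<!-- Added example, not from the thread or the OSSEC project.
     Part 1: rules/local_rules.xml
     Fires on every failed SSH login for the user "root", regardless
     of frequency, by chaining off the stock "SSHD authentication
     failed" rule (assumed to be id 5716). 100100 is an id picked
     from the local range (100000 and up). -->
<group name="local,sshd,">
  <rule id="100100" level="10">
    <if_sid>5716</if_sid>
    <user>root</user>
    <description>SSH login attempt as root from $(srcip) (any failure fires).</description>
    <group>authentication_failed,</group>
  </rule>
</group>

<!-- Part 2: ossec.conf (inside <ossec_config>)
     Wires rule 100100 to a custom response instead of firewall-drop.
     OSSEC calls the executable as:  script.sh add|delete USER SRCIP
     so the script sees the user in $2 and the source IP in $3 and can
     act on the pair rather than on the IP alone. "block-root-from-ip"
     and the script name are placeholders; the blocking mechanism is
     left to the script. The "delete" call arrives after <timeout>
     seconds because timeout_allowed is set. -->
<command>
  <name>block-root-from-ip</name>
  <executable>block-root-from-ip.sh</executable>
  <expect>srcip</expect>
  <timeout_allowed>yes</timeout_allowed>
</command>

<active-response>
  <command>block-root-from-ip</command>
  <location>local</location>
  <rules_id>100100</rules_id>
  <timeout>600</timeout>
</active-response>
```

After dropping the script into active-response/bin/ (executable, owned by root) and restarting OSSEC, check that the rule actually matches before trusting the response: feed a real "Failed password for root from ..." line from the server's auth log through ossec-logtest and confirm the output names rule 100100 with user "root" and the expected srcip. If it lands on a different rule, the if_sid or the user field is not what this example assumes.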
