Hi,

First, you should write the rule in the local_rules. This file will never
be touched when you upgrade OSSEC.

And if I understand you right, you just want to block the user from
accessing the system via ssh, right? You can write your own
active-response script, for example: a script that will add the user to a
list that isn't allowed to access the system via ssh. You
should take a look at the sshd_config manual for options like this.

Regards

Andre Pawlowski

-------------------------------------------------------------------

Any fool can write code that a computer can understand.
Good programmers write code that humans can understand.
        -Martin Fowler

On 04/29/2010 05:38 PM, Jeremy Lee wrote:
> Thanks, I created a new rule in sshd_rules to trip whenever it sees a
> "Failed password from root" message. And it works. The issue is with the
> way the blocking is occurring. I can have the firewall-drop.sh script
> fire whenever the rule trips, but it will drop the IP completely. I
> don't want this to happen. I guess this would go outside of the bounds
> of OSSEC, but is there a way to block by user per IP? Sorry if I missed
> something...
> 
> On Wed, Apr 28, 2010 at 10:52 PM, Andre Pawlowski <[email protected]> wrote:
> 
> 
> 
>     On 04/29/2010 12:11 AM, jplee3 wrote:
>     > Hi all,
>     >
>     > Forgive me if this has been covered somewhere, but I haven't come
>     > across it.
>     >
>     >
>     > Is there a way to have OSSEC Active Response block a particular user
>     > from logging in? I don't care about thresholds or # of attempts. If I
>     > see, 'root' for instance, attempting to log on to a server at all, can
>     > OSSEC match on that and drop that username and source IP immediately?
>     >
>     >
> 
>     Yes, there is a way. You have to write your own rule for that. Then OSSEC
>     will block the user immediately.
> 
>     Here is an example for a decoder and a rule. The decoder for ssh exists
>     so the rule is enough.
> 
>     http://www.madirish.net/?article=434
> 
>     Regards
> 
>     Andre Pawlowski
> 
>     -------------------------------------------------------------------
> 
>     If an idea does not at first seem absurd, it is no good.
>            -Albert Einstein
> 
> 
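
One way to write the active-response script suggested in the reply above, as an added example that is not part of the original thread or of OSSEC: it uses sshd_config's `DenyUsers` with a USER@HOST pattern, so one user is refused from one source address without dropping the IP at the firewall. The file path, pid file path and function names are assumptions, as is sshd_config including that file; the arguments follow the action, user, source IP order that OSSEC passes to active-response scripts.

```shell
#!/bin/sh
# Added example: OSSEC active-response script, called as <script> add|delete <user> <srcip>.
# DENY_FILE is a hypothetical path; sshd_config is assumed to include it.
DENY_FILE="${DENY_FILE:-/etc/ssh/ossec_denyusers.conf}"

# The values come from a log line, so accept only characters that occur in
# plain account names and IP literals: no spaces, wildcards or newlines that
# could widen the pattern or smuggle another directive into sshd's config.
valid_user() {
    case "$1" in ''|-*|*[!A-Za-z0-9._-]*) return 1 ;; esac
}
valid_ip() {
    case "$1" in ''|*[!0-9A-Fa-f.:]*) return 1 ;; esac
}

ar_deny_user() {
    action=$1; user=$2; ip=$3
    valid_user "$user" && valid_ip "$ip" || return 2
    entry="DenyUsers ${user}@${ip}"   # USER@HOST: this user, from this address only
    touch "$DENY_FILE" || return 1
    case "$action" in
        add)
            # Idempotent: repeated alerts must not pile up duplicate lines.
            grep -qxF "$entry" "$DENY_FILE" || echo "$entry" >> "$DENY_FILE"
            ;;
        delete)
            # OSSEC calls "delete" when the response times out: drop only this entry.
            tmp="${DENY_FILE}.tmp.$$"
            grep -vxF "$entry" "$DENY_FILE" > "$tmp" || true
            cat "$tmp" > "$DENY_FILE" && rm -f "$tmp"
            ;;
        *) return 2 ;;
    esac
}

# Act only when run with OSSEC's arguments. Reload sshd only if the config still
# parses (sshd -t); /var/run/sshd.pid is an assumed pid file location.
if [ "$#" -ge 3 ]; then
    ar_deny_user "$1" "$2" "$3" && sshd -t && kill -HUP "$(cat /var/run/sshd.pid)"
fi
```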
