Most of the OSSEC active response scripts are pretty simple, but there isn't anything stopping you from extending one to fit this goal. You could take whichever script you're currently using and add some parts to keep track of who was banned previously and when. Then do a lookup on that, ban again for longer, and update the database. Which script are you currently using to block those IPs?
On Wed, May 5, 2010 at 11:37 PM, [email protected] <[email protected]> wrote:
> Hi All,
>
> Is there a way to make OSSEC extend the Active Response timeout of 600
> sec if it detects the SAME IP continuing to hammer the server after
> already being removed the first time.
>
> Eg: Here we have 81.208.15.156 continually trying to FTP in with the
> user Administrator using some dictionary attack. OSSEC detects this
> and bans them for 10 mins. When the IP is removed, the dictionary
> attack continues and they end up being banned again. On the second
> detection, can we add some smarts to OSSEC's Active Response and ban
> them for a longer period???
>
> Thu May 6 13:08:03 EST 2010 /usr/local/ossec/active-response/bin/firewall-drop.sh add - 81.208.15.156 1273115275.2479428 100004
> Thu May 6 13:08:03 EST 2010 /usr/local/ossec/active-response/bin/host-deny.sh add - 81.208.15.156 1273115275.2479428 100004
> Thu May 6 13:18:33 EST 2010 /usr/local/ossec/active-response/bin/host-deny.sh delete - 81.208.15.156 1273115275.2479428 100004
> Thu May 6 13:18:33 EST 2010 /usr/local/ossec/active-response/bin/firewall-drop.sh delete - 81.208.15.156 1273115275.2479428 100004
> Thu May 6 13:23:44 EST 2010 /usr/local/ossec/active-response/bin/firewall-drop.sh add - 81.208.15.156 1273116216.3236494 100004
> Thu May 6 13:23:44 EST 2010 /usr/local/ossec/active-response/bin/host-deny.sh add - 81.208.15.156 1273116216.3236494 100004
>
> Thanks.
>
> Andy
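One way to do what the reply describes (track prior bans, look them up on the next add, hold the block longer) is a small wrapper that takes the same argument order the stock scripts receive in the log above (action, user, source IP, alert id, rule id). This is an added example, not code from the reply's author or from the OSSEC project; the state file path, the doubling schedule, the 24-hour window and the `iptables` rule shape are assumptions. The `<timeout>` in ossec.conf stays at 600 seconds; since ossec-execd will still send `delete` after that, the wrapper escalates by deferring the actual rule removal for the extra time rather than by changing the configured timeout.

```shell
#!/bin/sh
# escalating-drop.sh (hypothetical): repeat offenders stay blocked longer.
# Invoked like firewall-drop.sh: $1=add|delete $2=user $3=srcip $4=alertid $5=ruleid
# State file (assumed path): one "ip epoch" line per ban.
STATE_DB="${OSSEC_BAN_DB:-/var/ossec/active-response/ban-history.db}"
BASE_TIMEOUT=600      # seconds; must match <timeout> in ossec.conf
MAX_TIMEOUT=86400     # never hold a block longer than a day
WINDOW=86400          # offences older than this no longer count
DRY_RUN="${OSSEC_BAN_DRY_RUN:-0}"   # 1 = log instead of touching iptables

# Number of bans recorded for $1 within WINDOW of epoch time $2.
ban_count() {
    [ -f "$STATE_DB" ] || { echo 0; return; }
    awk -v ip="$1" -v cutoff="$(( $2 - WINDOW ))" \
        '$1 == ip && $2 >= cutoff { n++ } END { print n + 0 }' "$STATE_DB"
}

# Append a ban record for $1 at epoch time $2.
record_ban() {
    echo "$1 $2" >> "$STATE_DB"
}

# Timeout for the Nth ban: 600, 1200, 2400, ... capped at MAX_TIMEOUT.
ban_timeout() {
    count=$1
    t=$BASE_TIMEOUT
    i=1
    while [ "$i" -lt "$count" ] && [ "$t" -lt "$MAX_TIMEOUT" ]; do
        t=$(( t * 2 ))
        i=$(( i + 1 ))
    done
    [ "$t" -gt "$MAX_TIMEOUT" ] && t=$MAX_TIMEOUT
    echo "$t"
}

# Timeout that applies to $1 given its history up to epoch time $2.
escalated_timeout() {
    ban_timeout "$(ban_count "$1" "$2")"
}

# Rule shape assumed to mirror the stock firewall-drop.sh (iptables INPUT DROP).
firewall_drop() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "dry-run: iptables $1 $2" >&2
        return 0
    fi
    case $1 in
    add)    iptables -I INPUT -s "$2" -j DROP ;;
    delete) iptables -D INPUT -s "$2" -j DROP ;;
    esac
}

# $1=add|delete $2=srcip $3=epoch now. Prints the timeout in force for $2.
handle() {
    action=$1 ip=$2 now=$3
    case $action in
    add)
        record_ban "$ip" "$now"
        timeout=$(escalated_timeout "$ip" "$now")
        firewall_drop add "$ip"
        echo "$timeout"
        ;;
    delete)
        timeout=$(escalated_timeout "$ip" "$now")
        extra=$(( timeout - BASE_TIMEOUT ))
        if [ "$extra" -gt 0 ]; then
            # ossec-execd asked for removal after BASE_TIMEOUT; keep the
            # rule for the escalated remainder before really removing it.
            ( sleep "$extra"; firewall_drop delete "$ip" ) &
        else
            firewall_drop delete "$ip"
        fi
        echo "$timeout"
        ;;
    esac
}

# Entry point when run by ossec-execd; no-op when sourced without arguments.
if [ "$#" -ge 3 ]; then
    handle "$1" "$3" "$(date +%s)" >> /var/ossec/logs/active-responses.log
fi
```

Run against the thread's own sequence with `OSSEC_BAN_DRY_RUN=1`, the first `add` for 81.208.15.156 yields 600 s, the second (within 24 h) 1200 s, the third 2400 s, and entries older than the window are ignored. The deferred `delete` runs as a detached subshell, so a restart of the host clears the block early; if that matters, write the intended expiry into the state file and re-apply pending rules at boot.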
