Hi,
I would like to block the IP address of an SSH attacker for 1 hour, but I
don't want to block other events for that long.
In the ossec mail I found the rule ID:
Rule: 5712 fired (level 10) -> "SSHD brute force trying to get access
to the system."
so I put the following code into /var/ossec/etc/ossec.conf:
<active-response>
  <!-- This response is going to execute the host-deny
     - command every time rule 5712 fires.
     - The IP is going to be blocked for 3600 seconds.
  -->
  <command>host-deny</command>
  <location>all</location>
  <rules_id>5712</rules_id>
  <timeout>3600</timeout>
</active-response>
<active-response>
  <!-- Firewall Drop response. Block the IP for
     - 3600 seconds on the firewall (iptables,
     - ipfilter, etc.) every time rule 5712 fires.
  -->
  <command>firewall-drop</command>
  <location>all</location>
  <rules_id>5712</rules_id>
  <timeout>3600</timeout>
</active-response>
but it doesn't work. The blocking duration is the standard 10 minutes. I
tried setting location to local too, but with the same result. Where is the
problem? I appreciate any help.
SupuS
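As an added diagnostic, not code from the post or from OSSEC itself: the script below parses the <active-response> stanzas of an ossec.conf and lists every timeout that applies to an alert for rule 5712 at level 10, so a stanza that matches by <level> rather than <rules_id> shows up next to the 3600-second one. It assumes the stock level-6/600-second stanzas are still present in the file (constructed sample below) and uses a simplified form of OSSEC's matching logic.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the post's two stanzas plus the two level-6/600-second
# stanzas a stock ossec.conf ships with (assumed still present above them).
SAMPLE_CONF = """<ossec_config>
  <active-response><command>host-deny</command><location>local</location>
    <level>6</level><timeout>600</timeout></active-response>
  <active-response><command>firewall-drop</command><location>local</location>
    <level>6</level><timeout>600</timeout></active-response>
  <active-response><command>host-deny</command><location>all</location>
    <rules_id>5712</rules_id><timeout>3600</timeout></active-response>
  <active-response><command>firewall-drop</command><location>all</location>
    <rules_id>5712</rules_id><timeout>3600</timeout></active-response>
</ossec_config>"""

def parse_active_responses(conf_xml):
    """One dict per <active-response> stanza in the config."""
    stanzas = []
    for ar in ET.fromstring(conf_xml).iter("active-response"):
        rules = (ar.findtext("rules_id") or "").strip()
        level = (ar.findtext("level") or "").strip()
        stanzas.append({
            "command": (ar.findtext("command") or "").strip(),
            "location": (ar.findtext("location") or "").strip(),
            "level": int(level) if level else None,
            "rules_id": {int(r) for r in rules.split(",")} if rules else set(),
            "timeout": int((ar.findtext("timeout") or "0").strip()),
        })
    return stanzas

def matching_responses(stanzas, rule_id, level):
    """Simplified matching: rules_id lists the rule, else alert level >= <level>."""
    hits = []
    for s in stanzas:
        if s["rules_id"]:
            matched = rule_id in s["rules_id"]
        else:
            matched = s["level"] is not None and level >= s["level"]
        if matched:
            hits.append(s)
    return hits

def timeouts_by_command(stanzas, rule_id, level):
    """command -> sorted timeouts of all firing stanzas; >1 value = competing stanzas."""
    result = {}
    for s in matching_responses(stanzas, rule_id, level):
        result.setdefault(s["command"], []).append(s["timeout"])
    return {c: sorted(t) for c, t in result.items()}
```

Run `timeouts_by_command(parse_active_responses(open("/var/ossec/etc/ossec.conf").read()), 5712, 10)` against the real file to see which stanzas fire for the alert in the mail.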