Hi SupuS,

On Mon, Feb 21, 2011 at 6:19 PM, SupuS <[email protected]> wrote:
> Hi,
>
> I would like to block the IP address of an SSH attacker for 1 hour but I
> don't want to block other events for that long.
>
> In the ossec mail I found rule ID:
>
> Rule: 5712 fired (level 10) -> "SSHD brute force trying to get access
> to the system."
>
> so I put the following code in /var/ossec/etc/ossec.conf:
>
> <active-response>
> <!-- This response is going to execute the host-deny
> - command every time rule 5712 fires.
> - The IP is going to be blocked for 3600 seconds.
> -->
> <command>host-deny</command>
> <location>all</location>
> <rules_id>5712</rules_id>
> <timeout>3600</timeout>
> </active-response>
>
> <active-response>
> <!-- Firewall Drop response. Block the IP for
> - 3600 seconds on the firewall (iptables,
> - ipfilter, etc) every time rule 5712 fires.
> -->
> <command>firewall-drop</command>
> <location>all</location>
> <rules_id>5712</rules_id>
> <timeout>3600</timeout>
> </active-response>
>

I think only one of these (probably the first) will be triggered.

> but it doesn't work. The duration of blocking is the standard 10 minutes. I
> tried setting location to local too but with the same result. Where is the
> problem? I appreciate any help.
>
> SupuS

Try running the OSSEC processes in debug mode. I haven't tried blocking anything for only an hour, but I can't think of a reason it wouldn't work.

dan
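Before turning on debug mode, it helps to know exactly which active-response entries OSSEC has loaded for a rule and what timeout each one carries, since the observed 10-minute block has to come from some entry in the file. The script below is an added example for this thread, not OSSEC code and not the poster's file: it parses the `<active-response>` blocks of an ossec.conf, lists each command with its location, trigger (rules_id or level) and timeout, and reports rule ids that are bound to more than one response. It assumes the config is passed as the first argument (e.g. /var/ossec/etc/ossec.conf); without an argument it runs on a constructed sample modelled on the config quoted above plus one level-based entry. A missing `<timeout>` is reported as 0 here, meaning no automatic undo is scheduled, which is an assumption of this script rather than something the thread states.

```python
"""Inventory OSSEC <active-response> entries and the timeout each one carries.

Added example for this mailing-list thread; not part of OSSEC.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the config quoted in the thread plus one
# level-based entry with the default 600 s timeout. Not the poster's real file.
SAMPLE_CONF = """
<ossec_config>
  <active-response>
    <!-- This response is going to execute the host-deny
    - command every time rule 5712 fires.
    - The IP is going to be blocked for 3600 seconds.
    -->
    <command>host-deny</command>
    <location>all</location>
    <rules_id>5712</rules_id>
    <timeout>3600</timeout>
  </active-response>
  <active-response>
    <command>firewall-drop</command>
    <location>all</location>
    <rules_id>5712</rules_id>
    <timeout>3600</timeout>
  </active-response>
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
"""


def parse_active_responses(conf_text):
    """Return one dict per enabled <active-response> block in conf_text."""
    # A real ossec.conf may hold several top-level <ossec_config> elements,
    # which is not one well-formed XML document; wrapping it in a root fixes that.
    root = ET.fromstring("<root>" + conf_text + "</root>")
    entries = []
    for ar in root.iter("active-response"):
        if (ar.findtext("disabled") or "").strip().lower() == "yes":
            continue
        rules = (ar.findtext("rules_id") or "").replace(" ", "")
        entries.append({
            "command": (ar.findtext("command") or "").strip(),
            "location": (ar.findtext("location") or "").strip(),
            "rules_id": [r for r in rules.split(",") if r],
            "level": (ar.findtext("level") or "").strip() or None,
            # Assumption of this script: a missing <timeout> is reported as 0,
            # i.e. no automatic undo is scheduled for the action.
            "timeout": int((ar.findtext("timeout") or "0").strip()),
        })
    return entries


def timeouts_for_rule(entries, rule_id):
    """Map command -> timeout in seconds for every response bound to rule_id."""
    return {e["command"]: e["timeout"] for e in entries if rule_id in e["rules_id"]}


def shared_rules(entries):
    """Rule ids bound to more than one response, with the commands involved.

    Worth checking when the observed block length does not match the timeout
    of the entry you expected to fire.
    """
    seen = {}
    for e in entries:
        for rid in e["rules_id"]:
            seen.setdefault(rid, []).append(e["command"])
    return {rid: cmds for rid, cmds in seen.items() if len(cmds) > 1}


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    ents = parse_active_responses(text)
    for e in ents:
        print(f"{e['command']:<14} location={e['location']:<6} "
              f"rules={','.join(e['rules_id']) or '-'} level={e['level'] or '-'} "
              f"timeout={e['timeout']}s")
    for rid, cmds in shared_rules(ents).items():
        print(f"rule {rid} is bound to {len(cmds)} responses: {', '.join(cmds)}")
```

Run it against the live file and compare the printed timeouts with what execd actually does (the debug output Dan suggests shows the command and timeout it queues); a 600 s block when every entry for rule 5712 says 3600 points at a different entry or a different rule id being the one that fired.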
