I have an OSSEC server set up with 4 agents. I have several IP addresses white listed including my own. When I have 3 or 4 unsuccessful SSH login attempts on one of the agents, active response is activated on the agent, and I'm locked out. Have I misconfigured one (or more) of these?
<global> <white_list>127.0.0.1</white_list> <white_list>^localhost.localdomain$</white_list> <white_list>173.203.4.8</white_list> <white_list>173.203.4.9</white_list> <white_list>96.27.202.98</white_list> <white_list>96.27.252.34</white_list> <white_list>67.192.51.163</white_list> <white_list>72.158.59.10</white_list> <white_list>10.5.96.0/24</white_list> <white_list>204.238.82.16/28</white_list> <white_list>63.235.131.224/27</white_list> <white_list>173.203.114.210</white_list> <white_list>50.57.117.175</white_list> <white_list>50.57.155.200</white_list> <white_list>64.244.96.2</white_list> <white_list>12.174.52.170</white_list> <white_list>147.154.122.253</white_list> <white_list>64.14.3.196</white_list> <white_list>64.17.3.220</white_list> <white_list>161.69.30.128/26</white_list> <white_list>165.193.42.64/27</white_list> <white_list>165.193.42.128/27</white_list> <white_list>161.69.14.128/26</white_list> <white_list>12.174.52.160/28</white_list> </global>
