On Thu, Dec 29, 2011 at 4:30 PM, Rainer <[email protected]> wrote:
> Hi Dan, thanks for quick reply.
>
> On Thu, 2011-12-29 at 16:05 -0500, dan (ddp) wrote:
>> Does the repeated offenders option get recognized? (you should see
>> messages about it in ossec.log)
> No, nothing about repeated offenders in ossec.log
>

Then it didn't get picked up when you restarted the ossec processes.
You should see something like this (from another thread):
"ossec-execd: INFO: Adding offenders timeout: 30 (for #1)"

>> What version of OSSEC?
> 2.6, like I stated in the subject line. Official download version.
>

Missed that, sorry.

>> What platform?
> Ubuntu 10.04.2 LTS official ubuntu kernel 2.6.32-37-server
>
> In what time window should the repeated offenders option be triggered?
> repeated attacks in 1 hour? 10 Min. after timeout? How is it supposed to
> work?
>

The first time an IP is blocked it should be blocked for the default
timeout period (you have 900 set). After this time period the IP will
be unblocked. The next time it is blocked it will be blocked for the
first repeated offenders timeout (30 minutes in your example).

I don't know if the order matters in this case, but you could try
moving the repeated_offenders configuration to after the default
timeout.

> tia
>
> Rainer
>
>> On Thu, Dec 29, 2011 at 3:58 PM, Rainer <[email protected]> wrote:
>> > Hi!
>> >
>> > In my local installation the repeated offenders feature is not
>> > working. I had an offender on distinct sites on my server (apache
>> > virtual hosts on one machine) all day, but active response
>> > always worked only with the normal blocking time.
>> >
>
> [logs quoting removed ]
>
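The check suggested in the reply above (compare the configured repeated_offenders list with the "Adding offenders timeout" lines ossec-execd writes at startup) can be scripted. This is an added example, not part of the original thread or of OSSEC; the function names, the sample config layout and the sample log lines are constructed for illustration, and only the log message format is taken from the thread.

```python
import re

# Message format quoted in the thread: "... Adding offenders timeout: 30 (for #1)"
LOADED = re.compile(r"ossec-execd: INFO: Adding offenders timeout: (\d+) \(for #(\d+)\)")
CONFIGURED = re.compile(r"<repeated_offenders>([^<]*)</repeated_offenders>")

def configured_timeouts(conf_text):
    """Repeated-offender timeouts (minutes) listed in the ossec.conf text."""
    match = CONFIGURED.search(conf_text)
    if match is None:
        return []
    return [int(v) for v in match.group(1).split(",") if v.strip()]

def loaded_timeouts(log_text):
    """Timeouts ossec-execd logged, ordered by index; later restarts win."""
    by_index = {int(idx): int(minutes) for minutes, idx in LOADED.findall(log_text)}
    return [by_index[i] for i in sorted(by_index)]

def check_repeated_offenders(conf_text, log_text):
    """Classify the state: is the option configured, and did execd load it?"""
    configured = configured_timeouts(conf_text)
    loaded = loaded_timeouts(log_text)
    if not configured:
        return "not configured"
    if not loaded:
        return "configured but not picked up by ossec-execd"
    if loaded != configured:
        return "loaded values differ from config"
    return "ok"

# Constructed sample data (not Rainer's actual config or logs).
SAMPLE_CONF = """<active-response>
  <timeout>900</timeout>
  <repeated_offenders>30,60,120</repeated_offenders>
</active-response>"""
SAMPLE_LOG_OK = """2011/12/29 16:40:02 ossec-execd: INFO: Adding offenders timeout: 30 (for #1)
2011/12/29 16:40:02 ossec-execd: INFO: Adding offenders timeout: 60 (for #2)
2011/12/29 16:40:02 ossec-execd: INFO: Adding offenders timeout: 120 (for #3)"""
SAMPLE_LOG_SILENT = "2011/12/29 16:40:02 ossec-execd: INFO: Started (pid: 1234)."

if __name__ == "__main__":
    print(check_repeated_offenders(SAMPLE_CONF, SAMPLE_LOG_OK))
    print(check_repeated_offenders(SAMPLE_CONF, SAMPLE_LOG_SILENT))
```

The second call reproduces the situation in the thread: the option is present in the config, but ossec.log carries no matching line after the restart.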
