> >> Does the repeated offenders option get recognized? (you should see
> >> messages about it in ossec.log)
> > No, nothing about repeated offenders in ossec.log
> >
>
> Then it didn't get picked up when you restarted the ossec processes.
>
> You should see something like this (from another thread):
> "ossec-execd: INFO: Adding offenders timeout: 30 (for #1)"

Hm, nothing. I'll try to play around with the place of the statement like you suggested below.

> The first time an IP is blocked it should be blocked for the default
> timeout period (you have 900 set). After this time period the IP will
> be unblocked. The next time it is blocked it will be blocked for the
> first repeated offenders timeout (30 minutes in your example).

So the "next time" is "whenever an attack comes from this IP again"? My understanding of you is that there is no timeout. If the next attack from that IP would be in 4 weeks, repeated offenders would be triggered. Right?

> I don't know if the order matters in this case, but you could try
> moving the repeated_offenders configuration to after the default
> timeout.
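Added example (not part of the original message and not OSSEC's own code): a small check that scans ossec.log text for the "Adding offenders timeout" message quoted above, to confirm whether the option was picked up, and derives the block duration for the Nth block of an IP as described in the thread. The sample log lines, their timestamp prefix and the 60/120 values are constructed; reusing the last list entry once the list is exhausted is an assumption.

```python
import re

# Message text as quoted in the thread; the timestamp prefix in the samples is constructed.
OFFENDER_RE = re.compile(
    r"ossec-execd: INFO: Adding offenders timeout: (\d+) \(for #(\d+)\)")

# Constructed sample: execd picked up three repeated-offender timeouts.
SAMPLE_LOADED = """\
2012/01/01 10:00:00 ossec-execd: INFO: Started (pid: 1234).
2012/01/01 10:00:00 ossec-execd: INFO: Adding offenders timeout: 30 (for #1)
2012/01/01 10:00:00 ossec-execd: INFO: Adding offenders timeout: 60 (for #2)
2012/01/01 10:00:00 ossec-execd: INFO: Adding offenders timeout: 120 (for #3)
"""

# Constructed sample: the situation reported in the thread (no offenders lines).
SAMPLE_MISSING = """\
2012/01/01 10:00:00 ossec-execd: INFO: Started (pid: 1234).
"""

def offender_timeouts(log_text):
    """Return the offender timeouts (minutes) execd logged, ordered by '#' index."""
    found = {}
    for line in log_text.splitlines():
        m = OFFENDER_RE.search(line)
        if m:
            found[int(m.group(2))] = int(m.group(1))
    return [found[k] for k in sorted(found)]

def block_seconds(nth_block, default_timeout, offenders_min):
    """Duration in seconds of the nth block (1-based) of one IP.

    First block: default timeout (seconds). Later blocks: the repeated
    offenders list (minutes), in order. Assumption: the last entry is
    reused once the list is exhausted.
    """
    if nth_block < 1:
        raise ValueError("nth_block is 1-based")
    if nth_block == 1 or not offenders_min:
        return default_timeout
    idx = min(nth_block - 2, len(offenders_min) - 1)
    return offenders_min[idx] * 60

if __name__ == "__main__":
    for name, log in (("loaded", SAMPLE_LOADED), ("missing", SAMPLE_MISSING)):
        timeouts = offender_timeouts(log)
        status = "picked up" if timeouts else "NOT picked up"
        schedule = [block_seconds(n, 900, timeouts) for n in range(1, 6)]
        print(f"{name}: repeated offenders {status}; block seconds {schedule}")
```

An empty list from `offender_timeouts` corresponds to the case reported here: execd never logged the option, so every block falls back to the default timeout.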
