It belongs on the system that does the AR, most likely the agent.

On Dec 30, 2011 8:42 AM, "Dimitri Yioulos" <[email protected]> wrote:
> On Thursday 29 December 2011 5:35:44 pm Rainer wrote:
> > > >> Does the repeated offenders option get recognized? (you
> > > >> should see messages about it in ossec.log)
> > > >
> > > > No, nothing about repeated offenders in ossec.log
> > >
> > > Then it didn't get picked up when you restarted the ossec
> > > processes.
> > >
> > > You should see something like this (from another thread):
> > > "ossec-execd: INFO: Adding offenders timeout: 30 (for #1)"
> >
> > hm, nothing. I'll try to play around with the place of the
> > statement like you suggested below.
> >
> > > The first time an IP is blocked it should be blocked for the
> > > default timeout period (you have 900 set). After this time
> > > period the IP will be unblocked. The next time it is blocked
> > > it will be blocked for the first repeated offenders timeout
> > > (30 minutes in your example).
> >
> > So the "next time" is "whenever an attack comes from this IP
> > again"? My understanding of you is that there is no timeout. If
> > the next attack from that IP would be in 4 weeks, repeated
> > offenders would be triggered. right?
> >
> > > I don't know if the order matters in this case, but you could
> > > try moving the repeated_offenders configuration to after the
> > > default timeout.
>
> I'm now jumping into this thread because I realize that "repeat
> offenders" isn't working for me either. I see the pertinent
> directives for "repeat offenders" in ossec.conf on the ossec
> server, but not on the box where the offense is taking place.
> Does the directive belong there?
>
> Thanks.
>
> Dimitri
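
Added example, not part of the original thread and not OSSEC code: a check that reads ossec.log lines from each host for the "Adding offenders timeout" message quoted above, to see whether the host that runs the active response loaded the option, plus the block timeout sequence as the thread describes it. The sample log lines, the 60 and 120 entries, and the function names are constructed; reuse of the last list entry once the list is exhausted is an assumption.

```python
import re

# Message format quoted in the thread:
#   ossec-execd: INFO: Adding offenders timeout: 30 (for #1)
OFFENDER_RE = re.compile(
    r"ossec-execd: INFO: Adding offenders timeout: (\d+) \(for #(\d+)\)")

def loaded_offender_timeouts(log_lines):
    """Repeated-offender timeouts (minutes) that execd logged, in slot order.
    An empty list means this host never loaded the option."""
    slots = {}
    for line in log_lines:
        m = OFFENDER_RE.search(line)
        if m:
            slots[int(m.group(2))] = int(m.group(1))
    return [slots[n] for n in sorted(slots)]

def block_duration(nth_block, default_timeout, offender_minutes):
    """Timeout applied the nth time the same IP is blocked, as the thread
    describes it: default first, then the repeated-offender list."""
    if nth_block < 1:
        raise ValueError("nth_block starts at 1")
    if nth_block == 1 or not offender_minutes:
        return (default_timeout, "default")
    # Assumption (not stated in the thread): once the list is exhausted,
    # the last entry keeps being used.
    idx = min(nth_block - 2, len(offender_minutes) - 1)
    return (offender_minutes[idx], "repeated_offenders")

# Constructed sample logs (timestamps and the 60/120 entries are made up).
SERVER_LOG = [
    "2011/12/30 08:50:01 ossec-execd: INFO: Adding offenders timeout: 30 (for #1)",
    "2011/12/30 08:50:01 ossec-execd: INFO: Adding offenders timeout: 60 (for #2)",
    "2011/12/30 08:50:01 ossec-execd: INFO: Adding offenders timeout: 120 (for #3)",
    "2011/12/30 08:50:01 ossec-execd: INFO: Started (pid: 4242).",
]
AGENT_LOG = [
    "2011/12/30 08:51:10 ossec-execd: INFO: Started (pid: 1717).",
]

if __name__ == "__main__":
    for name, log in (("server", SERVER_LOG), ("agent", AGENT_LOG)):
        loaded = loaded_offender_timeouts(log)
        print(name, "loaded:", loaded or "none (option not active here)")
        for n in (1, 2, 3):
            print("  block", n, "->", block_duration(n, 900, loaded))
```

With the constructed agent log, every block falls back to the default timeout, which is the symptom reported in the thread when the directive exists only on the server.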
