On Fri, Dec 30, 2011 at 12:54 PM, Dimitri Yioulos <[email protected]> wrote:
> Thanks, Dan. Is anything else required other than to add the
> directives to ossec.conf on the agent?
>
> Dimitri

Not that I'm aware of, but I don't do much with repeated_offenders.

> On Friday 30 December 2011 8:48:15 am dan (ddp) wrote:
>> It belongs on the system that does the AR, most likely the agent.
>>
>> On Dec 30, 2011 8:42 AM, "Dimitri Yioulos" <[email protected]> wrote:
>> > On Thursday 29 December 2011 5:35:44 pm Rainer wrote:
>> > > > >> Does the repeated offenders option get recognized?
>> > > > >> (you should see messages about it in ossec.log)
>> > > > >
>> > > > > No, nothing about repeated offenders in ossec.log
>> > > >
>> > > > Then it didn't get picked up when you restarted the ossec
>> > > > processes.
>> > > >
>> > > > You should see something like this (from another thread):
>> > > > "ossec-execd: INFO: Adding offenders timeout: 30 (for #1)"
>> > >
>> > > Hm, nothing. I'll try to play around with the place of the
>> > > statement like you suggested below.
>> > >
>> > > > The first time an IP is blocked it should be blocked for
>> > > > the default timeout period (you have 900 set). After this
>> > > > time period the IP will be unblocked. The next time it is
>> > > > blocked it will be blocked for the first repeated
>> > > > offenders timeout (30 minutes in your example).
>> > >
>> > > So the "next time" is "whenever an attack comes from this
>> > > IP again"? My understanding of you is that there is no
>> > > timeout. If the next attack from that IP came in 4
>> > > weeks, repeated offenders would be triggered. Right?
>> > >
>> > > > I don't know if the order matters in this case, but you
>> > > > could try moving the repeated_offenders configuration to
>> > > > after the default timeout.
>> >
>> > I'm now jumping into this thread because I realize that
>> > "repeat offenders" isn't working for me either. I see the
>> > pertinent directives for "repeat offenders" in ossec.conf on
>> > the ossec server, but not on the box where the offense is
>> > taking place. Does the directive belong there?
>> >
>> > Thanks.
>> >
>> > Dimitri
>> >
>> > --
>> > This message has been scanned for viruses and
>> > dangerous content by MailScanner, and is
>> > believed to be clean.
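An added configuration example, not taken from this thread or from the OSSEC project's own files, showing how the two pieces discussed above fit together in ossec.conf on the host that executes the active response (the agent, per dan's reply). The repeated_offenders directive lives in its own active-response block, separate from the block that binds a command to a level and carries the default timeout. The command name firewall-drop, the alert level, and the escalation list are assumptions chosen to match the numbers in the thread: a 900-second default timeout, then a 30-minute block on the first repeat.

```xml
<!-- Added example; placement and values are assumptions, not the poster's config. -->
<ossec_config>

  <!-- Escalation schedule for IPs that get blocked again after a previous
       block has expired. Values are in minutes, so this reads:
       first repeat -> 30 min, second -> 60 min, third and later -> 120 min.
       The first block of any IP still uses the <timeout> below (seconds). -->
  <active-response>
    <repeated_offenders>30,60,120</repeated_offenders>
  </active-response>

  <!-- The response itself: run firewall-drop locally on the agent for any
       alert of level 6 or higher, and undo it after 900 seconds. -->
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <level>6</level>
    <timeout>900</timeout>
  </active-response>

</ossec_config>
```

After restarting the OSSEC processes on that host, the check suggested earlier in the thread applies: ossec.log should contain a line of the form "ossec-execd: INFO: Adding offenders timeout: 30 (for #1)" for each entry in the list. If no such line appears, the directive was not read, which in this thread was the symptom of having it on the server rather than on the agent that runs the response.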
