I have OSSEC 2.6 running on Ubuntu 10.04 LTS. This is a web server running LAMP.
There are several websites on this server. Every now and then OSSEC will block an IP address for accessing a website. This is not an attack of any kind. I've had it happen to me. I'll access a website on the server and bam, blocked. I have it configured to unblock the IP after 10 minutes. I figured after 10 minutes a hacker will get tired and move on. I don't want this to happen with users of my server. Is there a way to configure OSSEC so this doesn't happen? I've never taken the time to tweak OSSEC.

NOTE: The latest alert was for Moodle. I'm guessing a user clicked on something and OSSEC didn't like it.
