On 03/12/2012 10:49 AM, Dimitri Yioulos wrote:
> Anyone have any ideas on this?
>
>
>> All,
>>
>> Back at the end of last year, I asked about using the repeated-offenders feature
>> in OH. I added the following directives to ossec.conf on the host that I want
>> this to work in:
>>
>> <command>
>> <name>host-deny</name>
>> <executable>host-deny.sh</executable>
>> <expect>srcip</expect>
>> <timeout_allowed>yes</timeout_allowed>
>> </command>
>>
>> <active-response>
>> <!-- This response is going to execute the host-deny
>> - command for every event that fires a rule with
>> - level (severity) >= 6.
>> - The IP is going to be blocked for 600 seconds.
>> -->
>> <command>host-deny</command>
>> <location>local</location>
>> <level>6</level>
>> <timeout>600</timeout>
>> </active-response>
>>
>> Despite that, it's not working. Ossec reports the following:
>>
>> OSSEC HIDS Notification.
>> 2012 Mar 07 09:08:16
>>
>> Received From: (plymouth) 192.168.1.2->/var/log/messages
>> Rule: 40111 fired (level 10) -> "Multiple authentication failures."
>> Portion of the log(s):
>>
>> Mar 7 09:07:44 plymouth ipop3d[29926]: Login failed user=hod auth=hod host=201-93-132-240.dsl.telesp.net.br [201.93.132.240]
>> ...
>>
>> However, rather than OH invoking repeated-offenders, and blocking the offender
>> for 600 seconds, I continue to see the offender make attempts on the host.
>>
>> What am I missing here?
Can you get onto the server when the block should be in effect? If so, what do you see in /etc/hosts.deny and from "iptables -L"?

At the time the blocks should be taking place, do you see anything in /var/log/messages or /var/ossec/logs/active-responses.log?

Are you running SELinux in enforcing mode?

--
-- Steve
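As an added example, not part of this thread and not OSSEC's own host-deny.sh, the script below is a minimal host-deny style active-response handler in POSIX sh. It follows the argument convention OSSEC uses when it runs a response script ("script add|delete user srcip"): with `<timeout_allowed>yes</timeout_allowed>` and `<timeout>600</timeout>` as configured above, OSSEC runs the script with `add` when rule 40111 fires and again with `delete` for the same IP 600 seconds later, which is what the active-responses.log Steve asks about should show. The `HOSTS_DENY` and `AR_LOG` variables, the `valid_ipv4`, `is_denied` and `hostdeny` function names and the default temporary files are this example's own choices, so it can be run and inspected without touching /etc/hosts.deny. Two things worth keeping in mind when checking a setup like the one described: the `<command>` and `<active-response>` blocks are read by the OSSEC manager, and an agent such as plymouth only needs the script itself in its active-response/bin directory; and an entry in hosts.deny only stops services that consult tcp_wrappers, which is one reason to look at `iptables -L` as well.

```shell
#!/bin/sh
# Added example handler (not OSSEC's host-deny.sh). Invoked as:
#   hostdeny add    <user> <srcip>   when the rule fires
#   hostdeny delete <user> <srcip>   after <timeout> seconds, if timeout_allowed is yes
# Assumptions: HOSTS_DENY and AR_LOG default to temp files so the demo is
# harmless; point them at /etc/hosts.deny and
# /var/ossec/logs/active-responses.log to use it for real (as root).
HOSTS_DENY="${HOSTS_DENY:-$(mktemp)}"
AR_LOG="${AR_LOG:-$(mktemp)}"

# One line per invocation, modelled on active-responses.log:
# timestamp, script, action, user, ip.
log_ar() {
    printf '%s %s %s\n' "$(date)" "$0" "$*" >> "$AR_LOG"
}

# Accept only a plain dotted IPv4 address. The srcip is lifted straight out
# of the matched log line, so hostnames and shell metacharacters are refused
# rather than written into hosts.deny.
valid_ipv4() {
    case "$1" in
        "" | *[!0-9.]* | .* | *. | *..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Is this IP currently listed?  (exact line match, no regex)
is_denied() {
    grep -qxF "ALL: $1" "$HOSTS_DENY" 2>/dev/null
}

hostdeny() {
    action="$1"; user="$2"; ip="$3"
    if ! valid_ipv4 "$ip"; then
        log_ar "refused invalid srcip" "$user" "$ip"
        return 1
    fi
    case "$action" in
        add)
            # idempotent: OSSEC may fire the same rule repeatedly for one source
            is_denied "$ip" || printf 'ALL: %s\n' "$ip" >> "$HOSTS_DENY"
            ;;
        delete)
            tmp=$(mktemp)
            grep -vxF "ALL: $ip" "$HOSTS_DENY" > "$tmp" || true  # grep -v exits 1 on empty result
            cat "$tmp" > "$HOSTS_DENY"   # rewrite in place, keeps the file's mode and owner
            rm -f "$tmp"
            ;;
        *)
            return 2 ;;
    esac
    log_ar "$action" "$user" "$ip"
}

# Demo run against the temp files, using the srcip from the alert quoted above
# as sample input: block, show the file, then lift the block as OSSEC would
# after the 600 second timeout.
hostdeny add - 201.93.132.240
echo "hosts.deny now contains:"; cat "$HOSTS_DENY"
hostdeny delete - 201.93.132.240
echo "active-response log:"; cat "$AR_LOG"
```

Run it as is to see the add/delete cycle on the temporary files; when wired in as an OSSEC response script, the lines appended to `AR_LOG` are the evidence that the manager actually dispatched the response, which separates "the response never ran" from "the response ran but the block is not effective".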
