Hi, please help with this. I tried everything, but nothing seems to be working.

What will host-deny or route-null exactly do when tied to this rule, i.e. can I block a user from accessing a Windows client for the next "xyz" sec if he/she types a wrong password multiple times? Please help.

On Mon, Jul 16, 2012 at 12:20 PM, sahil sharma <[email protected]> wrote:

> >> Check the frequency documentation:
> >> http://devio.us/~ddp/ossec/docs/syntax/head_rules.html
> >>
> Thanks for the information.
>
> >> > *2) I want to block the client that has triggered this rule so that he
> >> > doesn't get a chance to log in anymore (block the client). How can I do
> >> > it? I tried adding this rule on the "active response" field with
> >> > "timeout=600".
> >> >
> >> > I guess then the client should be blocked and not allowed to log in
> >> > to the client for the next 600 sec, but the client is immediately
> >> > able to gain access. (I hope I am getting it right.)
> >> >
> >> > Please help.
> >>
> >> You forgot to include the configuration you tried. Did you restart the
> >> ossec processes on the ossec server after making this change? Is
> >> active response enabled on the agent?
> >>
> Yes, I restarted the ossec server after making this change and I have enabled
> the active response in the client config as well.
>
> In server config :::
>
>   <active-response>
>     <!-- This response is going to execute the host-deny
>        - command for every event that fires a rule with
>        - level (severity) >= 6.
>        - The IP is going to be blocked for 600 seconds.
>       -->
>     <command>host-deny</command>
>     <location>local</location>
>     <rules_id>100153</rules_id>
>     <level>6</level>
>     <timeout>600</timeout>
>   </active-response>
>
> In local rules :::
>
>   <rule id="100153" level="10" frequency="2" timeframe="240">
>     <if_matched_sid>18106</if_matched_sid>
>     <description>Multiple window logon failure</description>
>   </rule>
>
> In agent's config :::
>
>   <active-response>
>     <disabled>no</disabled>
>   </active-response>
>
> I just want to block a client which triggers this rule "100153", but even after
> multiple logon failures, the client is not being blocked for 600 seconds. Though,
> I can see the alert at the server.
>
> I hope I am not missing something.
> Please help.
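To make the moving parts of the quoted configuration concrete, here is an added example (not code from the thread or from the OSSEC project): a simplified Python model of a composite rule (frequency/timeframe over if_matched_sid) feeding a timed active response. Two things a practitioner would check that the quoted config alone does not show: the stock host-deny command definition in ossec.conf carries <expect>srcip</expect>, so an alert whose decoded event has no source IP runs nothing, and host-deny.sh is a Unix shell script that edits /etc/hosts.deny, so with <location>local</location> it has nothing to act on when the alerting agent is a Windows host. The counting model below (fire on the Nth match within the window, per source) is a teaching simplification of OSSEC's actual frequency counter, and the rule/response parameters are taken from the thread; the sample events are constructed.

```python
"""Simplified model of an OSSEC composite rule plus a timed active response.

Added example, not OSSEC code. Assumptions (simplifications of OSSEC):
- the composite rule fires once `frequency` events with the matched sid share
  a source within `timeframe` seconds, then resets that source's counter;
- the response runs only if the alert carries the field named by `expect`
  (srcip for the stock host-deny command definition);
- the block is lifted when `timeout` seconds have elapsed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Event:
    ts: int                 # epoch seconds
    sid: int                # rule id the event already matched (e.g. 18106)
    srcip: Optional[str]    # None when the decoder extracted no source IP


@dataclass
class CompositeRule:
    rule_id: int
    level: int
    if_matched_sid: int
    frequency: int
    timeframe: int
    _seen: Dict[str, deque] = field(default_factory=lambda: defaultdict(deque))

    def feed(self, ev: Event) -> Optional[dict]:
        """Return an alert dict when the frequency threshold is reached, else None."""
        if ev.sid != self.if_matched_sid:
            return None
        window = self._seen[ev.srcip or "<no-srcip>"]
        window.append(ev.ts)
        while window and ev.ts - window[0] > self.timeframe:   # drop stale hits
            window.popleft()
        if len(window) >= self.frequency:
            window.clear()
            return {"rule_id": self.rule_id, "level": self.level,
                    "srcip": ev.srcip, "ts": ev.ts}
        return None


@dataclass
class ActiveResponse:
    command: str
    rules_id: int
    level: int
    timeout: int
    expect: str = "srcip"                      # field the command needs
    blocked_until: Dict[str, int] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def handle(self, alert: dict) -> bool:
        """Run the response for a matching alert; False if it was skipped."""
        if alert["rule_id"] != self.rules_id or alert["level"] < self.level:
            return False
        target = alert.get(self.expect)
        if not target:
            self.log.append(f"{alert['ts']}: alert {alert['rule_id']} has no "
                            f"{self.expect}; {self.command} not executed")
            return False
        self.blocked_until[target] = alert["ts"] + self.timeout
        self.log.append(f"{alert['ts']}: {self.command} add {target} "
                        f"(until {self.blocked_until[target]})")
        return True

    def is_blocked(self, ip: str, now: int) -> bool:
        """Expire the block on read, as the timeout would."""
        until = self.blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.blocked_until[ip]
            self.log.append(f"{now}: {self.command} delete {ip} (timeout)")
            return False
        return True


def run_scenario() -> dict:
    """Replay constructed events through the thread's rule and response."""
    rule = CompositeRule(rule_id=100153, level=10, if_matched_sid=18106,
                         frequency=2, timeframe=240)
    resp = ActiveResponse(command="host-deny", rules_id=100153,
                          level=6, timeout=600)
    events = [                                  # constructed sample data
        Event(1000, 18106, "10.0.0.5"),
        Event(1030, 18106, "10.0.0.5"),         # 2nd failure in 240 s: alert
        Event(1100, 18106, None),
        Event(1120, 18106, None),               # alert, but nothing to block
        Event(2000, 18106, "10.0.0.9"),
        Event(2500, 18106, "10.0.0.9"),         # 500 s apart: no alert
    ]
    alerts = [a for a in (rule.feed(e) for e in events) if a]
    for a in alerts:
        resp.handle(a)
    return {
        "alerts": len(alerts),
        "blocked_at_1031": resp.is_blocked("10.0.0.5", 1031),
        "blocked_at_1629": resp.is_blocked("10.0.0.5", 1629),
        "blocked_at_1630": resp.is_blocked("10.0.0.5", 1630),
        "other_blocked": resp.is_blocked("10.0.0.9", 2501),
        "log": resp.log,
    }


if __name__ == "__main__":
    for line in run_scenario()["log"]:
        print(line)
```

Running it shows three outcomes: the 10.0.0.5 pair produces an alert and a block that expires exactly at ts + 600; the pair with no srcip produces an alert that is visible (as in the thread, "I can see the alert at the server") but no block, because the response has nothing to hand to the command; and the 10.0.0.9 pair never alerts because the hits fall outside the timeframe.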
