On Tue, Jul 17, 2012 at 10:27 AM, sahil sharma <[email protected]> wrote:
> Hi,
>
> Please help on this. I tried everything, but nothing seems to be working.
>
> What will host-deny or route-null exactly do when tied with this rule, i.e.
> can I block a user from accessing a Windows client for the next "xyz" sec
> if he/she types a wrong password multiple times?
>
> Please help.
>
The scripts aren't very complicated (the *nix versions anyhow, I haven't looked at the Windows versions). You shouldn't have too much trouble reading them. Those particular commands will block an IP either through (surprise surprise) a hosts.deny file or by creating a null route in the routing table.

> On Mon, Jul 16, 2012 at 12:20 PM, sahil sharma <[email protected]>
> wrote:
>>
>>> Check the frequency documentation:
>>> http://devio.us/~ddp/ossec/docs/syntax/head_rules.html
>>>
>> Thanks for the information.
>>
>>> > *2) I want to block the client that has triggered this rule so that he
>>> > doesn't get a chance to login anymore (block the client). How can I do it?
>>> > I tried adding this rule on the "active response" field with "timeout=600".
>>> >
>>> > I guess then, the client should be blocked and not allowed to login
>>> > into the client for the next 600 sec, but the client is immediately
>>> > able to gain access. (I hope I am getting it right).
>>> >
>>> > Please help.
>>>
>>> You forgot to include the configuration you tried. Did you restart the
>>> ossec processes on the ossec server after making this change? Is
>>> active response enabled on the agent?
>>
>> Yes, I restarted the ossec server after making this change and I have enabled
>> the active response in the client config as well.
>>
>> In server config:
>> <active-response>
>>   <!-- This response is going to execute the host-deny
>>      - command for every event that fires a rule with
>>      - level (severity) >= 6.
>>      - The IP is going to be blocked for 600 seconds.
>>   -->
>>   <command>host-deny</command>
>>   <location>local</location>
>>   <rules_id>100153</rules_id>
>>   <level>6</level>
>>   <timeout>600</timeout>
>> </active-response>
>>
>> In local rules:
>> <rule id="100153" level="10" frequency="2" timeframe="240">
>>   <if_matched_sid>18106</if_matched_sid>
>>   <description>Multiple window logon failure</description>
>> </rule>
>>
>> In agent's config:
>> <active-response>
>>   <disabled>no</disabled>
>> </active-response>
>>
>> I just want to block a client which triggers this rule "100153", but even
>> after multiple logon failures, the client is not being blocked for 600 seconds.
>> Though, I can see the alert at the server.
>>
>> I hope I am not missing something.
>> Please help.
>
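Added example, not part of this thread or of OSSEC itself: a small Python checker that parses the three snippets quoted above (re-typed here as constructed input) and lists the usual reasons a configured OSSEC active response never blocks anything. The `agent_is_windows` switch and the set of *nix-only response scripts are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample input, re-typed from the three snippets in the thread.
SERVER_CONF = """<ossec_config><active-response>
  <command>host-deny</command><location>local</location>
  <rules_id>100153</rules_id><level>6</level><timeout>600</timeout>
</active-response></ossec_config>"""
LOCAL_RULES = """<group name="local">
  <rule id="100153" level="10" frequency="2" timeframe="240">
    <if_matched_sid>18106</if_matched_sid>
    <description>Multiple window logon failure</description>
  </rule>
</group>"""
AGENT_CONF = "<ossec_config><active-response><disabled>no</disabled></active-response></ossec_config>"

# Assumption of this example: these scripts ship only with the *nix agent;
# a Windows agent carries its own .cmd response scripts instead.
UNIX_ONLY_COMMANDS = {"host-deny", "firewall-drop"}


def check_active_response(server_xml, rules_xml, agent_xml, agent_is_windows=False):
    """Return findings that explain why a configured block may never happen."""
    findings = []
    rules = {r.get("id"): r for r in ET.fromstring(rules_xml).iter("rule")}
    agent_ar = ET.fromstring(agent_xml).find("active-response")
    if agent_ar is not None and (agent_ar.findtext("disabled") or "no").strip() == "yes":
        findings.append("agent: <disabled>yes</disabled>, no response will run on the agent")
    for ar in ET.fromstring(server_xml).iter("active-response"):
        cmd = (ar.findtext("command") or "").strip()
        loc = (ar.findtext("location") or "").strip()
        min_level = int((ar.findtext("level") or "0").strip())
        if not (ar.findtext("timeout") or "").strip():
            findings.append(f"{cmd}: no <timeout>, the response will never be reverted")
        for rid in (ar.findtext("rules_id") or "").split(","):
            rid = rid.strip()
            if not rid:
                continue
            if rid not in rules:
                findings.append(f"{cmd}: rules_id {rid} is not defined in the rules file")
                continue
            rule_level = int(rules[rid].get("level", "0"))
            if rule_level < min_level:
                findings.append(f"{cmd}: rule {rid} has level {rule_level}, below <level>{min_level}")
        # <location>local</location> runs the script on the agent that raised the alert.
        if loc == "local" and agent_is_windows and cmd in UNIX_ONLY_COMMANDS:
            findings.append(f"{cmd}: *nix script, but location=local runs it on a Windows agent")
    return findings
```

With the thread's configuration the checker is silent for a *nix agent and reports only the script/agent mismatch when the alerting agent is Windows.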
