Hi, I guess there is some misunderstanding; maybe I had written something confusing:

My requirement is simple: I want to block a user if he enters a wrong password (multiple times) to log on to a Windows client. I have already defined a local rule for "multiple logon failure" and tested it; it is working perfectly fine. Now I just want to block a client for the next "5 minutes" or so if he triggers this rule. Please tell me what I should do, step by step, to ensure this blocking. Sorry if it is a lengthy thing for you.

Regards
Sahil.

On Tue, Jul 17, 2012 at 8:13 PM, dan (ddp) <[email protected]> wrote:
> On Mon, Jul 16, 2012 at 2:50 AM, sahil sharma <[email protected]> wrote:
> >
> >> Check the frequency documentation:
> >> http://devio.us/~ddp/ossec/docs/syntax/head_rules.html
> >
> > Thanks for the information.
> >
> >> > *2) I want to block the client that has triggered this rule so that he
> >> > doesn't get a chance to login anymore (block the client). How can I do it?
> >> > I tried adding this rule on the "active response" field with "timeout=600".
> >> >
> >> > I guess then the client should be blocked and not allowed to login into
> >> > the client for the next 600 sec, but the client is immediately able to
> >> > gain access. (I hope I am getting it right.)
> >> >
> >> > Please help.
> >>
> >> You forgot to include the configuration you tried. Did you restart the
> >> ossec processes on the ossec server after making this change? Is
> >> active response enabled on the agent?
> >
> > Yes, I restarted the ossec server after making this change and I have enabled
> > the active response in the client config as well.
>
> What does that mean? Other than enabling AR, there shouldn't be any
> configuration necessary on the agents.
>
> > In server config:
> >
> >   <active-response>
> >     <!-- This response is going to execute the host-deny
> >        - command for every event that fires a rule with
> >        - level (severity) >= 6.
> >        - The IP is going to be blocked for 600 seconds.
> >     -->
> >     <command>host-deny</command>
> >     <location>local</location>
> >     <rules_id>100153</rules_id>
> >     <level>6</level>
> >     <timeout>600</timeout>
> >   </active-response>
> >
> > In local rules:
> >
> >   <rule id="100153" level="10" frequency="2" timeframe="240">
> >     <if_matched_sid>18106</if_matched_sid>
> >     <description>Multiple window logon failure</description>
> >   </rule>
> >
> > In agent's config:
> >
> >   <active-response>
> >     <disabled>no</disabled>
> >   </active-response>
> >
> > I just want to block a client which triggers this rule "100153", but even
> > after multiple logon failures the client is not being blocked for 600 seconds,
> > though I can see the alert at the server.
> >
> > I hope I am not missing something.
> > Please help.
>
> You need to make sure the srcip gets decoded properly in rule 18106
> for this to work properly. Use ossec-logtest to test it.
>
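Editor's note with an added example (this is not OSSEC code and not part of the thread). dan's point is the one that decides whether anything gets blocked: an active response such as host-deny is defined with <expect>srcip</expect>, so if the decoder for the event behind rule 18106 does not extract a source address, the correlation rule 100153 still fires and the alert shows up on the server, but the server has no IP to hand to the script and silently runs nothing. That matches what Sahil sees (alert visible, client not blocked). Two further caveats a practitioner would check before expecting a five-minute lockout: <location>local</location> runs the command on the agent that raised the alert, i.e. the Windows machine in this setup, and host-deny is the Unix script that edits /etc/hosts.deny, which in any case only affects TCP-wrapper-aware services and does not stop an interactive logon on a Windows client. The Python below models rule 100153 (if_matched_sid 18106, frequency 2, timeframe 240) and the server's active-response block over constructed events, to show why a missing srcip leaves the response with nothing to do. Assumptions: frequency is treated as a plain per-source count inside the timeframe (see the head_rules documentation linked in the thread for how OSSEC itself counts), and an active-response block with both <rules_id> and <level> set is taken to require both; the event data and addresses are made up.

```python
"""Toy model of an OSSEC frequency rule feeding an active response.

Added example, not OSSEC code.  It models rule 100153 from the thread
(if_matched_sid 18106, frequency 2, timeframe 240) and the server's
<active-response> block (host-deny, rules_id 100153, level 6, timeout 600).
Assumptions: frequency is a plain per-source count within the timeframe,
and an AR with both <rules_id> and <level> set must satisfy both.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional


@dataclass
class Event:
    """One decoded log line after the base rule (18106) matched it."""
    ts: int                   # epoch seconds
    sid: int                  # id of the rule that matched the line
    srcip: Optional[str]      # what the decoder extracted; None = nothing decoded


@dataclass
class Alert:
    ts: int
    rule_id: int
    level: int
    srcip: Optional[str]


@dataclass
class ActiveResponse:
    """The fields of the server's <active-response> block that matter here."""
    command: str
    rules_id: int
    level: int
    timeout: int
    expects_srcip: bool = True    # host-deny is defined with <expect>srcip</expect>


def correlate(events: List[Event], *, rule_id: int = 100153, level: int = 10,
              if_matched_sid: int = 18106, frequency: int = 2,
              timeframe: int = 240) -> List[Alert]:
    """Fire `rule_id` once `frequency` events matching `if_matched_sid` from the
    same srcip fall inside `timeframe` seconds (per-source counting, like
    OSSEC's <same_source_ip/>).  Events with no srcip share one bucket."""
    windows: Dict[Optional[str], Deque[int]] = defaultdict(deque)
    alerts: List[Alert] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.sid != if_matched_sid:
            continue
        seen = windows[ev.srcip]
        seen.append(ev.ts)
        while seen and ev.ts - seen[0] > timeframe:   # expire old matches
            seen.popleft()
        if len(seen) >= frequency:
            alerts.append(Alert(ev.ts, rule_id, level, ev.srcip))
            seen.clear()                               # fresh count after firing
    return alerts


def dispatch(alert: Alert, ar: ActiveResponse) -> Optional[dict]:
    """Arguments the server would pass to the AR script, or None.

    None means the alert is logged but nothing runs: the AR does not apply to
    this rule, or the script expects a srcip and none was decoded (the case
    in the thread: alert visible on the server, client never blocked)."""
    if alert.rule_id != ar.rules_id or alert.level < ar.level:
        return None
    if ar.expects_srcip and alert.srcip is None:
        return None
    return {"command": ar.command, "srcip": alert.srcip, "timeout": ar.timeout}


def simulate(events: List[Event], ar: ActiveResponse) -> List[Optional[dict]]:
    """Correlate, then dispatch; one entry per alert raised."""
    return [dispatch(a, ar) for a in correlate(events)]


# Constructed sample input (not real logs): the AR block from the thread and
# three logon failures from one workstation inside four minutes.
HOST_DENY = ActiveResponse(command="host-deny", rules_id=100153, level=6, timeout=600)
DECODED = [Event(0, 18106, "192.0.2.10"), Event(100, 18106, "192.0.2.10"),
           Event(200, 18106, "192.0.2.10")]
# The same failures, but the decoder did not extract a source address.
UNDECODED = [Event(ev.ts, ev.sid, None) for ev in DECODED]

if __name__ == "__main__":
    print("decoded srcip:", simulate(DECODED, HOST_DENY))
    print("no srcip     :", simulate(UNDECODED, HOST_DENY))
```

With a decoded srcip the second failure trips rule 100153 and host-deny would be called with 192.0.2.10 for 600 seconds; with srcip missing the same alert is raised but dispatch returns None, which is the symptom in the thread. Running the real log line through ossec-logtest, as dan suggests, is the check for the decoded srcip field before touching the active-response configuration.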
