Also:::
1) I have put <rule_id>1100001</rule_id> with host-deny at ossec-config. (1100001 is the rule I have defined for multiple logon failure events.)
2) Active response is enabled. Still, the user triggering this rule is not being blocked even after entering a wrong password multiple times.

On Tue, Jul 17, 2012 at 8:36 PM, sahil sharma <[email protected]> wrote:
> Hi,
>
> I guess there is some misunderstanding, maybe I had written something confusing:::
>
> My requirement is simple, I want to block a user if he enters a wrong password (multiple times) to log on to a windows client.
>
> I have already defined a local rule for "multiple logon failure" and tested the same, it's working perfectly fine.
>
> Now, I just want to block a client for the next "5 minutes" or so if he triggers this rule.
>
> Please tell me what I should do step by step to ensure this blocking.
>
> Sorry, if it's a lengthy thing for you.
>
> Regards
> Sahil.
>
> On Tue, Jul 17, 2012 at 8:13 PM, dan (ddp) <[email protected]> wrote:
>
>> On Mon, Jul 16, 2012 at 2:50 AM, sahil sharma <[email protected]> wrote:
>> >
>> >> Check the frequency documentation:
>> >> http://devio.us/~ddp/ossec/docs/syntax/head_rules.html
>> >>
>> >
>> > Thanks for the information.
>> >
>> >> > 2) I want to block the client that has triggered this rule so that he doesn't get a chance to log in anymore (block the client). How can I do it? I tried adding this rule on the "active response" field with "timeout=600".
>> >> >
>> >> > I guess then the client should be blocked and not allowed to log in to the client for the next 600 sec, but the client is immediately able to gain access. (I hope I am getting it right).
>> >> >
>> >> > Please help.
>> >>
>> >> You forgot to include the configuration you tried. Did you restart the ossec processes on the ossec server after making this change? Is active response enabled on the agent?
>> >
>> > Yes, I restarted the ossec server after making this change and I have enabled the active response in client-config as well.
>>
>> What does that mean? Other than enabling AR, there shouldn't be any configuration necessary on the agents.
>>
>> > In server config :::
>> > <active-response>
>> >   <!-- This response is going to execute the host-deny
>> >      - command for every event that fires a rule with
>> >      - level (severity) >= 6.
>> >      - The IP is going to be blocked for 600 seconds.
>> >   -->
>> >   <command>host-deny</command>
>> >   <location>local</location>
>> >   <rules_id>100153</rules_id>
>> >   <level>6</level>
>> >   <timeout>600</timeout>
>> > </active-response>
>> >
>> > In local rules :::
>> > <rule id="100153" level="10" frequency="2" timeframe="240">
>> >   <if_matched_sid>18106</if_matched_sid>
>> >   <description>Multiple window logon failure</description>
>> > </rule>
>> >
>> > In agent's config :::
>> > <active-response>
>> >   <disabled>no</disabled>
>> > </active-response>
>> >
>> > I just want to block a client which triggers this rule "100153", but even after multiple logon failures, the client is not being blocked for 600 seconds. Though, I can see the alert at the server.
>> >
>> > I hope I am not missing something.
>> > Please help.
>>
>> You need to make sure the srcip gets decoded properly in rule 18106 for this to work properly. Use ossec-logtest to test it.
>>
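A small checker added here as an example (it is not from this thread or from OSSEC itself): it parses an ossec.conf together with the rule files you hand it and flags any active-response rules_id that none of those rule files define, plus any location value OSSEC does not accept. The two sample files are constructed to resemble the configs quoted above, and VALID_LOCATIONS is my own list of the accepted location keywords.

```python
import xml.etree.ElementTree as ET

# Constructed samples modelled on the thread, not the poster's actual files.
SERVER_CONF = """<ossec_config>
  <active-response>
    <command>host-deny</command><location>local</location>
    <rules_id>100153</rules_id><level>6</level><timeout>600</timeout>
  </active-response>
</ossec_config>
<ossec_config>
  <active-response>
    <command>host-deny</command><location>local</location>
    <rules_id>1100001</rules_id><timeout>600</timeout>
  </active-response>
</ossec_config>"""
LOCAL_RULES = """<group name="local,">
  <rule id="100153" level="10" frequency="2" timeframe="240">
    <if_matched_sid>18106</if_matched_sid>
    <description>Multiple window logon failure</description>
  </rule>
</group>"""
VALID_LOCATIONS = {"local", "server", "defined-agent", "all"}

def parse_multi_root(text):
    # ossec.conf may hold several top-level <ossec_config> blocks, which is
    # not well-formed XML, so wrap the whole file in a synthetic root first.
    return ET.fromstring("<root>" + text + "</root>")

def defined_rule_ids(*rule_files):
    # Every rule id in the supplied rule files (local_rules.xml plus any
    # stock rule files you want considered).
    return {r.get("id") for f in rule_files
            for r in parse_multi_root(f).iter("rule")}

def check_active_responses(conf_text, *rule_files):
    """Return one finding per <active-response> whose <rules_id> names a rule
    none of the supplied rule files define, or whose <location> is not a
    value OSSEC accepts. An empty list means nothing was flagged."""
    known = defined_rule_ids(*rule_files)
    findings = []
    for ar in parse_multi_root(conf_text).iter("active-response"):
        cmd = ar.findtext("command", "?")
        loc = ar.findtext("location", "")
        if loc not in VALID_LOCATIONS:
            findings.append(f"{cmd}: unknown <location> '{loc}'")
        # <rules_id> may be a comma-separated list of ids.
        for rid in (ar.findtext("rules_id") or "").split(","):
            rid = rid.strip()
            if rid and rid not in known:
                findings.append(f"{cmd}: rules_id {rid} matches no supplied rule")
    return findings
```

Pass the stock rule files as extra arguments if your active-response blocks reference built-in rule ids; otherwise those get reported as undefined.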
