On Tue, Jul 17, 2012 at 11:10 AM, sahil sharma
<[email protected]> wrote:
> Also:::
>
> 1) I have put <rule_id>1100001</rule_id> with host-deny at ossec-config.
>  (1100001 is the rule I have defined for multiple logon failure events)
>
> 2) Active response is enabled.
>
> Still, the user triggering this rule is not being blocked even after
> entering the wrong password multiple times.
>
>
>
> On Tue, Jul 17, 2012 at 8:36 PM, sahil sharma <[email protected]>
> wrote:
>>
>> Hi,
>>
>> I guess there is some misunderstanding, maybe I had written something
>> confusing:::
>>
>> My requirement is simple, I want to block a user if he enters the wrong
>> password (multiple times) to log on to a Windows client.
>>
>> I have already defined a local rule for "multiple logon failure" and tested
>> the same, it's working perfectly fine.
>>
>> Now, I just want to block a client for next "5 minutes" or so if he
>> triggers this rule.
>>
>> Please tell me what I should do step by step to ensure this blocking.
>>
>> Sorry, if it's a lengthy thing for you.
>>
>> Regards
>> Sahil.
>>

Answering these questions will help you figure out how to solve this:
How are users logging in? - This will determine how you want to block
them. Can you block the source host, or do you need to disable the
account?

How is rule 18106 decoded (with the specific log messages you're
worried about)? - If you're going to disable the account, the user
needs to be decoded. Same goes for the srcip if you're blocking by
host.

Based on your answers to those questions you should be able to
determine what the active response command should do (create a null
route, disable a user, modify a firewall, etc.), where it should run
(on the agent, on the server, on a specific host), and if you have to
modify decoders to actually accomplish what you want to do.

I don't know enough about Windows administration to give you step by
step instructions. You'll have to do some work yourself (or hire
someone technical).
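As an added example (it is not from this thread and not OSSEC's own code) of how the two questions above map onto the active-response mechanics: the Python below parses a constructed ossec.conf fragment and works out, for a decoded alert, whether the host-deny response would actually fire. It relies on OSSEC's `<expect>` element (a command declared with `<expect>srcip</expect>` only runs when the decoder produced a srcip), on the `<rules_id>` element name used in ossec.conf, and on the argument order OSSEC hands to active-response scripts (action, user, srcip, alert id, rule id). The alert ids, the user name and the 192.0.2.10 address are constructed sample values, and `load_config` / `plan_responses` are names chosen for this example.

```python
import xml.etree.ElementTree as ET

# Constructed ossec.conf fragment (example, not the thread author's file).
# One command keys on the decoded srcip, the other on the decoded user;
# only the host-deny command is bound to the local rule 1100001.
OSSEC_CONF = """<ossec_config>
  <command>
    <name>host-deny</name>
    <executable>host-deny.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <command>
    <name>disable-account</name>
    <executable>disable-account.sh</executable>
    <expect>user</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <active-response>
    <command>host-deny</command>
    <location>local</location>
    <rules_id>1100001</rules_id>
    <timeout>300</timeout>
  </active-response>
</ossec_config>"""


def load_config(xml_text):
    """Parse <command> and <active-response> blocks into plain dicts."""
    root = ET.fromstring(xml_text)
    commands = {}
    for c in root.findall("command"):
        expect = c.findtext("expect") or ""
        commands[c.findtext("name")] = {
            "executable": c.findtext("executable"),
            # <expect> may list several comma-separated fields
            "expect": [f.strip() for f in expect.split(",") if f.strip()],
        }
    responses = []
    for ar in root.findall("active-response"):
        responses.append({
            "command": ar.findtext("command"),
            "location": ar.findtext("location"),
            "rules_id": {r.strip() for r in ar.findtext("rules_id").split(",")},
            "timeout": int(ar.findtext("timeout") or 0),
        })
    return commands, responses


def plan_responses(config, alert):
    """Decide which active responses an alert would trigger.

    alert is the decoder's output: rule_id, alert_id and, when the decoder
    extracted them, srcip and/or user.  Returns a list of
    (executable, argv, timeout_seconds, status) tuples; argv is None when
    the command is skipped because a field named in <expect> is missing.
    """
    commands, responses = config
    planned = []
    for ar in responses:
        if str(alert["rule_id"]) not in ar["rules_id"]:
            continue  # this response is bound to other rules
        cmd = commands[ar["command"]]
        missing = [f for f in cmd["expect"] if not alert.get(f)]
        if missing:
            # This is the failure mode in the thread: the rule fires, the
            # response is configured, but the decoder never produced the
            # field the command needs, so nothing is executed.
            planned.append((cmd["executable"], None, ar["timeout"],
                            "skipped: decoder did not supply " + ",".join(missing)))
            continue
        # Argument order given to active-response scripts; "-" stands in
        # for a value the decoder did not provide.
        argv = [cmd["executable"], "add",
                alert.get("user") or "-", alert.get("srcip") or "-",
                str(alert["alert_id"]), str(alert["rule_id"])]
        planned.append((cmd["executable"], argv, ar["timeout"], "run"))
    return planned


if __name__ == "__main__":
    cfg = load_config(OSSEC_CONF)
    # Constructed alerts: same rule, with and without a decoded srcip.
    no_ip = {"rule_id": 1100001, "alert_id": "1342525000.1", "user": "sahil"}
    with_ip = dict(no_ip, alert_id="1342525000.2", srcip="192.0.2.10")
    for a in (no_ip, with_ip):
        for exe, argv, timeout, status in plan_responses(cfg, a):
            print(exe, status, argv, "timeout=%ds" % timeout)
```

Running it shows the host-deny script being skipped for the alert that carries only a user name and being invoked, with a 300 second timeout, once a srcip is present; the disable-account command is never considered because no `<active-response>` block names it. Checking the decoded fields of your own logon-failure events against the command's `<expect>` is the quickest way to confirm which of the two situations you are in.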
