Please tell me if you have any idea for Linux, as to how to block on a Linux machine (administration)??? It would be a great help.
On Tue, Jul 17, 2012 at 8:49 PM, dan (ddp) <[email protected]> wrote:
> On Tue, Jul 17, 2012 at 11:10 AM, sahil sharma <[email protected]> wrote:
> > Also:::
> >
> > 1) I have put <rule_id>1100001</rule_id> with host-deny at ossec-config.
> > (1100001 is the rule I have defined for multiple logon failure events)
> >
> > 2) Active response is enabled.
> >
> > Still, a user triggering this rule is not being blocked even after entering
> > the wrong password multiple times.
> >
> >
> > On Tue, Jul 17, 2012 at 8:36 PM, sahil sharma <[email protected]> wrote:
> >>
> >> Hi,
> >>
> >> I guess there is some misunderstanding, maybe I had written something
> >> confusing:::
> >>
> >> My requirement is simple: I want to block a user if he enters the wrong
> >> password (multiple times) to log on to a Windows client.
> >>
> >> I have already defined a local rule for "multiple logon failure" and tested
> >> the same; it's working perfectly fine.
> >>
> >> Now, I just want to block a client for the next "5 minutes" or so if he
> >> triggers this rule.
> >>
> >> Please tell me what I should do, step by step, to ensure this blocking.
> >>
> >> Sorry, if it's a lengthy thing for you.
> >>
> >> Regards
> >> Sahil.
> >>
>
> Answering these questions will help you figure out how to solve this:
>
> How are users logging in? - This will determine how you want to block
> them. Can you block the source host, or do you need to disable the
> account?
>
> How is rule 18106 decoded (with the specific log messages you're
> worried about)? - If you're going to disable the account, the user
> needs to be decoded. Same goes for the srcip if you're blocking by
> host.
>
> Based on your answers to those questions you should be able to
> determine what the active response command should do (create a null
> route, disable a user, modify a firewall, etc.), where it should run
> (on the agent, on the server, on a specific host), and if you have to
> modify decoders to actually accomplish what you want to do.
>
> I don't know enough about Windows administration to give you step by
> step instructions. You'll have to do some work yourself (or hire
> someone technical).
>
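As an added illustration (not part of the thread), here is the ossec.conf configuration that Dan's two questions lead to for the "block by source host" answer. It assumes the block is applied on the OSSEC manager's Linux host through host-deny.sh (hosts.deny), and that the alerts from local rule 1100001 carry a decoded srcip; note that the tag OSSEC reads is rules_id, not rule_id, and that the timeout is in seconds.

```xml
<ossec_config>
  <!-- Command definition. host-deny.sh adds the decoded source IP to
       /etc/hosts.deny. Because <expect>srcip</expect> is set, the response
       only fires when the triggering alert actually carries a decoded
       source IP; an alert whose decoder did not extract srcip is skipped,
       which is the failure mode Dan is pointing at. -->
  <command>
    <name>host-deny</name>
    <executable>host-deny.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- Bind the command to the thread's local rule 1100001 (repeated logon
       failures). location "server" runs the block on the manager's Linux
       host (an assumption for this example); timeout 300 lifts the block
       again after the five minutes asked for in the thread. -->
  <active-response>
    <disabled>no</disabled>
    <command>host-deny</command>
    <location>server</location>
    <rules_id>1100001</rules_id>
    <timeout>300</timeout>
  </active-response>
</ossec_config>
```

To answer the decoding question before relying on this, paste one of the real Windows logon-failure lines into /var/ossec/bin/ossec-logtest and confirm that the decoded output lists a srcip field alongside rule 1100001; if it does not, the decoder has to be extended first, as Dan says.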
