On Tue, Jul 17, 2012 at 12:26 PM, sahil sharma <[email protected]> wrote:
> Please tell if you have any idea for the linux. So as to how block on linux
> machine(administration)???
> It would be great help.
>

Did you read my mail? What do you want to "block" _specifically_? Do you
want to disable the user account? Do you want to block the src ip? Do a
little bit of work here to help yourself.

> On Tue, Jul 17, 2012 at 8:49 PM, dan (ddp) <[email protected]> wrote:
>>
>> On Tue, Jul 17, 2012 at 11:10 AM, sahil sharma
>> <[email protected]> wrote:
>> > Also:::
>> >
>> > 1) I have put <rule_id>1100001</rule_id> with host-deny at
>> > ossec-config.
>> > (1100001 is the rule I have defined for multiple logon failure events)
>> >
>> > 2) Active response is enabled.
>> >
>> > Still user triggering this rule is not being blocked even after entering
>> > wrong password multiple times.
>> >
>> > On Tue, Jul 17, 2012 at 8:36 PM, sahil sharma
>> > <[email protected]> wrote:
>> >>
>> >> Hi,
>> >>
>> >> I guess there is some misunderstanding, maybe I had written something
>> >> confusing:::
>> >>
>> >> My requirement is simple, I want to block a user if he enters wrong
>> >> password (multiple times) to log on to windows client.
>> >>
>> >> I have already defined a local rule for "multiple logon failure" and
>> >> tested the same, it's working perfectly fine.
>> >>
>> >> Now, I just want to block a client for next "5 minutes" or so if he
>> >> triggers this rule.
>> >>
>> >> Please tell me what should I do step by step to ensure this blocking.
>> >>
>> >> Sorry, if it's a lengthy thing for you.
>> >>
>> >> Regards
>> >> Sahil.
>> >>
>>
>> Answering these questions will help you figure out how to solve this:
>> How are users logging in? - This will determine how you want to block
>> them. Can you block the source host, or do you need to disable the
>> account?
>>
>> How is rule 18106 decoded (with the specific log messages you're
>> worried about)? - If you're going to disable the account, the user
>> needs to be decoded. Same goes for the srcip if you're blocking by
>> host.
>>
>> Based on your answers to those questions you should be able to
>> determine what the active response command should do (create a null
>> route, disable a user, modify a firewall, etc.), where it should run
>> (on the agent, on the server, on a specific host), and if you have to
>> modify decoders to actually accomplish what you want to do.
>>
>> I don't know enough about Windows administration to give you step by
>> step instructions. You'll have to do some work yourself (or hire
>> someone technical).
>
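As an added illustration, not part of either poster's messages: this is the shape of the ossec.conf fragment that wires a custom rule to the stock host-deny response for a five-minute block, using the rule id (1100001) and the timeout (5 minutes, i.e. 300 seconds) from the thread. Note that the element is spelled <rules_id>, not <rule_id>. The <location>server</location> choice is an assumption for illustration; local, defined-agent and all are the other valid values.

```xml
<ossec_config>
  <!-- Command definition: stock OSSEC host-deny response. -->
  <command>
    <name>host-deny</name>
    <executable>host-deny.sh</executable>
    <!-- host-deny needs a source address; if the decoder for the
         triggering log line does not populate srcip, OSSEC has nothing
         to pass and the response will not run. -->
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- Bind the command to the custom multiple-logon-failure rule. -->
  <active-response>
    <command>host-deny</command>
    <!-- Assumed for this example: run on the OSSEC server. -->
    <location>server</location>
    <rules_id>1100001</rules_id>
    <!-- 5 minutes, after which the matching undo action removes the entry. -->
    <timeout>300</timeout>
  </active-response>
</ossec_config>
```

Two points this makes concrete, and both are the questions raised in the reply above: the response only fires when the expected field (here srcip) is actually decoded from the triggering event, and host-deny.sh adds that address to /etc/hosts.deny on whichever host the response runs, so a server-side response blocks the address from the OSSEC server itself, not from the Windows client the failed logons were aimed at. Blocking or disabling the account on the Windows side needs a different command and a decoded user field, as the reply explains.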
