Hi,

Actually I have this deployed at another location, and I'll only be able to access it tomorrow. So I want to have something concrete in hand to implement.

Sorry if it's an inconvenience for you. I simply want to disable a user account for a specific amount of time.

Regards

On Tue, Jul 17, 2012 at 10:15 PM, dan (ddp) <[email protected]> wrote:
> On Tue, Jul 17, 2012 at 12:26 PM, sahil sharma <[email protected]> wrote:
> > Please tell if you have any idea for Linux, as to how to block on a
> > Linux machine (administration)???
> > It would be a great help.
> >
>
> Did you read my mail? What do you want to "block" _specifically_? Do
> you want to disable the user account? Do you want to block the src
> ip? Do a little bit of work here to help yourself.
>
> > On Tue, Jul 17, 2012 at 8:49 PM, dan (ddp) <[email protected]> wrote:
> >>
> >> On Tue, Jul 17, 2012 at 11:10 AM, sahil sharma <[email protected]> wrote:
> >> > Also:
> >> >
> >> > 1) I have put <rule_id>1100001</rule_id> with host-deny at
> >> > ossec-config. (1100001 is the rule I have defined for multiple logon
> >> > failure events.)
> >> >
> >> > 2) Active response is enabled.
> >> >
> >> > Still, the user triggering this rule is not being blocked even after
> >> > entering the wrong password multiple times.
> >> >
> >> > On Tue, Jul 17, 2012 at 8:36 PM, sahil sharma <[email protected]> wrote:
> >> >>
> >> >> Hi,
> >> >>
> >> >> I guess there is some misunderstanding; maybe I had written
> >> >> something confusing:
> >> >>
> >> >> My requirement is simple. I want to block a user if he enters the
> >> >> wrong password (multiple times) to log on to a Windows client.
> >> >>
> >> >> I have already defined a local rule for "multiple logon failure" and
> >> >> tested the same; it's working perfectly fine.
> >> >>
> >> >> Now, I just want to block a client for the next "5 minutes" or so if
> >> >> he triggers this rule.
> >> >>
> >> >> Please tell me what I should do step by step to ensure this blocking.
> >> >>
> >> >> Sorry if it's a lengthy thing for you.
> >> >>
> >> >> Regards
> >> >> Sahil.
> >> >>
> >>
> >> Answering these questions will help you figure out how to solve this:
> >> How are users logging in? - This will determine how you want to block
> >> them. Can you block the source host, or do you need to disable the
> >> account?
> >>
> >> How is rule 18106 decoded (with the specific log messages you're
> >> worried about)? - If you're going to disable the account, the user
> >> needs to be decoded. Same goes for the srcip if you're blocking by
> >> host.
> >>
> >> Based on your answers to those questions you should be able to
> >> determine what the active response command should do (create a null
> >> route, disable a user, modify a firewall, etc.), where it should run
> >> (on the agent, on the server, on a specific host), and if you have to
> >> modify decoders to actually accomplish what you want to do.
> >>
> >> I don't know enough about Windows administration to give you step by
> >> step instructions. You'll have to do some work yourself (or hire
> >> someone technical).
> >
> >
>
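As an added example (not from the thread and not OSSEC's shipped configuration), here is the kind of ossec.conf active-response stanza that ties the poster's local rule 1100001 to OSSEC's stock disable-account script with the 5-minute timeout he asked for. It assumes the rule's decoder extracts a `user` field (the question dan raises above), that the account to disable lives on the Linux agent that produced the alert, and it uses the tag OSSEC actually reads, `<rules_id>`, rather than `<rule_id>` as written in the quoted mail.

```xml
<ossec_config>
  <!-- Command definition: the disable-account.sh script shipped in
       active-response/bin. It receives the decoded user name and, because
       timeouts are allowed, is called again with "delete" when the
       timeout expires so it can re-enable the account. -->
  <command>
    <name>disable-account</name>
    <executable>disable-account.sh</executable>
    <expect>user</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- Bind the command to the poster's rule only (not to a whole alert
       level), run it on the agent that generated the alert, and undo it
       after 300 seconds. If the failed logons come from a Windows agent,
       a shell script cannot run there; the response has to run where the
       account is managed, and the decoded user must be present in the
       alert or nothing is passed to the script. -->
  <active-response>
    <command>disable-account</command>
    <location>local</location>
    <rules_id>1100001</rules_id>
    <timeout>300</timeout>
  </active-response>
</ossec_config>
```

One operational point worth keeping in mind: because the trigger is just repeated wrong passwords for a known user name, anyone who knows that name can keep the account disabled, so the rule's frequency threshold and a short timeout like the one above limit how much damage that causes.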
