On Tue, Jul 17, 2012 at 1:05 PM, sahil sharma <[email protected]> wrote:
> Hi,
>
> Actually I have this deployed at another location, I'll be able to access it
> tomorrow only.
> So I want to have something concrete in my hand to implement.
>
> Sorry, if it's an inconvenience for you.
>

It's less of an inconvenience and more of a disappointment.

> I simply want to disable user account for a specific amount of time.
>
> Regards
>

Configure login failures to run the disable-account.sh active response
(assuming you aren't using centralized auth). Untested:

<command>
  <name>disable-account</name>
  <executable>disable-account.sh</executable>
  <expect>user</expect>
</command>

<active-response>
  <command>disable-account</command>
  <location>local</location>
  <rules_group>authentication_failed,authentication_failure</rules_group>
</active-response>

> On Tue, Jul 17, 2012 at 10:15 PM, dan (ddp) <[email protected]> wrote:
>>
>> On Tue, Jul 17, 2012 at 12:26 PM, sahil sharma
>> <[email protected]> wrote:
>> > Please tell if you have any idea for the linux. So as to how block on
>> > linux machine(administration)???
>> > It would be great help.
>> >
>>
>> Did you read my mail? What do you want to "block" _specifically_? Do
>> you want to disable the user account? Do you want to block the src
>> ip? Do a little bit of work here to help yourself.
>>
>> >
>> > On Tue, Jul 17, 2012 at 8:49 PM, dan (ddp) <[email protected]> wrote:
>> >>
>> >> On Tue, Jul 17, 2012 at 11:10 AM, sahil sharma
>> >> <[email protected]> wrote:
>> >> > Also:::
>> >> >
>> >> > 1) I have put <rule_id>1100001</rule_id> with host-deny at
>> >> > ossec-config.
>> >> > (1100001 is the rule I have defined for multiple logon failure
>> >> > events)
>> >> >
>> >> > 2) Active response is enabled.
>> >> >
>> >> > Still user triggering this rule is not being blocked even after
>> >> > entering wrong password multiple times.
>> >> >
>> >> >
>> >> >
>> >> > On Tue, Jul 17, 2012 at 8:36 PM, sahil sharma
>> >> > <[email protected]> wrote:
>> >> >>
>> >> >> Hi,
>> >> >>
>> >> >> I guess there is some misunderstanding, maybe I had written
>> >> >> something confusing:::
>> >> >>
>> >> >> My requirement is simple, I want to block a user if he enters wrong
>> >> >> password (multiple times) to log on to windows client.
>> >> >>
>> >> >> I have already defined a local rule for "multiple logon failure" and
>> >> >> tested the same, it's working perfectly fine.
>> >> >>
>> >> >> Now, I just want to block a client for next "5 minutes" or so if he
>> >> >> triggers this rule.
>> >> >>
>> >> >> Please tell me what should I do step by step to ensure this
>> >> >> blocking.
>> >> >>
>> >> >> Sorry, if it's a lengthy thing for you.
>> >> >>
>> >> >> Regards
>> >> >> Sahil.
>> >> >>
>> >> >>
>> >> Answering these questions will help you figure out how to solve this:
>> >> How are users logging in? - This will determine how you want to block
>> >> them. Can you block the source host, or do you need to disable the
>> >> account?
>> >>
>> >> How is rule 18106 decoded (with the specific log messages you're
>> >> worried about)? - If you're going to disable the account, the user
>> >> needs to be decoded. Same goes for the srcip if you're blocking by
>> >> host.
>> >>
>> >> Based on your answers to those questions you should be able to
>> >> determine what the active response command should do (create a null
>> >> route, disable a user, modify a firewall, etc.), where it should run
>> >> (on the agent, on the server, on a specific host), and if you have to
>> >> modify decoders to actually accomplish what you want to do.
>> >>
>> >> I don't know enough about Windows administration to give you step by
>> >> step instructions. You'll have to do some work yourself (or hire
>> >> someone technical).
>> >
>> >
>
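As an added example, not dan's config or OSSEC's own disable-account.sh, here is a minimal active-response executable following the convention OSSEC uses when it calls the script named in a `<command>` stanza: the first argument is `add` or `delete`, then the decoded user and source IP. The 5-minute lock the thread asks about comes from putting `<timeout>300</timeout>` in the `<active-response>` stanza, which makes OSSEC re-run the script with `delete` after 300 seconds; the log path below is an assumption and can be overridden.

```shell
#!/bin/sh
# Added example of an OSSEC active-response executable (not OSSEC's own
# disable-account.sh). OSSEC runs it as:
#   <script> add|delete <user> <srcip> <alert-id> <rule-id>
# "add" fires on the alert; with <timeout>300</timeout> in the
# <active-response> stanza, OSSEC runs it again with "delete" 300 s later.
# Log location is an assumption, overridable for testing.
AR_LOG="${AR_LOG:-/var/ossec/active-response/active-responses.log}"

# Validate the user and print the passwd command for the action.
# Refuses empty names, root, and anything outside a safe character set, so
# a username taken from a decoded log line can never add extra shell words.
lock_command() {
    action="$1"
    user="$2"
    case "$user" in
        ''|root|*[!a-zA-Z0-9_.-]*) return 1 ;;
    esac
    case "$action" in
        add)    printf 'passwd -l %s\n' "$user" ;;
        delete) printf 'passwd -u %s\n' "$user" ;;
        *)      return 1 ;;
    esac
}

# Audit line in the style of OSSEC's active-responses.log.
log_line() {
    printf '%s %s %s %s %s\n' "$(date)" "$0" "$1" "$2" "$3"
}

main() {
    action="$1"; user="$2"; srcip="${3:--}"
    cmd=$(lock_command "$action" "$user") || {
        echo "usage: $0 add|delete user [srcip alert-id rule-id]" >&2
        exit 1
    }
    log_line "$action" "$user" "$srcip" >> "$AR_LOG"
    # $cmd is safe to word-split: only validated characters reach it.
    $cmd
}

# Only act when OSSEC passes arguments; running bare does nothing.
case $# in
    0) ;;
    *) main "$@" ;;
esac
```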
