Thank you so much for putting me in the right direction. I was going in the wrong direction; I hope things will now work.
Cheers!!! Regards.

On Tue, Jul 17, 2012 at 10:41 PM, dan (ddp) <[email protected]> wrote:
> On Tue, Jul 17, 2012 at 1:05 PM, sahil sharma <[email protected]> wrote:
> > Hi,
> >
> > Actually I have this deployed at another location, I'll be able to access it
> > tomorrow only.
> > So I want to have something concrete in my hand to implement.
> >
> > Sorry if it's an inconvenience for you.
> >
>
> It's less of an inconvenience and more of a disappointment.
>
> > I simply want to disable a user account for a specific amount of time.
> >
> > Regards
> >
>
> Configure login failures to run the disable-account.sh active response
> (assuming you aren't using centralized auth).
>
> Untested:
> <command>
>   <name>disable-account</name>
>   <executable>disable-account.sh</executable>
>   <expect>user</expect>
> </command>
> <active-response>
>   <command>disable-account</command>
>   <location>local</location>
>   <rules_group>authentication_failed,authentication_failure</rules_group>
> </active-response>
>
> > On Tue, Jul 17, 2012 at 10:15 PM, dan (ddp) <[email protected]> wrote:
> >>
> >> On Tue, Jul 17, 2012 at 12:26 PM, sahil sharma <[email protected]> wrote:
> >> > Please tell if you have any idea for the linux. So as to how to block on a
> >> > linux machine (administration)???
> >> > It would be a great help.
> >> >
> >>
> >> Did you read my mail? What do you want to "block" _specifically_? Do
> >> you want to disable the user account? Do you want to block the src
> >> ip? Do a little bit of work here to help yourself.
> >>
> >> >
> >> > On Tue, Jul 17, 2012 at 8:49 PM, dan (ddp) <[email protected]> wrote:
> >> >>
> >> >> On Tue, Jul 17, 2012 at 11:10 AM, sahil sharma <[email protected]> wrote:
> >> >> > Also:::
> >> >> >
> >> >> > 1) I have put <rule_id>1100001</rule_id> with host-deny at ossec-config.
> >> >> > (1100001 is the rule I have defined for multiple logon failure events)
> >> >> >
> >> >> > 2) Active response is enabled.
> >> >> >
> >> >> > Still the user triggering this rule is not being blocked even after
> >> >> > entering the wrong password multiple times.
> >> >> >
> >> >> > On Tue, Jul 17, 2012 at 8:36 PM, sahil sharma <[email protected]> wrote:
> >> >> >>
> >> >> >> Hi,
> >> >> >>
> >> >> >> I guess there is some misunderstanding, maybe I had written something
> >> >> >> confusing:::
> >> >> >>
> >> >> >> My requirement is simple, I want to block a user if he enters the wrong
> >> >> >> password (multiple times) to log on to a windows client.
> >> >> >>
> >> >> >> I have already defined a local rule for "multiple logon failure" and
> >> >> >> tested the same, it's working perfectly fine.
> >> >> >>
> >> >> >> Now, I just want to block a client for the next "5 minutes" or so if he
> >> >> >> triggers this rule.
> >> >> >>
> >> >> >> Please tell me what I should do step by step to ensure this blocking.
> >> >> >>
> >> >> >> Sorry if it's a lengthy thing for you.
> >> >> >>
> >> >> >> Regards
> >> >> >> Sahil.
> >> >> >>
> >> >>
> >> >> Answering these questions will help you figure out how to solve this:
> >> >> How are users logging in? - This will determine how you want to block
> >> >> them. Can you block the source host, or do you need to disable the
> >> >> account?
> >> >>
> >> >> How is rule 18106 decoded (with the specific log messages you're
> >> >> worried about)? - If you're going to disable the account, the user
> >> >> needs to be decoded. Same goes for the srcip if you're blocking by
> >> >> host.
> >> >>
> >> >> Based on your answers to those questions you should be able to
> >> >> determine what the active response command should do (create a null
> >> >> route, disable a user, modify a firewall, etc.), where it should run
> >> >> (on the agent, on the server, on a specific host), and if you have to
> >> >> modify decoders to actually accomplish what you want to do.
> >> >>
> >> >> I don't know enough about Windows administration to give you step by
> >> >> step instructions. You'll have to do some work yourself (or hire
> >> >> someone technical).
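As an added example (not from the thread or from OSSEC's own configuration), dan's untested snippet written out as a complete ossec.conf fragment that ties the response to Sahil's local rule 1100001 and releases it after the 5 minutes he asked for. It assumes the agent is a Linux host, since disable-account.sh locks local accounts with passwd; the rules_id and timeout values are assumptions taken from the thread.

```xml
<ossec_config>
  <!-- Command definition: disable-account.sh ships with OSSEC and needs the
       decoded user name (<expect>user</expect>), so the decoder for the log
       line that fires rule 1100001 must extract the user (dan's point above).
       timeout_allowed lets the response be undone when the timeout expires. -->
  <command>
    <name>disable-account</name>
    <executable>disable-account.sh</executable>
    <expect>user</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- Bind the command to the local rule for multiple logon failures (1100001,
       assumed from the thread). location=local runs the script on the agent
       that produced the event. timeout=300 (seconds, assumed to match the
       "5 minutes" requested) makes OSSEC call the script again with the
       delete action so the account is re-enabled automatically. -->
  <active-response>
    <command>disable-account</command>
    <location>local</location>
    <rules_id>1100001</rules_id>
    <timeout>300</timeout>
  </active-response>
</ossec_config>
```

After restarting OSSEC, check /var/ossec/logs/active-responses.log to confirm the script ran with the expected user and was called again with delete once the timeout elapsed.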
