On Wed, Aug 22, 2012 at 6:18 AM, Michael Clark
<[email protected]> wrote:
> I've been using OSSEC for a while, but only with the default rules.
> I've experimented, but I'm just not understanding how to make a custom rule
> kick in when a loser tries guessing passwords to a non-existent user.
> Basically, if someone uses dovecot and tries a password for the user
> "root" (or admin, or adm, or a bunch of others that I frequently see) I
> want the IP blocked on the first request. Thanks, Mike
>


What have you tried?
How is your system currently configured?
Why do I have to ask all of these questions?
Is active response enabled on the agent and server?
Do you have log samples you can provide?
Do you really want this to work?
Why does the subject say "block based on user" when it seems like you
want to block an IP?
Are you sure you've tried?
Exactly what usernames do you want to cause a block on the first try?
