On Mon, Jan 14, 2013 at 10:23 AM, Michiel van Es <[email protected]> wrote: > > > Op maandag 14 januari 2013 15:36:05 UTC+1 schreef dan (ddpbsd) het volgende: >> >> On Mon, Jan 14, 2013 at 8:51 AM, Michiel van Es <[email protected]> >> wrote: >> > Hello, >> > >> > We want to firewall-drop failed logins with SSH after 3 failed >> > passwords. >> > We have the following config in /var/ossec/etc/ossec.conf (OSSEC 2.6) >> > for >> > the commands and active responses: >> > >> > >> > <command> >> > <name>host-deny</name> >> > <executable>host-deny.sh</executable> >> > <expect>srcip</expect> >> > <timeout_allowed>yes</timeout_allowed> >> > </command> >> > >> > <command> >> > <name>firewall-drop</name> >> > <executable>firewall-drop.sh</executable> >> > <expect>srcip</expect> >> > <timeout_allowed>yes</timeout_allowed> >> > </command> >> > >> > <command> >> > <name>disable-account</name> >> > <executable>disable-account.sh</executable> >> > <expect>user</expect> >> > <timeout_allowed>yes</timeout_allowed> >> > </command> >> > >> > <command> >> > <name>restart-ossec</name> >> > <executable>restart-ossec.sh</executable> >> > <expect></expect> >> > </command> >> > >> > <active-response> >> > <command>restart-ossec</command> >> > <location>local</location> >> > <rules_id>510010</rules_id> >> > </active-response> >> > >> > <active-response> >> > <disabled>no</disabled> >> > <command>host-deny</command> >> > <location>local</location> >> > <rules_id>2502,5720</rules_id> >> > <timeout>1800</timeout> >> > </active-response> >> > >> > <active-response> >> > <disabled>no</disabled> >> > <command>firewall-drop</command> >> > <location>local</location> >> > <rules_id>2502,5720</rules_id> >> > <timeout>1800</timeout> >> > </active-response> >> > >> > 5720 is using 5716 in sshd_rules.xml for multiple failed logins >> > (frequency >> > is 6). >> > I restarted the ossec-hids on the manager and tried logging in with a >> > known >> > and unknown account and with both scenario's the srcip is not being >> > blocked >> > after 6 times within 30 seconds. >> > >> > Am I missing something? >> >> >>frequency=6 means 8 attempts. >> > Even after 100 tries it still does not do anything with only 5720. > The 5716 rule is working correctly and blocking after 1 failed attempt, the > frequency set for 5720 does nothing. > Does anyone have a sample SSH active response config for ossec 2.6 which I > can test and try? > > Michiel
Can you give a log sample that should be triggering 5720?
