On Mon, Jan 14, 2013 at 10:28 AM, dan (ddp) <[email protected]> wrote:
> On Mon, Jan 14, 2013 at 10:23 AM, Michiel van Es <[email protected]> wrote:
>>
>> On Monday, 14 January 2013 15:36:05 UTC+1, dan (ddpbsd) wrote the following:
>>>
>>> On Mon, Jan 14, 2013 at 8:51 AM, Michiel van Es <[email protected]> wrote:
>>> > Hello,
>>> >
>>> > We want to firewall-drop failed logins with SSH after 3 failed passwords.
>>> > We have the following config in /var/ossec/etc/ossec.conf (OSSEC 2.6)
>>> > for the commands and active responses:
>>> >
>>> > <command>
>>> >   <name>host-deny</name>
>>> >   <executable>host-deny.sh</executable>
>>> >   <expect>srcip</expect>
>>> >   <timeout_allowed>yes</timeout_allowed>
>>> > </command>
>>> >
>>> > <command>
>>> >   <name>firewall-drop</name>
>>> >   <executable>firewall-drop.sh</executable>
>>> >   <expect>srcip</expect>
>>> >   <timeout_allowed>yes</timeout_allowed>
>>> > </command>
>>> >
>>> > <command>
>>> >   <name>disable-account</name>
>>> >   <executable>disable-account.sh</executable>
>>> >   <expect>user</expect>
>>> >   <timeout_allowed>yes</timeout_allowed>
>>> > </command>
>>> >
>>> > <command>
>>> >   <name>restart-ossec</name>
>>> >   <executable>restart-ossec.sh</executable>
>>> >   <expect></expect>
>>> > </command>
>>> >
>>> > <active-response>
>>> >   <command>restart-ossec</command>
>>> >   <location>local</location>
>>> >   <rules_id>510010</rules_id>
>>> > </active-response>
>>> >
>>> > <active-response>
>>> >   <disabled>no</disabled>
>>> >   <command>host-deny</command>
>>> >   <location>local</location>
>>> >   <rules_id>2502,5720</rules_id>
>>> >   <timeout>1800</timeout>
>>> > </active-response>
>>> >
>>> > <active-response>
>>> >   <disabled>no</disabled>
>>> >   <command>firewall-drop</command>
>>> >   <location>local</location>
>>> >   <rules_id>2502,5720</rules_id>
>>> >   <timeout>1800</timeout>
>>> > </active-response>
>>> >
>>> > 5720 is using 5716 in sshd_rules.xml for multiple failed logins
>>> > (frequency is 6).
>>> > I restarted the ossec-hids on the manager and tried logging in with a
>>> > known and unknown account, and with both scenarios the srcip is not
>>> > being blocked after 6 times within 30 seconds.
>>> >
>>> > Am I missing something?
>>>
>>> frequency=6 means 8 attempts.
>>
>> Even after 100 tries it still does not do anything with only 5720.
>> The 5716 rule is working correctly and blocking after 1 failed attempt; the
>> frequency set for 5720 does nothing.
>> Does anyone have a sample SSH active response config for ossec 2.6 which I
>> can test and try?
>>
>> Michiel
>
> Can you give a log sample that should be triggering 5720?
Never mind, I found one. Are you sure 5720 is being triggered? Is AR enabled on the agent? Have you tried it on a system other than the OSSEC server?
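As an added illustration (not code from this thread or from OSSEC itself), the script below replays constructed sshd "Failed password" lines through the 5716 -> 5720 chain the way dan's reply describes it, including the point that frequency=6 only fires on the 8th match, and reports which source IPs the firewall-drop response bound to rules_id 2502,5720 would act on. The timeframe value, the per-srcip window as a stand-in for same_source_ip, and the window reset after 5720 fires are assumptions made here for the simulation.

```python
import re
from collections import defaultdict, deque

# OSSEC quirk confirmed in dan's reply: a composite rule with frequency=N
# fires on the (N + 2)-th matching event, so frequency=6 needs 8 failures.
FREQUENCY_OFFSET = 2
AR_RULES = {2502, 5720}  # rules_id of the firewall-drop <active-response>

# The sshd "Failed password" line that rule 5716 matches. Assumption: the
# timestamp is carried as plain epoch seconds in the first field.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<srcip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def make_line(ts, srcip, user):
    """Constructed sample log line (not real data)."""
    return f"{ts} host sshd[99]: Failed password for {user} from {srcip} port 4000 ssh2"

def evaluate(lines, frequency=6, timeframe=120):
    """Replay lines through 5716 -> 5720; return (rule_id, srcip) alerts.
    frequency mirrors rule 5720; timeframe is an assumed value. same_source_ip
    is modelled by keeping one sliding window per srcip.
    """
    alerts, windows = [], defaultdict(deque)
    for line in lines:
        ts_str, _, rest = line.partition(" ")
        m = FAILED_RE.search(rest)
        if not m:
            continue  # not a 5716 event
        ts, srcip = int(ts_str), m.group("srcip")
        alerts.append((5716, srcip))
        win = windows[srcip]
        win.append(ts)
        while ts - win[0] > timeframe:
            win.popleft()  # expire matches older than the timeframe
        if len(win) >= frequency + FREQUENCY_OFFSET:
            alerts.append((5720, srcip))
            win.clear()  # assumption: counting restarts once 5720 fires
    return alerts

def blocked_ips(alerts):
    """srcips the firewall-drop response would act on for these alerts."""
    return [ip for rid, ip in alerts if rid in AR_RULES]

if __name__ == "__main__":
    sample = [make_line(10 * i, "192.0.2.10", "root") for i in range(8)]
    sample.append(make_line(5, "198.51.100.7", "invalid user bob"))
    print(blocked_ips(evaluate(sample)))  # ['192.0.2.10']
```

Feeding seven failures instead of eight, or spacing them wider than the timeframe, yields no 5720 alert and therefore no block, which is the first thing to rule out before looking at the active-response side.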
