On Wed, Oct 2, 2013 at 8:49 AM, FSoyer <[email protected]> wrote:
> Hi list,
> I was unable to find an answer to this question in the posts. But it seems
> strange to me that no one had this need, so sorry if this has been discussed
> before.
> I've a server-agent architecture (say: one server, 20 agents). Is there a
> way to detect a scan, for example based on multiple failed login attempts
> from the same IP on some (or all) agents, but instead of blocking the hacker's
> IP individually, sequentially, on each agent when the scan is detected,
> configure the server to say "block this IP on ALL agents if it has been
> detected as a scan attempt on at least 2 (or 3) agents"?
> Hope this is clear :)
>
> Thanks
> Frank
>
Yes. Write a rule looking for authentication failures from the same IP, and set up active response to block on all agents.

> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
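The reply above describes the two pieces needed; the configuration below is an added illustration of them, not the reply author's own config or anything shipped by the OSSEC project. The rule id 100100, the level, and the frequency/timeframe thresholds are constructed values chosen for the example. It assumes the stock OSSEC groups and scripts: the `authentication_failed` rule group that the bundled sshd/PAM/FTP decoders and rules populate, and the `firewall-drop.sh` script that ships under `active-response/bin/`.

```xml
<!-- /var/ossec/rules/local_rules.xml on the server (added example).
     Because every agent forwards its events to the server, a composite rule
     with <same_source_ip/> counts failures from ALL agents together: 6
     failures from one IP in 120 s trips it whether they hit one agent or six.
     Rule id 100100 and the thresholds are constructed, not OSSEC defaults. -->
<group name="local,authentication_failures,">
  <rule id="100100" level="10" frequency="6" timeframe="120">
    <if_matched_group>authentication_failed</if_matched_group>
    <same_source_ip />
    <description>Multiple authentication failures from the same source IP across agents.</description>
    <group>authentication_failures,</group>
  </rule>
</group>

<!-- /var/ossec/etc/ossec.conf on the server, inside <ossec_config>.
     The <command> entry is the stock firewall-drop definition; the
     <active-response> entry binds it to rule 100100 and runs it everywhere. -->
<command>
  <name>firewall-drop</name>
  <executable>firewall-drop.sh</executable>
  <expect>srcip</expect>
  <timeout_allowed>yes</timeout_allowed>
</command>

<active-response>
  <command>firewall-drop</command>
  <location>all</location>   <!-- server and every connected agent -->
  <rules_id>100100</rules_id>
  <timeout>600</timeout>     <!-- the script is re-run to unblock after 10 minutes -->
</active-response>

<!-- Keep your own management addresses out of the block list (constructed
     address); active response never fires on IPs in the global white_list. -->
<global>
  <white_list>192.0.2.10</white_list>
</global>
```

Two points worth knowing before relying on this. First, the server-side composite rule counts total failures from one source IP, not the number of distinct agents that saw it, so "detected on at least 2 agents" becomes "N failures in total across the fleet"; if you want a per-agent threshold as well, keep a lower-frequency rule of the same shape and tie a `<location>local</location>` response to it. Second, after restarting the server, verify the fan-out by checking `/var/ossec/logs/active-responses.log` on an agent that never saw the failing logins: the `firewall-drop.sh add` entry there confirms the block was pushed from the server rather than triggered locally.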
