On Fri, Nov 18, 2016 at 10:06 AM, Whit Blauvelt <[email protected]> wrote:
> Hi Dan,
>
> Since I skipped answering this:
>
> On Mon, Nov 14, 2016 at 11:09:52AM -0500, dan (ddp) wrote:
>
>> > Except in a context of anon FTP servers (does anyone run those any more?)
>> > blocking IPs because they connect using valid logins "too often" is a
>> > dangerous default. "First, do no harm."
>>
>> Creating perfect defaults for every environment is nearly impossible.
>> Niche and odd-ball usage patterns can cause issues.
>>
>> Which rule was triggering the alerts? Maybe it's time for a tweak.
>
> 11301 in pure-ftpd_rules (not to be confused with 11302 for multiple failed
> logins).
>
I'm not sure why this would trigger anything by default. The level is only 3, and the default for triggering AR is 6.

> Whit
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
