Hello,
Thank you for your answer.
I modified the Active-Response in the file /var/ossec/etc/ossec.conf to
look like this:
<!-- Active Response Config -->
<active-response>
<!-- This response is going to execute the host-deny
- command for every event that fires a rule with
- level (severity) >= 6.
- The IP is going to be blocked for 600 seconds.
-->
<command>host-deny</command>
<location>all</location>
<level>6</level>
<timeout>600</timeout>
</active-response>
<active-response>
<!-- Firewall Drop response. Block the IP for
- 600 seconds on the firewall (iptables,
- ipfilter, etc).
-->
<command>firewall-drop</command>
<location>all</location>
<level>6</level>
<timeout>600</timeout>
</active-response>
Then I added the following in /var/ossec/rules/local_rules.xml
<group name="syslog,sshd,">
<rule id="5712" level="10" frequency="3" timeframe="120" ignore="60"
overwrite="yes">
<if_matched_sid>5710</if_matched_sid>
<description>SSHD brute force trying to get access to </description>
<description>the system.</description>
<same_source_ip />
<group>authentication_failures,</group>
</rule>
<rule id="5720" level="10" frequency="3" overwrite="yes">
<if_matched_sid>5716</if_matched_sid>
<same_source_ip />
<description>Multiple SSHD authentication failures.</description>
<group>authentication_failures,</group>
</rule>
</group>
and finally restarted ossec-control, but it isn't working. I can still try
to log in after 6 attempts.
On Wednesday, March 15, 2017 at 7:01:37 PM UTC+1, dan (ddpbsd) wrote:
>
> On Wed, Mar 15, 2017 at 7:25 AM, Martin <[email protected]>
> wrote:
> > Hello,
> >
> > First, I'm sorry if the question has already been asked.
> >
> > So what I'm trying to achieve is this:
> >
> > If someone fails to log in too many times on one of my agents, I want this
> > IP to be dropped on all other agents and the server.
> >
> > Same goes the other way around: if someone tries on the server, I want it
> > to be dropped on the server and all the agents.
> >
> > I tried to edit the file ossec.conf on the server and put 'all' instead
> > of 'local':
> >
> >
> > <!-- Active Response Config -->
> > <active-response>
> > <!-- This response is going to execute the host-deny
> > - command for every event that fires a rule with
> > - level (severity) >= 6.
> > - The IP is going to be blocked for 600 seconds.
> > -->
> > <command>host-deny</command>
> > <location>all</location>
> > <level>6</level>
> > <timeout>600</timeout>
> > </active-response>
> >
> >
> > <active-response>
> > <!-- Firewall Drop response. Block the IP for
> > - 600 seconds on the firewall (iptables,
> > - ipfilter, etc).
> > -->
> > <command>firewall-drop</command>
> > <location>all</location>
> > <level>6</level>
> > <timeout>600</timeout>
> > </active-response>
> >
> > If I want to edit the number of failed SSH attempts, which file do I
> > have to edit? /var/ossec/rules/sshd_rules.xml?
> >
>
> You can copy the rule you want to modify to local_rules.xml, and add:
> overwrite="yes"
> to the "<rule" line.
>
> >
> > Thanks for your help,
> > Best regards.
> >
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google
> Groups
> > "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send
> an
> > email to [email protected].
> > For more options, visit https://groups.google.com/d/optout.
>
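As an added example (not code from the thread or from OSSEC itself), here is a small Python model of how the frequency, timeframe, ignore and same_source_ip attributes used on rule 5712 above combine, run over constructed sshd log lines. It assumes the documented OSSEC/Wazuh behaviour that a composite rule fires after frequency + 2 matches, so frequency="3" needs five failures from one address inside the timeframe; tracking the ignore period per source address is a simplification of this example.

```python
import re
from collections import defaultdict, deque

# Constructed sshd lines (epoch seconds, message); not taken from the thread.
SAMPLE_LOG = [
    (0,   "sshd[100]: Failed password for root from 203.0.113.7 port 4000 ssh2"),
    (0,   "sshd[101]: Failed password for root from 198.51.100.9 port 4001 ssh2"),
    (5,   "sshd[102]: Failed password for root from 198.51.100.9 port 4002 ssh2"),
    (10,  "sshd[103]: Failed password for root from 203.0.113.7 port 4003 ssh2"),
    (10,  "sshd[104]: Failed password for root from 198.51.100.9 port 4004 ssh2"),
    (20,  "sshd[105]: Failed password for invalid user admin from 203.0.113.7 port 4005 ssh2"),
    (25,  "sshd[106]: Accepted publickey for ops from 192.0.2.4 port 4006 ssh2"),
    (30,  "sshd[107]: Failed password for root from 203.0.113.7 port 4007 ssh2"),
    (40,  "sshd[108]: Failed password for root from 203.0.113.7 port 4008 ssh2"),
    (50,  "sshd[109]: Failed password for root from 203.0.113.7 port 4009 ssh2"),
    (300, "sshd[110]: Failed password for root from 203.0.113.7 port 4010 ssh2"),
]

# Child-rule stand-in: the failure line the composite rule counts (rule 5710/5716 style).
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+)")

def correlate(events, frequency=3, timeframe=120, ignore=60, plus_two=True):
    """Return [(timestamp, ip)] for every firing of a composite rule carrying the
    given frequency/timeframe/ignore attributes.  same_source_ip is modelled by
    keeping one sliding window per source address.  plus_two applies the
    documented OSSEC/Wazuh behaviour that the rule fires at frequency + 2 matches."""
    required = frequency + 2 if plus_two else frequency
    windows = defaultdict(deque)   # ip -> timestamps of matches inside the timeframe
    ignored_until = {}             # ip -> rule is silenced for this ip until this time
    fired = []
    for ts, msg in events:
        m = FAILED_RE.search(msg)
        if not m:
            continue               # not an auth failure: the child rule would not match
        ip = m.group("ip")
        if ts < ignored_until.get(ip, 0):
            continue               # inside the ignore period after a previous firing
        q = windows[ip]
        q.append(ts)
        while ts - q[0] > timeframe:
            q.popleft()            # discard matches older than the timeframe
        if len(q) >= required:
            fired.append((ts, ip))
            q.clear()
            ignored_until[ip] = ts + ignore
    return fired

if __name__ == "__main__":
    for ts, ip in correlate(SAMPLE_LOG):
        print(f"t={ts}s: brute-force rule fires for {ip}")
```

With the rule as posted (frequency 3, timeframe 120) only 203.0.113.7 fires, at its fifth failure; 198.51.100.9 stops at three and never reaches the threshold.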