On Thu, Mar 23, 2017 at 12:29 PM, The Dude <[email protected]> wrote:
> I went with the first option. Works as expected but now I need to adjust the
> number of fails before the IP is blocked. Where do I do that?
>

Try using 5720 for the rule to trigger active response. It looks for 8+ instances by default.

>
> On Monday, March 20, 2017 at 2:56:29 PM UTC-4, The Dude wrote:
>>
>> I am new to ossec and I am trying to figure out what is the best way to
>> change a rule. In the ossec.conf it says this:
>>
>>>   <!-- Active Response Config -->
>>>   <active-response>
>>>     <!-- This response is going to execute the host-deny
>>>        - command for every event that fires a rule with
>>>        - level (severity) >= 6.
>>>        - The IP is going to be blocked for 600 seconds.
>>>     -->
>>>     <command>host-deny</command>
>>>     <location>local</location>
>>>     <level>6</level>
>>>     <timeout>600</timeout>
>>>   </active-response>
>>
>> I am assuming the level it is referring to is the level set in the
>> rule.xml. So the sshd_rules.xml has this line:
>>
>>>   <rule id="5716" level="5">
>>>     <if_sid>5700</if_sid>
>>>     <match>^Failed|^error: PAM: Authentication</match>
>>>     <description>SSHD authentication failed.</description>
>>>     <group>authentication_failed,</group>
>>>   </rule>
>>
>> When testing failed SSH logins I see the alert in the alert.log for the
>> rule above. How should I go about changing the level to 6 so it will get
>> blocked? I tried editing the sshd_rules.xml but get the read-only warning.
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
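As an added illustration (not code from this thread or from the OSSEC project), the two pieces that answer both questions in the thread without touching the read-only sshd_rules.xml: a local_rules.xml override that changes how many failures rule 5720 needs before it fires, and an active-response stanza that is keyed on that rule id instead of on a bare severity level. Assumptions: the stock 5720 is the "Multiple SSHD authentication failures" correlation rule built on 5716 with frequency 8, local_rules.xml is already included from the <rules> section of ossec.conf (the default), and the values frequency="4" and timeframe="120" are illustrative choices, not defaults.

```xml
<!-- /var/ossec/rules/local_rules.xml
     Added example, not from the thread. Overriding here survives upgrades;
     editing sshd_rules.xml directly does not (hence the read-only warning). -->
<group name="local,syslog,sshd,">

  <!-- Override the stock correlation rule 5720 (assumed: level 10, frequency 8,
       if_matched_sid 5716, same_source_ip). overwrite="yes" replaces it in place
       so the rule id stays 5720 and existing references keep working.
       frequency="4" and timeframe="120" are illustrative: fire after 4+ failed
       SSH logins from one source IP within 120 seconds. -->
  <rule id="5720" level="10" frequency="4" timeframe="120" overwrite="yes">
    <if_matched_sid>5716</if_matched_sid>
    <same_source_ip />
    <description>Multiple SSHD authentication failures.</description>
    <group>authentication_failures,</group>
  </rule>

</group>

<!-- /var/ossec/etc/ossec.conf  (fragment, same file as the thread's snippet)
     Trigger host-deny on the correlation rule only, not on every level>=6 alert.
     This is what "use 5720 for the rule to trigger active response" looks like. -->
<ossec_config>
  <active-response>
    <command>host-deny</command>
    <location>local</location>
    <rules_id>5720</rules_id>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

Why key on <rules_id> rather than <level>: a single failed login (5716, level 5) never blocks anyone, but raising it to level 6 as the original question proposed would block a source on its first typo. Pinning the response to the correlation rule keeps the threshold logic in one place, the frequency attribute, which is exactly the knob the follow-up question asks about. After editing, restart with /var/ossec/bin/ossec-control restart and feed a sample sshd "Failed password" line to /var/ossec/bin/ossec-logtest to confirm 5716 still matches and that the overridden 5720 is loaded without an XML error.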
