Hi
I have an issue with failed FTP logins. The IP address is getting blocked after 1 or 2 failed connections. According to the ossec docs (https://www.ossec.net/docs/syntax/head_rules.html?highlight=frequency#frequency), the frequency is the number of times the rule (in this case failed FTP connections) must have matched before firing.
When I add <rule id="11306" level="10" frequency="25" timeframe="60"> to the config file /var/ossec/rules/pure-ftpd_rules.xml, it doesn't change anything.
I have restarted the ossec service with "systemctl restart ossec-hids". Which configuration do I have to change so that the IP address is not getting blocked immediately?
These are the FTP rules in /var/ossec/rules/pure-ftpd_rules.xml:
<rule id="11302" level="5">
  <if_sid>11300</if_sid>
  <match>[WARNING] Authentication failed for user</match>
  <description>FTP Authentication failed.</description>
  <group>authentication_failed,</group>
</rule>
<rule id="11306" level="10" frequency="6" timeframe="60">
  <if_matched_sid>11302</if_matched_sid>
  <description>FTP brute force (multiple failed logins).</description>
  <group>authentication_failures,</group>
</rule>
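
Added example (not part of the original post and not OSSEC code): a Python model of the frequency/timeframe wording quoted above, applied to rules 11302 and 11306 over constructed pure-ftpd log lines, to show how many failures each frequency setting needs before 11306 would fire. Assumptions: the syslog line layout, the function names, that 11306 fires on exactly the frequency-th match inside the timeframe, and that counting restarts after an alert.

```python
import re
from collections import deque
from datetime import datetime

# Constructed pure-ftpd syslog lines (documentation IP range), not real logs.
SAMPLE_LOG = """\
Mar  3 10:15:01 ftp1 pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [bob]
Mar  3 10:15:05 ftp1 pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [bob]
Mar  3 10:15:06 ftp1 pure-ftpd: (?@198.51.100.9) [INFO] New connection from 198.51.100.9
Mar  3 10:15:09 ftp1 pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [admin]
Mar  3 10:15:14 ftp1 pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [admin]
Mar  3 10:15:20 ftp1 pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [root]
Mar  3 10:15:27 ftp1 pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [root]
Mar  3 10:17:40 ftp1 pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [bob]
Mar  3 10:17:45 ftp1 pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [bob]
"""

MATCH_11302 = "[WARNING] Authentication failed for user"  # <match> of rule 11302
# Assumed layout: "<Mon> <day> <time> <host> pure-ftpd: (<user>@<source>) <message>"
LINE_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ pure-ftpd: \([^@)]*@([^)]+)\) (.*)$"
)


def failed_logins(log_text, year=2024):
    """Return (timestamp, source) for every line rule 11302 would match."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and MATCH_11302 in m.group(3):
            # Syslog timestamps carry no year, so a fixed one is supplied.
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            hits.append((ts, m.group(2)))
    return hits


def composite_alerts(hits, frequency, timeframe):
    """Model rule 11306: alert once `frequency` hits lie within `timeframe` seconds."""
    window, alerts = deque(), []
    for ts, _source in hits:  # the rule as posted has no per-source condition
        window.append(ts)
        while (ts - window[0]).total_seconds() > timeframe:
            window.popleft()  # drop matches older than the timeframe
        if len(window) >= frequency:
            alerts.append(ts)
            window.clear()  # assumption: counting restarts after an alert
    return alerts
```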
