Hello llehirgen, OSSEC has the functionality of blocking an IP after a specific number of failed attempts. This functionality is performed using the *active-response* capability: https://www.ossec.net/docs/syntax/head_ossec_config.active-response.html#active-response-block-a-srcip. The link shared is regarding a specific block from the OSSEC documentation that is performing something similar to what you are experiencing: blocking an IP if a rule within the groups specified is triggered. Could you make sure that you do not have any active response stanza similar to that one in your configuration file, found at */var/ossec/etc/ossec.conf* by default?
I hope this helps.

On Tuesday, November 5, 2019 at 6:31:12 PM UTC+1 llehirgen wrote:

> I installed OSSEC HIDS in an Ubuntu 18.04 LTS server in a VirtualBox virtual machine, for testing purposes.
> After OSSEC I installed fail2ban and started to test it.
> fail2ban is configured by me for banning an IP after 4 wrong login attempts via ssh.
> So, I tried to ssh connect to my server from another virtual machine, and after 3 attempts (not 4) I was disconnected and apparently banned for about 600 seconds.
> Now I am wondering what could have happened.
> It cannot be fail2ban that banned me, because fail2ban registered only 2 attempts and did not ban me.
> Is OSSEC perhaps configured by default to ban an IP after 3 wrong ssh login attempts?
> I could not find documentation.
> I noticed that fail2ban enters into play only if there is a long time between two failed ssh login attempts.
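
One way to carry out the check asked for in the reply, as an added example (not part of the original thread and not OSSEC project code): list every active-response stanza in the configuration and pick out those whose timeout equals the ban length that was observed. `SAMPLE_CONF` is constructed, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the style of ossec.conf (not the poster's actual file).
SAMPLE_CONF = """
<ossec_config>
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
  <active-response>
    <command>host-deny</command>
    <location>local</location>
    <rules_group>authentication_failed,authentication_failures</rules_group>
    <timeout>1800</timeout>
  </active-response>
</ossec_config>
"""

FIELDS = ("command", "location", "level", "rules_group", "rules_id", "timeout")

def list_active_responses(conf_text):
    """Return one dict per <active-response> stanza in the config text."""
    # The file may hold several <ossec_config> blocks, so wrap them in a
    # single synthetic root before parsing (assumes no XML declaration).
    root = ET.fromstring("<wrapper>" + conf_text + "</wrapper>")
    return [{f: (ar.findtext(f) or "").strip() for f in FIELDS}
            for ar in root.iter("active-response")]

def stanzas_with_timeout(conf_text, seconds):
    """Stanzas whose block duration equals an observed ban length."""
    return [s for s in list_active_responses(conf_text)
            if s["timeout"].isdigit() and int(s["timeout"]) == seconds]

if __name__ == "__main__":
    # Point this at the real file instead of SAMPLE_CONF on an OSSEC host.
    for stanza in stanzas_with_timeout(SAMPLE_CONF, 600):
        print(stanza)
```

A stanza that sets `level` without `rules_group` or `rules_id` fires on any alert at or above that level, so it can block a source IP before fail2ban reaches its own threshold.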
