Oh, I did it and it works great: it can block me before I get my password. Thank you so much.
On Wed, Sep 23, 2020 at 18:21 Daniel Folch <[email protected]> wrote:
> Hello,
>
> First, let us start with the active response configuration of the manager
> and agent. The configuration you shared should be used on the manager side,
> and for the agent you just need to set it like this:
>
> <active-response>
>   <disabled>no</disabled>
>   <ca_store>/var/ossec/etc/wpk_root.pem</ca_store>
>   <ca_verification>yes</ca_verification>
> </active-response>
>
> As a side note, rule 5720 is triggered when rule 5716 activates 8 times in a
> short period of time, so having both of them in the active response is not
> necessary.
>
> Hydra tests the passwords in the list sequentially and it is really fast,
> so if your list only contains a few passwords it may be possible for Hydra to
> test the correct password from the list before active response can shut
> down the connection from the IP. This should not happen in a real brute
> force attack, as the list of passwords would be long enough for active
> response to act in time. A possibility to minimize this phenomenon would be
> to reduce the number of attempts needed before shutting down.
>
> Just to verify, could you share the length of the list you are using for
> this test, and if possible could you try running Hydra like this to verify
> that active response is working as intended:
>
> hydra -l agent -x 1:5:aA1 [AGENT_IP] ssh
>
> This will try to test all combinations of lowercase characters, uppercase
> characters, and numbers with a length between 1 and 5, so it should not be
> able to find your password before active response triggers.
>
> Regards,
> Daniel Folch
>
> On Tuesday, September 22, 2020 at 1:07:58 PM UTC+2, [email protected] wrote:
>> Hi everybody,
>> I have seen an article about configuring active-response to block SSH
>> bruteforce on https://wazuh.com/blog/blocking-attacks-active-response/
>>
>> I have configured the direction and added some SSH related rules hoping
>> that it will prevent the attack, but it doesn't work.
>> I configured the following in ossec.conf:
>>
>> <command>
>>   <name>firewall-drop</name>
>>   <executable>firewall-drop.sh</executable>
>>   <expect>srcip</expect>
>>   <timeout_allowed>yes</timeout_allowed>
>> </command>
>>
>> <active-response>
>>   <command>firewall-drop</command>
>>   <location>local</location>
>>   <rules_id>5712,5716,5720</rules_id>
>>   <timeout>1800</timeout>
>> </active-response>
>>
>> I still find the password to log in after bruteforce. I use the following
>> command to attack:
>> hydra -l agent -P /home/attacker/Desktop/list.txt 192.168.10.2 -t 4 ssh
>>
>> Is there any way the active-response can prevent this?
>> Thanks everyone
>>
> --
> ---
> You received this message because you are subscribed to a topic in the
> Google Groups "ossec-list" group.
> To unsubscribe from this topic, visit
> https://groups.google.com/d/topic/ossec-list/cy2mP6V_zl0/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to
> [email protected].
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/ossec-list/fc270a22-8c00-4094-a5b5-fed439442598o%40googlegroups.com.
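The point Daniel makes in the quoted reply (a short wordlist can reach the right password before the frequency rule fires, and lowering the attempt threshold closes that gap) is easy to check with a small simulation of the detection window. The script below is an added example written for this thread, not code from the thread, from OSSEC or from Wazuh. It replays constructed sshd log lines through a simplified model of rule 5720: once `frequency` "Failed password" events from one source IP fall inside `timeframe` seconds, that IP is treated as blocked and every later event from it is counted as dropped. The frequency of 8 comes from the reply; the 120-second window is an assumption mirroring the stock sshd_rules.xml values (check your own rules file), and the model counts exactly `frequency` matches, ignoring any internal counting quirks of the real analysis engine.

```python
"""Simulate an OSSEC/Wazuh-style frequency rule (like 5720) over sshd log lines.

Added example, not project code. Log lines are constructed; the 8-in-120s
window is an assumption that mirrors the stock sshd rules (verify locally).
"""
import re
from collections import defaultdict, deque
from datetime import datetime

YEAR = 2020  # syslog lines carry no year; constructed sample year

# Matches both failed and accepted password logins from sshd.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<kind>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<srcip>\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed scenario 1: a 5-entry list where the 5th guess is correct.
SHORT_LIST_LINES = [
    "Sep 23 18:21:01 agent sshd[1201]: Failed password for agent from 192.0.2.10 port 50001 ssh2",
    "Sep 23 18:21:01 agent sshd[1202]: Failed password for agent from 192.0.2.10 port 50002 ssh2",
    "Sep 23 18:21:02 agent sshd[1203]: Failed password for agent from 192.0.2.10 port 50003 ssh2",
    "Sep 23 18:21:02 agent sshd[1204]: Failed password for agent from 192.0.2.10 port 50004 ssh2",
    "Sep 23 18:21:03 agent sshd[1205]: Accepted password for agent from 192.0.2.10 port 50005 ssh2",
]

# Constructed scenario 2: a long-list run, ten failures in ten seconds.
BURST_LINES = [
    f"Sep 23 18:30:{i:02d} agent sshd[{1300 + i}]: Failed password for invalid user admin "
    f"from 192.0.2.20 port {51000 + i} ssh2"
    for i in range(10)
]

SAMPLE_LINES = SHORT_LIST_LINES + BURST_LINES


def parse(line):
    """Return (timestamp, kind, user, srcip) or None for non-matching lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["kind"], m["user"], m["srcip"]


def simulate(lines, frequency=8, timeframe=120):
    """Per source IP, apply a sliding-window frequency rule.

    Once `frequency` failures fall within `timeframe` seconds the IP is marked
    blocked at that timestamp; later events from it are counted as dropped,
    modelling firewall-drop cutting the connection. An accepted login seen
    before the block is the failure mode discussed in the thread.
    """
    window = defaultdict(deque)
    state = {}
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        ts, kind, _user, ip = ev
        s = state.setdefault(ip, {"blocked_at": None, "failures": 0,
                                  "accepted_before_block": False, "dropped": 0})
        if s["blocked_at"] is not None:
            s["dropped"] += 1          # never reaches sshd once blocked
            continue
        if kind == "Accepted":
            s["accepted_before_block"] = True
            continue
        s["failures"] += 1
        q = window[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > timeframe:
            q.popleft()                # expire failures outside the window
        if len(q) >= frequency:
            s["blocked_at"] = ts
    return state


if __name__ == "__main__":
    for freq in (8, 4):
        print(f"frequency={freq}")
        for ip, s in simulate(SAMPLE_LINES, frequency=freq).items():
            print(f"  {ip}: blocked_at={s['blocked_at']} failures={s['failures']} "
                  f"accepted_before_block={s['accepted_before_block']} dropped={s['dropped']}")
```

With the default threshold the five-guess source logs in before any block, while the ten-guess source is cut off at its eighth failure; rerunning with `frequency=4` blocks the short-list source after four failures so the accepted login never gets through, which is the mitigation Daniel suggests. The script models only the detection window, not the active response timeout or the firewall itself.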
