Disabling root seems like a nice path to a DoS. You'd probably do better to use a rule to block the offending IP rather than killing root's account. (Hint from hard personal experience: Exclude your own IP from the rule.)
On 09/19/2011 10:56 AM, dan (ddp) wrote:
>
> On Sep 19, 2011 11:53 AM, "Damien Hull" <dh...@section9.us> wrote:
>>
>> Here's my configuration for disable-account. It doesn't work. I'm not sure I understand how it works. I was hoping a user would get kicked off the system after too many failed login attempts. I tried to "su" to root and type in the wrong password. I get an email from OSSEC but that's it. The user is not kicked off the system.
>>
>> <active-response>
>> <command>disable-account</command>
>> <location>local</location>
>> <timeout>600</timeout>
>> </active-response>
>>
>
> It doesn't look like you list when the AR should fire. Certain sid? Certain level?
> Also, I'm not sure the user will be kicked off. The account will be disabled, but beyond that I'm not sure (I don't use that script).
>
>> On Sep 18, 2011, at 5:42 PM, "dan (ddp)" <ddp...@gmail.com> wrote:
>>
>>> Why not share your configuration so we can try to help?
>>>
>>> On Sep 18, 2011 9:40 PM, "Damien Hull" <dh...@section9.us> wrote:
>>> > I just reinstalled OSSEC and configured "disable-account". No luck. It doesn't work.
>>> >
>>> > Are there any instructions for this?
>>> >
>>> > Sent from my iPhone
>>> >
>>> > On Sep 18, 2011, at 2:09 PM, Eero Volotinen <eero.voloti...@iki.fi> wrote:
>>> >
>>> >> 2011/9/19 Damien Hull <dh...@section9.us>:
>>> >>> I just installed OSSEC version 2.6 on ubuntu 10.04. I tried to configure OSSEC to disable a user account with no luck.
>>> >>>
>>> >>> I tested it by typing the wrong password into "su". I get an email but the account is still active.
>>> >>>
>>> >>> How do I disable user accounts with OSSEC?
>>> >>>
>>> >>
>>> >> is active response enabled?
>>> >>
>>> >> --
>>> >> Eero
> --
--
Steve
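Pulling the thread's two points together (the active-response block needs a trigger, and blocking the offending source IP is safer than disabling root), here is an added ossec.conf fragment. It is an illustration written for this page, not the original poster's configuration or anything shipped by OSSEC; the IP address in white_list and the level threshold are constructed values to adapt locally.

```xml
<ossec_config>

  <!-- Addresses that must never be blocked, even if they trip a rule.
       Put the admin workstation here (constructed address). -->
  <global>
    <white_list>192.0.2.10</white_list>
  </global>

  <!-- Make sure active response is not globally switched off. -->
  <active-response>
    <disabled>no</disabled>
  </active-response>

  <!-- Command definition: firewall-drop.sh needs a source IP in the alert
       (expect srcip), so it only fires on alerts that carry one, such as
       remote sshd failures. A local "su" failure has no srcip and will not
       trigger it. timeout_allowed lets the block be lifted automatically. -->
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- Trigger: run firewall-drop on the agent that raised the alert,
       for any alert of level 7 or higher, and unblock after 600 seconds.
       The level is a constructed threshold; a <rules_id> list of the
       specific authentication-failure rules is the other accepted form. -->
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <level>7</level>
    <timeout>600</timeout>
  </active-response>

</ossec_config>
```

The part missing from the posted configuration is the trigger: an active-response block without a level or rules_id condition never has a reason to fire. The white_list entry is the concrete form of the "exclude your own IP" hint, and the timeout keeps a mistaken block from becoming a permanent lockout.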