I had a rule in my config for level 6. I also tried to add a rules_id. No luck.

I'm not trying to disable the root account. I'm trying to disable the
account of the attacker. Let's say the user "Mickey" tries to su to
root. If that user types the correct password they will get in. If
they type the wrong password they should be kicked off.

I'm assuming the disable-account command does this. I haven't been
able to get it working though.

On Sep 19, 2011, at 8:42 AM, Steven Stern
<subscribed-li...@sterndata.com> wrote:

> Disabling root seems like a nice path to a DoS.  You'd probably do
> better to use a rule to block the offending IP rather than killing
> root's account.  (Hint from hard personal experience: Exclude your own
> IP from the rule.)
>
>
> On 09/19/2011 10:56 AM, dan (ddp) wrote:
>>
>> On Sep 19, 2011 11:53 AM, "Damien Hull" <dh...@section9.us
>> <mailto:dh...@section9.us>> wrote:
>>>
>>> Here's my configuration for disable-account. It doesn't work. I'm not
>>> sure I understand how it works. I was hoping a user would get kicked off
>>> the system after too many failed login attempts. I tried to "su" to root
>>> and type in the wrong password. I get an email from OSSEC but that's it.
>>> The user is not kicked off the system.
>>>
>>> <active-response>
>>>   <command>disable-account</command>
>>>   <location>local</location>
>>>   <timeout>600</timeout>
>>> </active-response>
>>>
>>
>> It doesn't look like you list when the AR should fire. Certain sid?
>> Certain level?
>> Also, I'm not sure the user will be kicked off. The account will be
>> disabled, but beyond that I'm not sure (I don't use that script).
>>
>>> On Sep 18, 2011, at 5:42 PM, "dan (ddp)" <ddp...@gmail.com
>>> <mailto:ddp...@gmail.com>> wrote:
>>>
>>>> Why not share your configuration so we can try to help?
>>>>
>>>> On Sep 18, 2011 9:40 PM, "Damien Hull" <dh...@section9.us
>>>> <mailto:dh...@section9.us>> wrote:
>>>>> I just reinstalled OSSEC and configured "disable-account". No luck. It
>>>>> doesn't work.
>>>>>
>>>>> Are there any instructions for this?
>>>>>
>>>>> Sent from my iPhone
>>>>>
>>>>> On Sep 18, 2011, at 2:09 PM, Eero Volotinen <eero.voloti...@iki.fi
>>>>> <mailto:eero.voloti...@iki.fi>> wrote:
>>>>>
>>>>>> 2011/9/19 Damien Hull <dh...@section9.us <mailto:dh...@section9.us>>:
>>>>>>> I just installed OSSEC version 2.6 on ubuntu 10.04. I tried to
>>>>>>> configure OSSEC to disable a user account with no luck.
>>>>>>>
>>>>>>> I tested it by typing the wrong password into "su". I get an email but
>>>>>>> the account is still active.
>>>>>>>
>>>>>>> How do I disable user accounts with OSSEC?
>>>>>>>
>>>>>>
>>>>>> is active response enabled?
>>>>>>
>>>>>> --
>>>>>> Eero
>>
>
>
> --
> -- Steve
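The point dan raises (the posted `<active-response>` block names no trigger) and Eero's question (is active response enabled at all) can be seen side by side in a corrected configuration. This is an added example, not the configuration posted in the thread: the `<command>` definition follows the shape of OSSEC's stock disable-account entry, and rule ids 5301/5302 are assumed to be OSSEC's stock "failed su" rules, to be checked against the installed rules/syslog_rules.xml.

```xml
<ossec_config>
  <!-- Added example, not the config from the thread. Command definition:
       "user" tells ossec-execd to hand the alert's user field to the
       script; timeout_allowed lets the 600 s timeout below undo the lock. -->
  <command>
    <name>disable-account</name>
    <executable>disable-account.sh</executable>
    <expect>user</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- As posted in the thread: no <level>, <rules_id> or <rules_group>,
       so there is no alert this response is attached to and it never fires. -->
  <!--
  <active-response>
    <command>disable-account</command>
    <location>local</location>
    <timeout>600</timeout>
  </active-response>
  -->

  <!-- Corrected: a trigger is named, and active response is explicitly
       enabled. 5301/5302 are assumed to be the stock su-failure rules;
       verify the ids in your syslog_rules.xml before relying on them. -->
  <active-response>
    <disabled>no</disabled>
    <command>disable-account</command>
    <location>local</location>
    <rules_id>5301,5302</rules_id>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

Two caveats a defender would check before deploying this: the user the script receives is whatever the decoder put in the alert's user field, and for a failed su that is, in my reading of OSSEC's su decoder, the target account rather than the caller, which is exactly the root-lockout DoS Steven warns about; and locking an account's password does not end a session that is already open, so the "kicked off" behaviour Damien expects is not what an account lock provides.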
