Thanks, Dan. Is anything else required other than to add the directives to ossec.conf on the agaent?
Dimitri On Friday 30 December 2011 8:48:15 am dan (ddp) wrote: > It belongs on the system that does the AR, most likely the > agent. > > On Dec 30, 2011 8:42 AM, "Dimitri Yioulos" <dyiou...@onpointfc.com> wrote: > > On Thursday 29 December 2011 5:35:44 pm Rainer wrote: > > > > >> Does the repeated offenders option get recognized? > > > > >> (you should see messages about it in ossec.log) > > > > > > > > > > No, nothing about repeated offenders in ossec.log > > > > > > > > Then it didn't get picked up when you restarted the ossec > > > > processes. > > > > > > > > You should see something like this (from another thread): > > > > "ossec-execd: INFO: Adding offenders timeout: 30 (for > > > > #1)" > > > > > > hm, nothing. I'll try to play around with the place of the > > > statement like you suggested below. > > > > > > > The first time an IP is blocked it should be blocked for > > > > the default timeout period (you have 900 set). After this > > > > time period the IP will be unblocked. The next time it is > > > > blocked it will be blocked for the first repeated > > > > offenders timeout (30 minutes in your example). > > > > > > So the "next time" is "whenever an attack comes from this > > > IP again"? My understanding of you is that there is no > > > timeout. If the next attack from that IP would be in 4 > > > weeks, repeated offenders would be triggered. right? > > > > > > > I don't know if the order matters in this case, but you > > > > could try moving the repeated_offenders configuration to > > > > after the default timeout. > > > > I'm now jumping into this thread because I realize that > > "repeat offenders" isn't working for me either. I see the > > pertinent directives for "repeat offenders" in ossec.conf on > > the ossec server, but not on the box where the offense is > > taking place. Does the directive belong there? > > > > Thanks. > > > > Dimitri > > > > -- > > This message has been scanned for viruses and > > dangerous content by MailScanner, and is > > believed to be clean. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
