Thanks much, and to you and all have a very happy new year!

On Friday 30 December 2011 4:49:51 pm dan (ddp) wrote:
> On Fri, Dec 30, 2011 at 12:54 PM, Dimitri Yioulos <dyiou...@onpointfc.com> wrote:
> > Thanks, Dan.  Is anything else required other than to add the
> > directives to ossec.conf on the agent?
> >
> > Dimitri
>
> Not that I'm aware of, but I don't do much with
> repeated_offenders.
>
> > On Friday 30 December 2011 8:48:15 am dan (ddp) wrote:
> >> It belongs on the system that does the AR, most likely the
> >> agent.
> >>
> >> On Dec 30, 2011 8:42 AM, "Dimitri Yioulos" <dyiou...@onpointfc.com> wrote:
> >> > On Thursday 29 December 2011 5:35:44 pm Rainer wrote:
> >> > > > >> Does the repeated offenders option get recognized?
> >> > > > >> (you should see messages about it in ossec.log)
> >> > > > >
> >> > > > > No, nothing about repeated offenders in ossec.log
> >> > > >
> >> > > > Then it didn't get picked up when you restarted the
> >> > > > ossec processes.
> >> > > >
> >> > > > You should see something like this (from another
> >> > > > thread): "ossec-execd: INFO: Adding offenders timeout:
> >> > > > 30 (for #1)"
> >> > >
> >> > > hm, nothing. I'll try to play around with the place of
> >> > > the statement like you suggested below.
> >> > >
> >> > > > The first time an IP is blocked it should be blocked
> >> > > > for the default timeout period (you have 900 set).
> >> > > > After this time period the IP will be unblocked. The
> >> > > > next time it is blocked it will be blocked for the
> >> > > > first repeated offenders timeout (30 minutes in your
> >> > > > example).
> >> > >
> >> > > So the "next time" is "whenever an attack comes from
> >> > > this IP again"? My understanding of you is that there is
> >> > > no timeout. If the next attack from that IP would be in
> >> > > 4 weeks, repeated offenders would be triggered. right?
> >> > >
> >> > > > I don't know if the order matters in this case, but
> >> > > > you could try moving the repeated_offenders
> >> > > > configuration to after the default timeout.
> >> >
> >> > I'm now jumping into this thread because I realize that
> >> > "repeat offenders" isn't working for me either.  I see the
> >> > pertinent directives for "repeat offenders" in ossec.conf
> >> > on the ossec server, but not on the box where the offense
> >> > is taking place. Does the directive belong there?
> >> >
> >> > Thanks.
> >> >
> >> > Dimitri
> >> >
> >> > --
> >> > This message has been scanned for viruses and
> >> > dangerous content by MailScanner, and is
> >> > believed to be clean.



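The check suggested in the thread (look for the "Adding offenders timeout" messages from ossec-execd on the machine that runs the active response), as an added example that is not part of the original messages. It assumes the default timeout is given in seconds and the repeated_offenders values in minutes; the function names and sample log lines are constructed for illustration.

```python
import re

# Message format quoted in the thread:
#   ossec-execd: INFO: Adding offenders timeout: 30 (for #1)
OFFENDER_RE = re.compile(
    r"ossec-execd: INFO: Adding offenders timeout: (\d+) \(for #(\d+)\)")

def offender_timeouts(log_lines):
    """Return {level: minutes} registered by the most recent execd start."""
    levels = {}
    for line in log_lines:
        m = OFFENDER_RE.search(line)
        if not m:
            continue
        minutes, level = int(m.group(1)), int(m.group(2))
        if level == 1:
            levels = {}  # a new "#1" line means execd was restarted
        levels[level] = minutes
    return levels

def block_schedule(default_timeout_s, log_lines):
    """Block durations in seconds: the default timeout first, then one
    entry per repeated_offenders level. None if execd logged no levels."""
    levels = offender_timeouts(log_lines)
    if not levels:
        return None
    return [default_timeout_s] + [levels[k] * 60 for k in sorted(levels)]

# Constructed sample log lines (timestamps and the 60/120 values are made up).
SAMPLE_OK = [
    "2011/12/30 09:00:01 ossec-execd: INFO: Adding offenders timeout: 30 (for #1)",
    "2011/12/30 09:00:01 ossec-execd: INFO: Adding offenders timeout: 60 (for #2)",
    "2011/12/30 09:00:01 ossec-execd: INFO: Adding offenders timeout: 120 (for #3)",
]
SAMPLE_MISSING = ["2011/12/30 09:00:01 constructed line with no offenders message"]

if __name__ == "__main__":
    for name, lines in (("ok", SAMPLE_OK), ("missing", SAMPLE_MISSING)):
        sched = block_schedule(900, lines)
        if sched is None:
            print(name, "-> repeated_offenders not picked up by ossec-execd")
        else:
            print(name, "-> block durations (s):", sched)
```

Feed it the lines of ossec.log from the agent after restarting the OSSEC processes; a `None` result matches the "nothing about repeated offenders in ossec.log" situation described in the thread.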