Here are the alerts I get from ossec, so I know it sees the attacks and the 
level is 10 so it should be taking action. I have the active-response set for 
anything over level 8 I think:

Rule: 40111 fired (level 10) -> "Multiple authentication failures."
Portion of the log(s):

Feb  1 06:39:33 server1 ipop3d[33069]: Login failed user=info auth=info host=[12.36.252.93]
Feb  1 06:39:30 server1 ipop3d[33068]: Login failed user=info auth=info host=[12.36.252.93]
Feb  1 06:39:27 server1 ipop3d[33067]: Login failed user=info auth=info host=[12.36.252.93]
Feb  1 06:39:20 server1 ipop3d[33065]: Login failed user=info auth=info host=[12.36.252.93]
Feb  1 06:39:17 server1 ipop3d[33064]: Login failed user=info auth=info host=[12.36.252.93]
Feb  1 06:39:14 server1 ipop3d[33063]: Login failed user=info auth=info host=[12.36.252.93]

Rule: 5712 fired (level 10) -> "SSHD brute force trying to get access to the system."
Portion of the log(s):

Feb  1 02:57:18 server1 sshd[21791]: Invalid user mbrown from 222.87.204.13
Feb  1 02:56:40 server1 sshd[21720]: Invalid user f1astra from 222.87.204.13
Feb  1 02:56:34 server1 sshd[21703]: Invalid user dan from 222.87.204.13
Feb  1 02:56:04 server1 sshd[21668]: Invalid user janab from 222.87.204.13
Feb  1 02:55:58 server1 sshd[21633]: Invalid user r00t from 222.87.204.13

The sshd brute force one sometimes results in the host-deny and firewall-drop 
active response rules firing and the active-response works fine. Maybe I need 
to adjust the frequency or timing for these rules somehow?

Thanks for any help you can give.
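Added example, not part of the post and not OSSEC's own code: a small Python model of the path the poster is describing, from raw log line through a composite "N failures from one source IP within T seconds" rule to the active-response gate. It takes the eleven log lines quoted above as its sample input, so it shows where a frequency or timeframe change starts or stops an alert, and it also checks the one thing the level threshold alone does not cover: host-deny and firewall-drop are declared in ossec.conf with `<expect>srcip</expect>`, so they can only act on an alert whose decoder produced a source IP. The rule ids, levels and descriptions are the ones in the alerts above; the decoder regexes, the frequency/timeframe values and the assumed year for the timestamps are illustrative assumptions, not OSSEC's decoder.xml or rule files.

```python
"""Toy model of OSSEC's path from a log line to an active response.

Added example, not OSSEC's own code. Rule ids, levels and descriptions come
from the alerts in the post; the decoder regexes and the frequency/timeframe
values are illustrative assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

YEAR = 2008  # assumed: syslog lines carry no year; used only so timestamps compare

# Constructed sample input: the log lines quoted in the post, one per line.
# The ipop3d block is printed newest-first in the post; the code sorts by time.
SAMPLE_LOGS = """\
Feb  1 06:39:33 server1 ipop3d[33069]: Login failed user=info auth=info host=[12.36.252.93]
Feb  1 06:39:30 server1 ipop3d[33068]: Login failed user=info auth=info host=[12.36.252.93]
Feb  1 06:39:27 server1 ipop3d[33067]: Login failed user=info auth=info host=[12.36.252.93]
Feb  1 06:39:20 server1 ipop3d[33065]: Login failed user=info auth=info host=[12.36.252.93]
Feb  1 06:39:17 server1 ipop3d[33064]: Login failed user=info auth=info host=[12.36.252.93]
Feb  1 06:39:14 server1 ipop3d[33063]: Login failed user=info auth=info host=[12.36.252.93]
Feb  1 02:57:18 server1 sshd[21791]: Invalid user mbrown from 222.87.204.13
Feb  1 02:56:40 server1 sshd[21720]: Invalid user f1astra from 222.87.204.13
Feb  1 02:56:34 server1 sshd[21703]: Invalid user dan from 222.87.204.13
Feb  1 02:56:04 server1 sshd[21668]: Invalid user janab from 222.87.204.13
Feb  1 02:55:58 server1 sshd[21633]: Invalid user r00t from 222.87.204.13
""".splitlines()

# One regex per "decoder". Illustrative, not OSSEC's decoder.xml; what matters
# is whether a decoder yields a srcip field for the response command to use.
DECODERS = {
    "ipop3d": re.compile(
        r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ ipop3d\[\d+\]: Login failed "
        r"user=(?P<user>\S+) auth=\S+ host=\[(?P<srcip>[\d.]+)\]$"),
    "sshd": re.compile(
        r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Invalid user "
        r"(?P<user>\S+) from (?P<srcip>[\d.]+)$"),
}

# Composite rules: id, level and description are the ones in the post's alerts;
# frequency and timeframe are illustrative, not the values in OSSEC's rule files.
COMPOSITE_RULES = [
    dict(id=5712, level=10, program="sshd", frequency=5, timeframe=120,
         description="SSHD brute force trying to get access to the system."),
    dict(id=40111, level=10, program=None, frequency=6, timeframe=240,
         description="Multiple authentication failures."),
]

# Active-response gate as the post describes it (level 8 and up). host-deny and
# firewall-drop are declared with <expect>srcip</expect> in ossec.conf, so the
# gate also needs a decoded source IP; <rules_id> can restrict it further.
AR_LEVEL = 8
AR_RULES_ID = None  # e.g. {5712, 40111} to mimic <rules_id>


def decode(line):
    """Return the decoded fields of one log line, or None if no decoder matches."""
    for program, rx in DECODERS.items():
        m = rx.match(line)
        if m:
            ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
            return dict(program=program, ts=ts, user=m["user"],
                        srcip=m.groupdict().get("srcip"))
    return None


def correlate(lines, rules=COMPOSITE_RULES):
    """Fire a composite rule when `frequency` decoded events from the same
    source IP fall within `timeframe` seconds (sliding window, simplified)."""
    events = sorted((e for e in map(decode, lines) if e), key=lambda e: e["ts"])
    windows = defaultdict(deque)  # (rule id, srcip) -> timestamps still in window
    alerts = []
    for ev in events:
        for rule in rules:
            if rule["program"] not in (None, ev["program"]):
                continue
            win = windows[(rule["id"], ev["srcip"])]
            win.append(ev["ts"])
            while (ev["ts"] - win[0]).total_seconds() > rule["timeframe"]:
                win.popleft()  # drop events that fell out of the timeframe
            if len(win) >= rule["frequency"]:
                alerts.append(dict(rule=rule["id"], level=rule["level"],
                                   srcip=ev["srcip"], count=len(win),
                                   description=rule["description"]))
                win.clear()  # re-arm: one burst produces one alert
    return alerts


def active_response(alert, level=AR_LEVEL, rules_id=AR_RULES_ID):
    """Return (fires, reason) for the active-response gate applied to one alert."""
    if alert["level"] < level:
        return False, f"level {alert['level']} is below the <level> threshold {level}"
    if rules_id is not None and alert["rule"] not in rules_id:
        return False, f"rule {alert['rule']} is not listed in <rules_id>"
    if not alert["srcip"]:
        return False, "command expects srcip but the decoder produced none"
    return True, f"host-deny/firewall-drop would run against {alert['srcip']}"


def run(lines, rules=COMPOSITE_RULES, level=AR_LEVEL, rules_id=AR_RULES_ID):
    """Decode, correlate and gate; each returned alert carries its response decision."""
    alerts = correlate(lines, rules)
    for alert in alerts:
        alert["response"] = active_response(alert, level, rules_id)
    return alerts


if __name__ == "__main__":
    for a in run(SAMPLE_LOGS):
        print(f"rule {a['rule']} (level {a['level']}) {a['srcip']} x{a['count']}: "
              f"{a['description']} -> {a['response'][1]}")
```

With the sample lines both rules fire once and both alerts pass the gate. Shrinking rule 5712's timeframe to 60 seconds is enough to make the sshd burst (80 seconds end to end) fall below the window, which is the kind of effect a frequency or timeframe change has; the srcip check is the separate condition to verify when an alert reaches the threshold level but the response command still does nothing.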
