Anyone have any ideas on this?

> All,
> 
> Back at the end of last year, I asked about using the repeated-offenders
> feature in OH.  I added the following directives to ossec.conf on the host
> that I want this to work in:
>
>   <command>
>     <name>host-deny</name>
>     <executable>host-deny.sh</executable>
>     <expect>srcip</expect>
>     <timeout_allowed>yes</timeout_allowed>
>   </command>
> 
>   <active-response>
>     <!-- This response is going to execute the host-deny
>        - command for every event that fires a rule with
>        - level (severity) >= 6.
>        - The IP is going to be blocked for  600 seconds.
>       -->
>     <command>host-deny</command>
>     <location>local</location>
>     <level>6</level>
>     <timeout>600</timeout>
>   </active-response>
> 
> Despite that, it's not working.  Ossec reports the following:
> 
> OSSEC HIDS Notification.
> 2012 Mar 07 09:08:16
> 
> Received From: (plymouth) 192.168.1.2->/var/log/messages
> Rule: 40111 fired (level 10) -> "Multiple authentication failures."
> Portion of the log(s):
> 
> Mar  7 09:07:44 plymouth ipop3d[29926]: Login failed user=hod auth=hod 
> host=201-93-132-240.dsl.telesp.net.br [201.93.132.240]
> ...
> 
> However, rather than OH invoking repeated-offenders, and blocking the
> offender for 600 seconds, I continue to see the offender make attempts on
> the host.
> 
> What am I missing here?
> 
> Thanks.
> 
> Dimitri
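One check worth making before anything else is whether host-deny ran at all. Every active-response script shipped with OSSEC appends a line of the form `<date> <script> <action> <user> <srcip> <alert-id> <rule-id>` to /var/ossec/logs/active-responses.log; pairing each `add` with its later `delete` for the same IP gives the block duration actually applied, which is what to compare against `<timeout>600</timeout>`. The script below is an added example, not code from the thread or from OSSEC; the log lines in it are constructed sample data, not from the poster's host.

```python
"""Confirm from active-responses.log whether OSSEC's host-deny response ran."""
from datetime import datetime

# Constructed sample log: one add/delete pair for the reported offender,
# one unrelated IP whose block is still open (no delete yet).
SAMPLE_LOG = """\
Wed Mar  7 09:08:16 GMT 2012 /var/ossec/active-response/bin/host-deny.sh add - 201.93.132.240 1331111296.1234 40111
Wed Mar  7 09:10:02 GMT 2012 /var/ossec/active-response/bin/host-deny.sh add - 198.51.100.7 1331111402.5678 5712
Wed Mar  7 09:18:16 GMT 2012 /var/ossec/active-response/bin/host-deny.sh delete - 201.93.132.240 1331111296.1234 40111
"""


def parse_entry(line):
    """Split one log line; the first six whitespace fields are `date` output."""
    f = line.split()
    if len(f) < 12:
        raise ValueError("not an active-responses.log line: %r" % line)
    when = datetime.strptime(" ".join(f[:6]), "%a %b %d %H:%M:%S %Z %Y")
    return {"when": when, "script": f[6], "action": f[7],
            "srcip": f[9], "rule": f[11]}


def block_history(log_text, srcip):
    """Return [(add_time, seconds_blocked)] for srcip.

    seconds_blocked is None when the 'add' has no matching 'delete' yet,
    i.e. the IP is still blocked or the timeout never ran.
    """
    history, open_add = [], None
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_entry(line)
        if e["srcip"] != srcip:
            continue
        if e["action"] == "add":
            open_add = e["when"]
            history.append([open_add, None])
        elif e["action"] == "delete" and open_add is not None:
            history[-1][1] = int((e["when"] - open_add).total_seconds())
            open_add = None
    return [tuple(h) for h in history]


def response_fired(log_text, srcip):
    """True if host-deny ever added a rule for srcip. False means the response
    never executed, so the cause is before the script (rule level, agent
    versus server side), not in host-deny.sh itself."""
    return bool(block_history(log_text, srcip))
```

Run it against the real file with `block_history(open("/var/ossec/logs/active-responses.log").read(), "201.93.132.240")`; an empty result for the offender means the response never fired, while a duration that is not 600 points at the timeout handling.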
