Hello,

We want to firewall-drop failed SSH logins after 3 failed passwords. We have the following config in /var/ossec/etc/ossec.conf (OSSEC 2.6) for the commands and active responses:

  <command>
    <name>host-deny</name>
    <executable>host-deny.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>disable-account</name>
    <executable>disable-account.sh</executable>
    <expect>user</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>restart-ossec</name>
    <executable>restart-ossec.sh</executable>
    <expect></expect>
  </command>

  <active-response>
    <command>restart-ossec</command>
    <location>local</location>
    <rules_id>510010</rules_id>
  </active-response>

  <active-response>
    <disabled>no</disabled>
    <command>host-deny</command>
    <location>local</location>
    <rules_id>2502,5720</rules_id>
    <timeout>1800</timeout>
  </active-response>

  <active-response>
    <disabled>no</disabled>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>2502,5720</rules_id>
    <timeout>1800</timeout>
  </active-response>

5720 is using 5716 in sshd_rules.xml for multiple failed logins (frequency is 6). I restarted the ossec-hids on the manager and tried logging in with a known and an unknown account, and in both scenarios the srcip is not being blocked after 6 times within 30 seconds. Am I missing something? We did see that active response is working with 5716 added to the rules list, but that means that after one failed login people are being blocked (think about typo scenarios). What am I missing to get active response working for SSH after 6 failed logins per 5 minutes?

Michiel
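To make the difference between the single-failure rule (5716) and the composite rule built on it (5720) concrete, here is an added Python model of a frequency/timeframe correlation run over constructed sshd log lines; it is not OSSEC code and not from the post above, and it simplifies OSSEC's counter by resetting an address's window after the composite rule fires.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample sshd syslog lines (not from the post): 203.0.113.5 fails
# six times within 30 s, 198.51.100.9 fails six times spread over 5 minutes,
# and one "Accepted password" line must not count as a failure.
SAMPLE_LOG = """\
Jan 10 10:00:01 host sshd[101]: Failed password for invalid user bob from 203.0.113.5 port 4001 ssh2
Jan 10 10:00:04 host sshd[102]: Failed password for root from 203.0.113.5 port 4002 ssh2
Jan 10 10:00:09 host sshd[103]: Failed password for invalid user admin from 203.0.113.5 port 4003 ssh2
Jan 10 10:00:15 host sshd[104]: Failed password for root from 203.0.113.5 port 4004 ssh2
Jan 10 10:00:20 host sshd[105]: Accepted password for alice from 198.51.100.9 port 5000 ssh2
Jan 10 10:00:22 host sshd[106]: Failed password for root from 203.0.113.5 port 4005 ssh2
Jan 10 10:00:28 host sshd[107]: Failed password for root from 203.0.113.5 port 4006 ssh2
Jan 10 10:01:00 host sshd[108]: Failed password for alice from 198.51.100.9 port 5001 ssh2
Jan 10 10:02:00 host sshd[109]: Failed password for alice from 198.51.100.9 port 5002 ssh2
Jan 10 10:03:00 host sshd[110]: Failed password for alice from 198.51.100.9 port 5003 ssh2
Jan 10 10:04:00 host sshd[111]: Failed password for alice from 198.51.100.9 port 5004 ssh2
Jan 10 10:05:00 host sshd[112]: Failed password for alice from 198.51.100.9 port 5005 ssh2
Jan 10 10:06:00 host sshd[113]: Failed password for alice from 198.51.100.9 port 5006 ssh2
"""

# The sshd line shape that the single failed-password rule (5716) keys on.
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port")
EPOCH = datetime(2024, 1, 1)  # fixed reference year; syslog lines carry none

def parse_failures(log):
    """Yield (seconds, srcip) for every failed-password line, i.e. each 5716 match."""
    for line in log.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue
        ts = (datetime.strptime("2024 " + line[:15], "%Y %b %d %H:%M:%S") - EPOCH).total_seconds()
        yield ts, m.group(1)

def correlate(log, frequency, timeframe):
    """Model a composite rule like 5720: fire when `frequency` 5716 matches from the
    same srcip fall within `timeframe` seconds. Returns [(srcip, seconds)] per fire.
    Assumption: the srcip's window is cleared after a fire (one response per burst)."""
    windows = defaultdict(deque)
    fires = []
    for ts, ip in parse_failures(log):
        w = windows[ip]
        w.append(ts)
        while w and ts - w[0] > timeframe:  # drop failures older than the timeframe
            w.popleft()
        if len(w) >= frequency:
            fires.append((ip, ts))
            w.clear()
    return fires
```

Running `correlate(SAMPLE_LOG, 6, 120)` fires only for 203.0.113.5, while `correlate(SAMPLE_LOG, 6, 300)` also fires for the address whose six failures are spread over five minutes, which is the knob that separates "6 per 30 seconds" from "6 per 5 minutes".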