Hello,
We want to firewall-drop failed logins with SSH after 3 failed passwords.
We have the following config in /var/ossec/etc/ossec.conf (OSSEC 2.6) for
the commands and active responses:
  <command>
    <name>host-deny</name>
    <executable>host-deny.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <command>
    <name>disable-account</name>
    <executable>disable-account.sh</executable>
    <expect>user</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <command>
    <name>restart-ossec</name>
    <executable>restart-ossec.sh</executable>
    <expect></expect>
  </command>
  <active-response>
    <command>restart-ossec</command>
    <location>local</location>
    <rules_id>510010</rules_id>
  </active-response>
  <active-response>
    <disabled>no</disabled>
    <command>host-deny</command>
    <location>local</location>
    <rules_id>2502,5720</rules_id>
    <timeout>1800</timeout>
  </active-response>
  <active-response>
    <disabled>no</disabled>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>2502,5720</rules_id>
    <timeout>1800</timeout>
  </active-response>
5720 is using 5716 in sshd_rules.xml for multiple failed logins (frequency
is 6).
I restarted ossec-hids on the manager and tried logging in with a known
and an unknown account; in both scenarios the srcip is not being blocked
after 6 attempts within 30 seconds.
Am I missing something?
We did see that active response is working with 5716 added to the rules
list, but that means that after one failed login people are being blocked
(think about typo scenarios).
What am I missing to get active response working for SSH after 6 failed
logins per 5 minutes?
Michiel
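The following is an added example, not part of the original post and not OSSEC code: a small Python replay of the correlation the post relies on (rule 5716 for each "Failed password" line, rule 5720 once a source IP produces `frequency` such events within `timeframe`), run over constructed sshd log lines. The frequency of 6 is from the post; the 120-second timeframe, the reset of the window after 5720 fires, and the argv layout handed to the AR script (`action user srcip`, as the stock firewall-drop.sh/host-deny.sh read `$1 $2 $3`) are assumptions to verify against your own sshd_rules.xml and scripts. It also shows how many times the AR command would be invoked when `<rules_id>` contains only 5720 versus both 5716 and 5720, which is the "one typo and you are blocked" effect described above.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Rule ids are from the post. frequency=6 is from the post; timeframe=120 s
# is an assumption (believed to be the stock value for 5720, check your copy).
BASE_RULE = 5716        # one "Failed password" event
COMPOSITE_RULE = 5720   # fires after FREQUENCY base events from one srcip
FREQUENCY = 6
TIMEFRAME = 120

# Constructed sample log lines (not from the original post).
# 192.0.2.10 fails 7 times in 25 s, 198.51.100.7 makes one typo,
# 203.0.113.5 fails 6 times but spread over more than the timeframe.
SAMPLE_LOG = """\
Jan  5 10:00:01 bastion sshd[2101]: Failed password for michiel from 192.0.2.10 port 50001 ssh2
Jan  5 10:00:02 bastion sshd[2102]: Failed password for alice from 198.51.100.7 port 50101 ssh2
Jan  5 10:00:05 bastion sshd[2103]: Failed password for michiel from 192.0.2.10 port 50002 ssh2
Jan  5 10:00:09 bastion sshd[2104]: Failed password for root from 192.0.2.10 port 50003 ssh2
Jan  5 10:00:13 bastion sshd[2105]: Failed password for michiel from 192.0.2.10 port 50004 ssh2
Jan  5 10:00:17 bastion sshd[2106]: Failed password for root from 192.0.2.10 port 50005 ssh2
Jan  5 10:00:21 bastion sshd[2107]: Failed password for michiel from 192.0.2.10 port 50006 ssh2
Jan  5 10:00:25 bastion sshd[2108]: Failed password for michiel from 192.0.2.10 port 50007 ssh2
Jan  5 10:00:30 bastion sshd[2109]: Accepted password for alice from 198.51.100.7 port 50102 ssh2
Jan  5 10:01:00 bastion sshd[2110]: Failed password for bob from 203.0.113.5 port 50201 ssh2
Jan  5 10:01:10 bastion sshd[2111]: Failed password for bob from 203.0.113.5 port 50202 ssh2
Jan  5 10:01:20 bastion sshd[2112]: Failed password for bob from 203.0.113.5 port 50203 ssh2
Jan  5 10:05:00 bastion sshd[2113]: Failed password for bob from 203.0.113.5 port 50204 ssh2
Jan  5 10:05:10 bastion sshd[2114]: Failed password for bob from 203.0.113.5 port 50205 ssh2
Jan  5 10:05:20 bastion sshd[2115]: Failed password for bob from 203.0.113.5 port 50206 ssh2
"""

# Only "Failed password for <existing user>" is treated as 5716 here;
# non-existent-user attempts go through other sshd rules in OSSEC.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?!invalid user )(?P<user>\S+) from (?P<srcip>[0-9.]+) port \d+"
)


def parse_ts(text):
    # syslog timestamps carry no year; the default year is fine for differences
    return datetime.strptime(" ".join(text.split()), "%b %d %H:%M:%S")


def correlate(log_text, frequency=FREQUENCY, timeframe=TIMEFRAME):
    """Replay log lines through a simplified OSSEC frequency correlation.

    Returns (base_events, alerts): base_events lists (ts, srcip, user) for
    every 5716 match, alerts lists (ts, srcip) for every 5720 firing."""
    window = defaultdict(deque)   # srcip -> timestamps of recent 5716 events
    base_events, alerts = [], []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue                                  # not a 5716 event
        ts, srcip, user = parse_ts(m["ts"]), m["srcip"], m["user"]
        base_events.append((ts, srcip, user))
        q = window[srcip]                             # same_source_ip: one window per srcip
        while q and (ts - q[0]).total_seconds() > timeframe:
            q.popleft()                               # expire events outside the timeframe
        q.append(ts)
        if len(q) >= frequency:
            alerts.append((ts, srcip))
            q.clear()   # assumption: new window after firing, so one AR call per burst
    return base_events, alerts


def active_response_argv(script, srcip, user="-", action="add"):
    """argv as the stock AR scripts read it: $1 action, $2 user, $3 srcip."""
    return [script, action, user, srcip]


def ar_triggers(log_text, rules_id):
    """(ts, srcip) pairs handed to the AR command for a given <rules_id> set."""
    base_events, alerts = correlate(log_text)
    out = []
    if BASE_RULE in rules_id:
        out += [(ts, srcip) for ts, srcip, _ in base_events]
    if COMPOSITE_RULE in rules_id:
        out += alerts
    return sorted(out)


if __name__ == "__main__":
    for rules in ({5720}, {5716, 5720}):
        hits = ar_triggers(SAMPLE_LOG, rules)
        print(f"rules_id={sorted(rules)}: {len(hits)} AR invocation(s)")
        for ts, srcip in hits:
            print("  ", ts.strftime("%H:%M:%S"), " ".join(active_response_argv("firewall-drop.sh", srcip)))
```

With `rules_id` of only 5720, the sample yields a single invocation, `firewall-drop.sh add - 192.0.2.10` at the sixth failure; the slow source 203.0.113.5 never reaches six within the window and alice's single typo is never blocked. Adding 5716 to `rules_id` turns every failed password into an invocation, which is the behaviour the post wants to avoid.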