On Mon, Jan 14, 2013 at 8:51 AM, Michiel van Es <vanesmich...@gmail.com> wrote:
> Hello,
>
> We want to firewall-drop failed logins with SSH after 3 failed passwords.
> We have the following config in /var/ossec/etc/ossec.conf (OSSEC 2.6) for
> the commands and active responses:
>
>
> <command>
> <name>host-deny</name>
> <executable>host-deny.sh</executable>
> <expect>srcip</expect>
> <timeout_allowed>yes</timeout_allowed>
> </command>
>
> <command>
> <name>firewall-drop</name>
> <executable>firewall-drop.sh</executable>
> <expect>srcip</expect>
> <timeout_allowed>yes</timeout_allowed>
> </command>
>
> <command>
> <name>disable-account</name>
> <executable>disable-account.sh</executable>
> <expect>user</expect>
> <timeout_allowed>yes</timeout_allowed>
> </command>
>
> <command>
> <name>restart-ossec</name>
> <executable>restart-ossec.sh</executable>
> <expect></expect>
> </command>
>
> <active-response>
> <command>restart-ossec</command>
> <location>local</location>
> <rules_id>510010</rules_id>
> </active-response>
>
> <active-response>
> <disabled>no</disabled>
> <command>host-deny</command>
> <location>local</location>
> <rules_id>2502,5720</rules_id>
> <timeout>1800</timeout>
> </active-response>
>
> <active-response>
> <disabled>no</disabled>
> <command>firewall-drop</command>
> <location>local</location>
> <rules_id>2502,5720</rules_id>
> <timeout>1800</timeout>
> </active-response>
>
> 5720 is using 5716 in sshd_rules.xml for multiple failed logins (frequency
> is 6).
> I restarted the ossec-hids on the manager and tried logging in with a known
> and unknown account and with both scenarios the srcip is not being blocked
> after 6 times within 30 seconds.
>
> Am I missing something?
frequency=6 means 8 attempts.

> We did see that active response is working with 5716 added to the rules list
> but that means that after one failed login people are being blocked (think
> about typo scenarios).
>
> What am I missing to get active response working for SSH after 6 failed
> logins per 5 minutes?
>
> Michiel
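To make the two behaviours discussed in this thread concrete, here is an added model (not OSSEC's own code) of how a frequency rule such as 5720 escalates the per-event rule 5716, and how the <rules_id> list of an <active-response> decides which alerts run firewall-drop. It encodes the +2 behaviour the reply refers to (OSSEC documents that a rule with frequency="N" fires on the (N+2)-th match inside its timeframe), and it shows why listing 5716 itself blocks on the very first failure. The timeframe of 120 seconds, the source address, the timestamps and the reset of the counter after firing are constructed assumptions for the model, not values taken from the thread or from sshd_rules.xml.

```python
from collections import defaultdict, deque

# Added example (not OSSEC code): a model of frequency-rule escalation and
# active-response selection by rule id.

BASE_RULE = 5716        # sshd authentication failure: one alert per event
COMPOSITE_RULE = 5720   # "multiple authentication failures": frequency rule
FREQUENCY = 6           # frequency="6" on rule 5720, as stated in the thread
TIMEFRAME = 120         # seconds; assumed window for this model


def events_to_fire(frequency):
    """OSSEC documents that a frequency rule fires on the (N + 2)-th match,
    which is why frequency=6 corresponds to 8 failed attempts."""
    return frequency + 2


class FrequencyTracker:
    """Tracks recent matches of the base rule per source IP and decides
    which rule id an event is reported under."""

    def __init__(self, frequency=FREQUENCY, timeframe=TIMEFRAME):
        self.threshold = events_to_fire(frequency)
        self.timeframe = timeframe
        self.recent = defaultdict(deque)  # srcip -> timestamps in window

    def observe(self, srcip, ts):
        q = self.recent[srcip]
        # Sliding window: drop matches older than the timeframe.
        while q and ts - q[0] > self.timeframe:
            q.popleft()
        q.append(ts)
        if len(q) >= self.threshold:
            q.clear()  # assumption: the counter restarts after firing
            return COMPOSITE_RULE
        return BASE_RULE


def responses_for(alert_rule, active_responses):
    """Names of <active-response> entries whose <rules_id> lists the rule."""
    return [name for name, ids in active_responses.items() if alert_rule in ids]


def simulate(timestamps, active_responses, srcip="198.51.100.7"):
    """Feed constructed failed-login timestamps (seconds) for one srcip and
    return the 1-based attempt number that first triggers firewall-drop,
    or None if it never triggers."""
    tracker = FrequencyTracker()
    for n, ts in enumerate(timestamps, start=1):
        rule = tracker.observe(srcip, ts)
        if "firewall-drop" in responses_for(rule, active_responses):
            return n
    return None


# <rules_id> as posted in the thread: only 2502 and 5720.
POSTED = {"host-deny": {2502, 5720}, "firewall-drop": {2502, 5720}}
# The variant the poster tried: the per-event rule 5716 added to the list.
WITH_5716 = {"host-deny": {2502, 5720, 5716},
             "firewall-drop": {2502, 5720, 5716}}

# Constructed input: ten failures 3 s apart, and ten failures 200 s apart
# (each gap wider than the assumed 120 s timeframe).
BURST = [i * 3 for i in range(10)]
SLOW = [i * 200 for i in range(10)]

if __name__ == "__main__":
    print(simulate(BURST, POSTED))     # 8: frequency=6 fires on the 8th
    print(simulate(SLOW, POSTED))      # None: never 8 inside one window
    print(simulate(BURST, WITH_5716))  # 1: any single failure blocks
```

The model reproduces both observations from the thread: with only 5720 in <rules_id> a source is blocked on its eighth failure within the window, not its sixth, and never if the failures are spread wider than the timeframe; adding 5716 makes every single failure an actionable alert. If the intent is a block after exactly six failures, the setting to tune is the frequency of the composite rule (in a local rule overriding 5720), not the <rules_id> list of the response.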