Not really OSSEC related, but what I've implemented on my server is PermitRootLogin no in the sshd config, and I'm using "Fail2Ban", which blocks all IPs from unsuccessful logins for a certain period of time. I'm sure this can be changed to permanent bans as well.
I can highly recommend Fail2Ban :)

On Wednesday, 29 July 2015 at 23:44:18 UTC+2, Ashley Drees wrote:
> Hi Brent.
>
> Plan was, if anyone logs in from anywhere as root, the source IP should be blocked permanently and possibly an email sent to the admins as we do not support root logins anywhere for any reason, so anyone trying to log into that account is up to no good, this we will repeat for all the usual suspect accounts, which we do not use for that reason.
>
> If someone logs in from anywhere as a legitimate user and fails to place the correct password then at the third fail then they are blocked for 600 seconds - if they do it again move into the <repeated_offenders>30,90,120,</repeated_offenders> place.
>
> As this is my first time with OSSEC, I was looking for <user>!user</user> kind of statement - but it seems to need trees of logic to make it work.
>
> On 29 July 2015 at 17:46, Brent Morris <[email protected]> wrote:
>> Ashley,
>>
>> Can you provide more details about what you're trying to accomplish? It appears that you'd like to use active-response with repeated_offenders - but I'm not quite sure.
>>
>> If the above is correct, then you'd want to set your active-response up to match the rules for the alerts you're receiving on invalid logons or <match>root</match>
>>
>> -Brent
>>
>> On Wednesday, July 29, 2015 at 9:06:41 AM UTC-7, Ashley Drees wrote:
>>> Ok, not so much ignore, I am looking for a way to ban permanently any IP that tries to log in as root, but have a short ban for anyone just forgetting the password, fail more than 3 times and they get an increasing delay.
>>>
>>> Ashley Drees
>>> 07956726775
>>>
>>> On 29 Jul 2015, at 13:31, Brent Morris <[email protected]> wrote:
>>>
>>> That won't work...
>>>
>>> I typically will overwrite an alert level if I want to ignore certain users.
>>>
>>> http://ossec-docs.readthedocs.org/en/latest/syntax/head_rules.html
>>>
>>> On Wednesday, July 29, 2015 at 3:09:43 AM UTC-7, Ashley Drees wrote:
>>>> can I use <user>!root</user> in a rule to NOT match user root?
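The two behaviours Ashley describes above (a permanent block for any SSH login attempt as root, and a 600-second block with the 30,90,120 repeated_offenders escalation after three failed passwords for other accounts) can be expressed with two local rules plus two active-response entries, following Brent's advice to match the active response on specific alerts rather than trying to negate the user field. The configuration below is an added example, not code from the thread or from the OSSEC project; it assumes OSSEC 2.8 or later, the stock sshd decoder and rules (rule 5716, "SSHD authentication failed", as the parent), that ids 100100 and 100101 are free in the local rule range, and that the default firewall-drop command (firewall-drop.sh, expecting srcip) is already defined in ossec.conf. It also relies on the documented behaviour that an active-response entry without a <timeout> is never undone, which is what gives the "permanent" block.

```xml
<!-- Part 1: rules/local_rules.xml (added example, not from the thread).
     Assumes OSSEC 2.8+, stock sshd rules (5716 = "SSHD authentication failed"),
     and free local ids 100100/100101. -->
<group name="local,syslog,sshd,">

  <!-- Any failed SSH login for root. Root logins are not permitted on these hosts,
       so this gets its own id and a level at or above the email alert level. -->
  <rule id="100100" level="10">
    <if_sid>5716</if_sid>
    <user>root</user>
    <description>SSH login attempt as root (root logins are not permitted).</description>
    <group>authentication_failed,</group>
  </rule>

  <!-- Third failed password for any other account from one source IP within
       120 seconds. Root failures are already re-classified as 100100, so they
       do not feed this counter. -->
  <rule id="100101" level="8" frequency="3" timeframe="120">
    <if_matched_sid>5716</if_matched_sid>
    <same_source_ip />
    <description>Three failed SSH logins from the same source.</description>
    <group>authentication_failures,</group>
  </rule>

</group>

<!-- Part 2: ossec.conf fragment (added example). Assumes the default
     "firewall-drop" <command> block is present. -->
<ossec_config>

  <!-- Root attempts: no <timeout>, so the firewall drop is never reverted. -->
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>100100</rules_id>
  </active-response>

  <!-- Ordinary password failures: 600 s block, then the escalating blocks
       for repeat offenders (repeated_offenders values are in minutes). -->
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>100101</rules_id>
    <timeout>600</timeout>
    <repeated_offenders>30,90,120</repeated_offenders>
  </active-response>

</ossec_config>
```

Rule 100100 at level 10 is above the default email alert level, so the admin notification Ashley wanted comes for free once email is enabled in ossec.conf. The same pattern extends to the "usual suspect" accounts by adding further rules with a different <user> value, or one rule with a regex such as admin|test|oracle, and listing their ids in the first <rules_id>. Before relying on it, run ossec-logtest with a sample "Failed password for root from ..." line and confirm the alert carries id 100100 rather than 5716.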
