Hello,

First, I'm sorry if the question has already been asked.

So what I'm trying to achieve is this:

If someone fails to log in too many times on one of my agents, I want this IP 
to be dropped on all other agents and the server.

The same goes the other way around: if someone tries on the server, I want it to be 
dropped on the server and all the agents.

I tried to edit the file ossec.conf on the server and put 'all' instead 
of 'local':


<!-- Active Response Config -->
  <active-response>
    <!-- This response is going to execute the host-deny
       - command for every event that fires a rule with
       - level (severity) >= 6.
       - The IP is going to be blocked for  600 seconds.
      -->
    <command>host-deny</command>
    <location>all</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>


  <active-response>
    <!-- Firewall Drop response. Block the IP for
       - 600 seconds on the firewall (iptables,
       - ipfilter, etc).
      -->
    <command>firewall-drop</command>
    <location>all</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>

If I want to edit the number of failed SSH attempts, which file do I have 
to edit? /var/ossec/rules/sshd_rules.xml?


Thanks for your help,
Best regards.
