Hello,

Thank you for your answer.

I modified the Active-Response in the file /var/ossec/etc/ossec.conf to look like this:

  <!-- Active Response Config -->
  <active-response>
    <!-- This response is going to execute the host-deny
       - command for every event that fires a rule with
       - level (severity) >= 6.
       - The IP is going to be blocked for 600 seconds.
      -->
    <command>host-deny</command>
    <location>all</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>

  <active-response>
    <!-- Firewall Drop response. Block the IP for
       - 600 seconds on the firewall (iptables,
       - ipfilter, etc).
      -->
    <command>firewall-drop</command>
    <location>all</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>

Then I added the following in /var/ossec/rules/local_rules.xml:

  <group name="syslog,sshd,">
    <rule id="5712" level="10" frequency="3" timeframe="120" ignore="60" overwrite="yes">
      <if_matched_sid>5710</if_matched_sid>
      <description>SSHD brute force trying to get access to </description>
      <description>the system.</description>
      <same_source_ip />
      <group>authentication_failures,</group>
    </rule>

    <rule id="5720" level="10" frequency="3" overwrite="yes">
      <if_matched_sid>5716</if_matched_sid>
      <same_source_ip />
      <description>Multiple SSHD authentication failures.</description>
      <group>authentication_failures,</group>
    </rule>
  </group>

and finally restarted ossec-control, but it isn't working. I can still try to log in after 6 attempts.

On Wednesday, 15 March 2017 19:01:37 UTC+1, dan (ddpbsd) wrote:
>
> On Wed, Mar 15, 2017 at 7:25 AM, Martin <mart...@gmail.com> wrote:
> > Hello,
> >
> > First, I'm sorry if the question has already been asked.
> >
> > So what I'm trying to achieve is this:
> >
> > If someone fails to log in too many times on one of my agents, I want this IP
> > to be dropped on all the other agents and the server.
> >
> > The same goes the other way around: if someone tries on the server, I want it
> > to be dropped on the server and all the agents.
> >
> > I tried to edit the file ossec.conf on the server and put 'all' instead of
> > 'local':
> >
> >   <!-- Active Response Config -->
> >   <active-response>
> >     <!-- This response is going to execute the host-deny
> >        - command for every event that fires a rule with
> >        - level (severity) >= 6.
> >        - The IP is going to be blocked for 600 seconds.
> >       -->
> >     <command>host-deny</command>
> >     <location>all</location>
> >     <level>6</level>
> >     <timeout>600</timeout>
> >   </active-response>
> >
> >   <active-response>
> >     <!-- Firewall Drop response. Block the IP for
> >        - 600 seconds on the firewall (iptables,
> >        - ipfilter, etc).
> >       -->
> >     <command>firewall-drop</command>
> >     <location>all</location>
> >     <level>6</level>
> >     <timeout>600</timeout>
> >   </active-response>
> >
> > If I want to edit the number of failed SSH attempts, which file do I have to
> > edit? /var/ossec/rules/sshd_rules.xml?
> >
>
> You can copy the rule you want to modify to local_rules.xml, and add:
> overwrite="yes"
> to the "<rule" line.
>
> > Thanks for your help,
> > Best regards.
> >
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google Groups
> > "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to ossec-list+...@googlegroups.com.
> > For more options, visit https://groups.google.com/d/optout.
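Editor's note with an added example (not code from the thread or from OSSEC): the script below replays constructed sshd log lines through the correlation logic the posted rules describe, so you can see at which attempt rule 5712 actually fires and, because only that composite rule reaches level 10 while the base rules 5710/5716 stay at level 5, when the level >= 6 active responses would run. Two things it models are worth checking against your own setup: OSSEC's rule documentation states that a rule with frequency N fires at N + 2 matches, so frequency="3" means the fifth failure, not the third (the freq_offset parameter lets you compare both); and the ignore="60" attribute mutes the rule for 60 seconds after it fires. The base-rule patterns, the first-match-wins ordering between 5710 and 5716, and the 360-second default timeframe for a rule without one are my assumptions about stock sshd_rules.xml, not something the thread confirms; the log lines are constructed.

```python
"""Replay sshd failures through the posted OSSEC rule logic (added example, not OSSEC code)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Base rules approximating stock sshd_rules.xml (assumption): (sid, level, pattern).
# The first matching rule wins, so "Failed password for invalid user" is 5710, not 5716.
BASE_RULES = [
    (5710, 5, re.compile(r"invalid user|illegal user")),
    (5716, 5, re.compile(r"^Failed|^error: PAM: Authentication")),
]

# Composite rules as overridden in the local_rules.xml above.
# 5720 has no timeframe in the post; 360 s is an assumed default.
COMPOSITE_RULES = [
    dict(sid=5712, level=10, parent=5710, frequency=3, timeframe=120, ignore=60),
    dict(sid=5720, level=10, parent=5716, frequency=3, timeframe=360, ignore=0),
]

# Active-response blocks from the ossec.conf above: (command, level, timeout).
ACTIVE_RESPONSES = [("host-deny", 6, 600), ("firewall-drop", 6, 600)]

# OSSEC's rule docs: the trigger count is two more than the frequency setting.
DEFAULT_FREQ_OFFSET = 2

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s\S+\ssshd\[\d+\]:\s(?P<msg>.*)$")
IP_RE = re.compile(r"\bfrom\s(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample log (not from the original post): six invalid-user failures
# from 203.0.113.7 in 20 seconds, two root failures from 198.51.100.9.
SAMPLE_LOG = """\
Mar 15 19:00:01 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar 15 19:00:04 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar 15 19:00:07 web1 sshd[2103]: Failed password for invalid user oracle from 203.0.113.7 port 51240 ssh2
Mar 15 19:00:09 web1 sshd[2105]: Failed password for root from 198.51.100.9 port 40022 ssh2
Mar 15 19:00:11 web1 sshd[2106]: Failed password for invalid user test from 203.0.113.7 port 51250 ssh2
Mar 15 19:00:14 web1 sshd[2108]: Failed password for invalid user guest from 203.0.113.7 port 51255 ssh2
Mar 15 19:00:20 web1 sshd[2110]: Failed password for invalid user admin from 203.0.113.7 port 51260 ssh2
Mar 15 19:00:25 web1 sshd[2112]: Failed password for root from 198.51.100.9 port 40030 ssh2
"""


def parse_line(line, year=2017):
    """Return (timestamp, message, srcip) for an sshd syslog line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
    ip_m = IP_RE.search(m.group("msg"))
    return ts, m.group("msg"), ip_m.group("ip") if ip_m else None


def analyze(log_text, freq_offset=DEFAULT_FREQ_OFFSET):
    """Return (alerts, actions).

    alerts : list of (time, sid, level, srcip) for every rule that fired
    actions: list of (time, command, srcip, timeout) the active response would run
    """
    alerts, actions = [], []
    windows = defaultdict(deque)   # (sid, srcip) -> parent-match timestamps (same_source_ip)
    ignore_until = {}              # (sid, srcip) -> end of the <ignore> window

    def emit(ts, sid, level, ip):
        alerts.append((ts, sid, level, ip))
        for command, ar_level, timeout in ACTIVE_RESPONSES:
            if level >= ar_level and ip:
                actions.append((ts, command, ip, timeout))

    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if not parsed:
            continue
        ts, msg, ip = parsed
        base = next(((sid, lvl) for sid, lvl, pat in BASE_RULES if pat.search(msg)), None)
        if base is None:
            continue
        sid, level = base
        emit(ts, sid, level, ip)               # level 5: below the active-response threshold

        for rule in COMPOSITE_RULES:
            if rule["parent"] != sid:
                continue
            key = (rule["sid"], ip)
            if ts < ignore_until.get(key, ts):
                continue                       # rule is muted by <ignore> after a previous fire
            win = windows[key]
            win.append(ts)
            while ts - win[0] > timedelta(seconds=rule["timeframe"]):
                win.popleft()                  # drop matches outside the timeframe
            if len(win) >= rule["frequency"] + freq_offset:
                emit(ts, rule["sid"], rule["level"], ip)
                win.clear()
                ignore_until[key] = ts + timedelta(seconds=rule["ignore"])
    return alerts, actions


if __name__ == "__main__":
    for offset in (DEFAULT_FREQ_OFFSET, 0):
        alerts, actions = analyze(SAMPLE_LOG, offset)
        print(f"freq_offset={offset}: {len(alerts)} alerts, {len(actions)} active-response actions")
        for ts, command, ip, timeout in actions:
            print(f"  {ts:%H:%M:%S} {command} {ip} for {timeout}s on all agents")
```

With the documented offset the block for 203.0.113.7 lands on the fifth invalid-user failure at 19:00:14; with no offset it lands on the third, at 19:00:07, and the ignore window then swallows the next three. If you watch the real system, also check that the agents have active response enabled locally and that the alert you see in alerts.log is the level-10 composite rule rather than a level-5 base rule, since only the former crosses the <level>6</level> threshold.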