Hi Dan,
I have put this in my ossec.conf on the agent side; I read your old message on
the newsgroup with the suggestion to put this on the 'agent side':


<active-response>
  <repeated_offenders>60,120,480</repeated_offenders>
</active-response>

It's too early to tell for now, but it seems to work...

Thank you..




On Fri, 2 Nov 2018 at 11:54, dan (ddp) <ddp...@gmail.com> wrote:

> On Thu, Nov 1, 2018 at 5:22 AM Giorgio Biondi <biondi.gior...@gmail.com>
> wrote:
> >
> > Hi all,
> >
> > it seems that "repeat offenders" does not work, at least in a server-agent
> > configuration. I have an OSSEC server with 10 agents. Below is an excerpt
> > of the ossec.conf configuration on the server. I repeated attacks from an IP
> > (obviously it is not the one you see; I intentionally put in a non-existent IP)
> > and the OSSEC agent continues to cancel the defense every 10 minutes, as if
> > "repeat offenders" were not configured. Where am I wrong?
> >
>
> I believe the repeated_offenders setting needs to be on the agent, not
> the server? Something like that.
> It's been a while since I used it.
>
> >
> > extract from my ossec.conf
> >
> >   <!-- Active Response Config -->
> >   <active-response>
> >     <!-- This response is going to execute the host-deny
> >        - command for every event that fires a rule with
> >        - level (severity) >= 6.
> >        - The IP is going to be blocked for  600 seconds.
> >       -->
> >     <command>host-deny</command>
> >     <location>all</location>
> >     <level>6</level>
> >     <timeout>600</timeout>
> >     <repeated_offenders>60,120,480</repeated_offenders>
> >   </active-response>
> >
> >   <active-response>
> >     <!-- Firewall Drop response. Block the IP for
> >        - 600 seconds on the firewall (iptables,
> >        - ipfilter, etc).
> >       -->
> >     <command>firewall-drop</command>
> >     <location>all</location>
> >     <level>6</level>
> >     <timeout>600</timeout>
> >     <repeated_offenders>60,120,480</repeated_offenders>
> >   </active-response>
> >
> >
>
> --
>
> ---
> You received this message because you are subscribed to a topic in the
> Google Groups "ossec-list" group.
> To unsubscribe from this topic, visit
> https://groups.google.com/d/topic/ossec-list/yfd5QYz4CFc/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to
> ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>
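A lint check for the placement problem discussed in this thread, as an added example that is not part of the original messages or of OSSEC itself. The function name, the role labels and the sample configs are assumptions constructed from the excerpts above; the limits checked (at most five entries, increasing values, given in minutes) follow the OSSEC documentation for `repeated_offenders`.

```python
import xml.etree.ElementTree as ET

MAX_ENTRIES = 5  # documented limit for repeated_offenders entries

# Constructed samples based on the excerpts quoted in this thread.
SERVER_CONF = """<ossec_config>
  <active-response>
    <command>firewall-drop</command>
    <location>all</location>
    <level>6</level>
    <timeout>600</timeout>
    <repeated_offenders>60,120,480</repeated_offenders>
  </active-response>
</ossec_config>"""
AGENT_CONF = """<ossec_config>
  <active-response>
    <repeated_offenders>60,120,480</repeated_offenders>
  </active-response>
</ossec_config>"""

def audit_repeated_offenders(conf_text, role):
    """Audit one ossec.conf; role is "agent" or "server" (caller-supplied)."""
    # ossec.conf may contain several <ossec_config> roots, so wrap it first.
    root = ET.fromstring("<wrapper>" + conf_text + "</wrapper>")
    schedule, findings = [], []
    for block in root.iter("active-response"):
        raw = block.findtext("repeated_offenders")
        if raw is None:
            continue
        command = block.findtext("command", default="(no command)")
        if role == "server":
            findings.append(f"server block '{command}': repeated_offenders "
                            "belongs in the agent's ossec.conf")
            continue
        try:
            minutes = [int(v) for v in raw.split(",")]
        except ValueError:
            findings.append(f"non-numeric entry in '{raw}'")
            continue
        if len(minutes) > MAX_ENTRIES:
            findings.append(f"{len(minutes)} entries, maximum is {MAX_ENTRIES}")
        if any(b <= a for a, b in zip(minutes, minutes[1:])):
            findings.append(f"timeouts not increasing: {minutes}")
        schedule = minutes
    if role == "agent" and not schedule:
        findings.append("agent has no repeated_offenders: blocks always "
                        "expire after the base timeout")
    return {"schedule_minutes": schedule, "findings": findings}
```

Run it against each agent's local ossec.conf with `role="agent"` and against the manager's with `role="server"`; an empty findings list on the agent means the escalation schedule is in the place the reply above reports as working.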
