Hi everybody,

I have seen an article about configuring active-response to block SSH bruteforce on https://wazuh.com/blog/blocking-attacks-active-response/

I have configured the direction and added some SSH-related rules, hoping that it will prevent the attack, but it doesn't work. I configured the following in ossec.conf:

    <command>
      <name>firewall-drop</name>
      <executable>firewall-drop.sh</executable>
      <expect>srcip</expect>
      <timeout_allowed>yes</timeout_allowed>
    </command>

    <active-response>
      <command>firewall-drop</command>
      <location>local</location>
      <rules_id>5712,5716,5720</rules_id>
      <timeout>1800</timeout>
    </active-response>

I still find the password to log in after the bruteforce. I use the following command to attack:

    hydra -l agent -P /home/attacker/Desktop/list.txt 192.168.10.2 -t 4 ssh

Is there any way the active-response can prevent this?

Thanks, everyone.