Hello,

First, let us start with the active response configuration of the manager and agent. The configuration you shared should be used on the manager side, and for the agent you just need to set it like this:

<active-response>
  <disabled>no</disabled>
  <ca_store>/var/ossec/etc/wpk_root.pem</ca_store>
  <ca_verification>yes</ca_verification>
</active-response>

As a side note, rule 5720 is triggered when rule 5716 fires 8 times in a short period of time, so having both of them in the active response is not necessary.

Hydra tests the passwords in the list sequentially and it is really fast, so if your list only contains a few passwords it may be possible for Hydra to test the correct password from the list before active response can shut down the connection from the IP. This should not happen in a real brute force attack, as the list of passwords would be long enough for active response to act in time. A possibility to minimize this phenomenon would be to reduce the number of attempts needed before shutting down.

Just to verify, could you share the length of the list you are using for this test, and if possible could you try running Hydra like this to verify that active response is working as intended:

hydra -l agent -x 1:5:aA1 [AGENT_IP] ssh

This will try all combinations of lowercase characters, uppercase characters, and numbers with a length between 1 and 5, so it should not be able to find your password before active response triggers.

Regards,
Daniel Folch

On Tuesday, September 22, 2020 at 1:07:58 PM UTC+2, conm...@gmail.com wrote:
>
> Hi everybody,
> I have seen an article about configuring active-response to block SSH brute force on https://wazuh.com/blog/blocking-attacks-active-response/
>
> I have configured the direction and added some ssh-related rules hoping that it will prevent the attack, but it doesn't work.
> I configured the following in ossec.conf:
>
> <command>
>   <name>firewall-drop</name>
>   <executable>firewall-drop.sh</executable>
>   <expect>srcip</expect>
>   <timeout_allowed>yes</timeout_allowed>
> </command>
>
> <active-response>
>   <command>firewall-drop</command>
>   <location>local</location>
>   <rules_id>5712,5716,5720</rules_id>
>   <timeout>1800</timeout>
> </active-response>
>
> I still find the password to log in after the brute force. I use the following command to attack:
>
> hydra -l agent -P /home/attacker/Desktop/list.txt 192.168.10.2 -t 4 ssh
>
> Is there any way the active-response can prevent this?
> Thanks everyone
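The race Daniel describes (a frequency rule needs several failures before firewall-drop fires, so a short Hydra list can hit the right password first) can be reproduced offline. The script below is an added example written for this thread, not code from Wazuh/OSSEC or from either poster. It is a deliberately simplified model of a frequency rule: a source IP is blocked once `frequency` failed logins land within `timeframe` seconds, and anything from a blocked IP afterwards is treated as dropped by the firewall. The sshd log lines, the attacker address 192.168.10.3 and the regexes are constructed for the example; the real engine's exact counting rules for `frequency` are not reproduced here, so treat the numbers as illustrative.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Minimal patterns for the two sshd messages this scenario cares about.
# The real OSSEC/Wazuh sshd decoder is far more complete; these only need
# to extract the user and the source IP.
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"Accepted password for (\S+) from (\S+) port")

TS_FMT = "%Y-%m-%dT%H:%M:%S"  # constructed ISO-style timestamp (syslog uses a different format)


def make_attempts(srcip, n_wrong, step=0.2, user="agent", start="2020-09-22T13:07:58"):
    """Constructed sshd log: n_wrong failures followed by one success, `step`
    seconds apart. This models Hydra walking a password list whose last entry
    is the correct password."""
    t0 = datetime.strptime(start, TS_FMT)
    lines = []
    for i in range(n_wrong + 1):
        ts = (t0 + timedelta(seconds=i * step)).strftime(TS_FMT)
        what = "Accepted" if i == n_wrong else "Failed"
        lines.append(
            f"{ts} agent sshd[1234]: {what} password for {user} from {srcip} port {50000 + i} ssh2"
        )
    return lines


def simulate(lines, frequency=8, timeframe=120):
    """Simplified frequency rule plus firewall-drop.

    Counts failed logins per source IP inside a sliding window of `timeframe`
    seconds and blocks the IP when the count reaches `frequency`. Events from a
    blocked IP are ignored afterwards, as the firewall rule would drop them.

    Returns (blocked_at, success_at): 1-based indexes into `lines` of the first
    block decision and the first successful login that got through, or None if
    the event never happens.
    """
    recent = defaultdict(deque)   # srcip -> timestamps of recent failures
    blocked = set()
    blocked_at = success_at = None
    for idx, line in enumerate(lines, 1):
        ts_str, _, msg = line.partition(" ")
        ts = datetime.strptime(ts_str, TS_FMT)
        m = FAILED_RE.search(msg)
        if m:
            ip = m.group(2)
            if ip in blocked:
                continue  # connection dropped by firewall-drop
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > timedelta(seconds=timeframe):
                q.popleft()  # forget failures outside the window
            if len(q) >= frequency:
                blocked.add(ip)
                if blocked_at is None:
                    blocked_at = idx
            continue
        m = ACCEPTED_RE.search(msg)
        if m and m.group(2) not in blocked and success_at is None:
            success_at = idx
    return blocked_at, success_at


if __name__ == "__main__":
    ip = "192.168.10.3"  # constructed attacker address
    print("5-entry list, frequency 8 :", simulate(make_attempts(ip, 4)))
    print("20-entry list, frequency 8:", simulate(make_attempts(ip, 19)))
    print("5-entry list, frequency 4 :", simulate(make_attempts(ip, 4), frequency=4))
    print("20-entry list, one try every 200 s:",
          simulate(make_attempts(ip, 19, step=200), frequency=8, timeframe=120))
```

With the default threshold of 8, a 5-entry list logs in at attempt 5 and is never blocked, while a 20-entry list is blocked at the 8th failure and the correct password never gets through. Lowering `frequency` to 4 closes the gap for the short list, which is the mitigation Daniel suggests. The last run shows the opposite failure mode: if attempts are spaced further apart than `timeframe`, the window never fills and a slow brute force is never blocked, so the timeframe deserves as much attention as the count.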