Can you guide me on how to turn on active response on my OSSEC? Mine is not working even though I added the same code block as you to my ossec.conf.
On Friday, September 25, 2020 at 2:40:45 PM UTC+7 lê danh wrote:
> oh i did it and it works great, it can block me before i get my password,
> thank you so much
>
> On Wed, 23 Sep 2020 at 18:21 Daniel Folch <daniel...@wazuh.com> wrote:
>
>> Hello,
>>
>> First, let us start with the active response configuration of the manager
>> and agent. The configuration you shared should be used on the manager side,
>> and for the agent you just need to set it like this:
>>
>> <active-response>
>>   <disabled>no</disabled>
>>   <ca_store>/var/ossec/etc/wpk_root.pem</ca_store>
>>   <ca_verification>yes</ca_verification>
>> </active-response>
>>
>> As a side note, rule 5720 is triggered when rule 5716 activates 8 times in
>> a short period of time, so having both of them in the active response is
>> not necessary.
>>
>> Hydra tests the passwords in the list sequentially and it is really fast,
>> so if your list only contains a few passwords it may be possible for hydra
>> to test the correct password from the list before active response can shut
>> down the connection from the IP. This should not happen in a real brute
>> force attack, as the list of passwords would be long enough for active
>> response to act in time. A possibility to minimize this phenomenon would be
>> to reduce the number of attempts needed before shutting down.
>>
>> Just to verify, could you share the length of the list you are using for
>> this test, and if possible could you try running Hydra like this to verify
>> that active response is working as intended:
>>
>> hydra -l agent -x 1:5:aA1 [AGENT_IP] ssh
>>
>> This will try to test all combinations of lowercase characters, uppercase
>> characters, and numbers with a length between 1 and 5, so it should not be
>> able to find your password before active response triggers.
>>
>> Regards,
>> Daniel Folch
>>
>> On Tuesday, September 22, 2020 at 1:07:58 PM UTC+2, conm...@gmail.com wrote:
>>>
>>> Hi everybody,
>>> I have seen an article about configuring active-response to block SSH
>>> bruteforce on https://wazuh.com/blog/blocking-attacks-active-response/
>>>
>>> I have configured the direction and added some ssh related rules hoping
>>> that it will prevent the attack, but it doesn't work.
>>> I configured the following in ossec.conf:
>>>
>>> <command>
>>>   <name> firewall-drop </name>
>>>   <executable> firewall-drop.sh </executable>
>>>   <expect> srcip </expect>
>>>   <timeout_allowed> yes </timeout_allowed>
>>> </command>
>>>
>>> <active-response>
>>>   <command> firewall-drop </command>
>>>   <location> local </location>
>>>   <rules_id> 5712,5716,5720 </rules_id>
>>>   <timeout> 1800 </timeout>
>>> </active-response>
>>>
>>> I still find the password to log in after the bruteforce. I use the
>>> following command to attack:
>>> hydra -l agent -P /home/attacker/Desktop/list.txt 192.168.10.2 -t 4 ssh
>>>
>>> Is there any way the active-response can prevent this?
>>> Thanks everyone
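The race Daniel describes (hydra guesses sequentially faster than active response can drop the source IP, so a short list can reach the real password while a long one cannot), as an added illustration that is not code from the thread or from OSSEC/Wazuh: a small Python model of the frequency rule plus firewall-drop. The 8-hit threshold for rule 5720 and the 1800 s timeout come from the thread; the 120 s rule window, the 1 s response delay and the 10 guesses/s rate are assumed values.

```python
from dataclasses import dataclass, field

@dataclass
class ActiveResponseModel:
    """Model of the thread's setup: rule 5720 fires when rule 5716 (SSH auth
    failure) hits `frequency` times inside `window`, then firewall-drop blocks
    the source IP for `timeout`. Times are milliseconds. frequency=8 and the
    1800 s timeout come from the thread; window and response_delay are assumed."""
    frequency: int = 8
    window: int = 120_000
    timeout: int = 1_800_000
    response_delay: int = 1_000          # log read -> rule match -> firewall-drop.sh
    hits: list = field(default_factory=list)
    blocked_from: float = float("inf")
    blocked_until: float = float("inf")

    def failed_login(self, t: int) -> bool:
        """Record a 5716 hit at time t; return True when 5720 fires."""
        self.hits = [h for h in self.hits if t - h <= self.window] + [t]
        if len(self.hits) < self.frequency:
            return False
        self.hits.clear()
        start = t + self.response_delay
        if t >= self.blocked_until or start < self.blocked_from:  # no block pending
            self.blocked_from, self.blocked_until = start, start + self.timeout
        return True

    def is_blocked(self, t: int) -> bool:
        return self.blocked_from <= t < self.blocked_until

def simulate(passwords, correct, per_attempt=100, **ar_kwargs):
    """Sequential guessing run (one guess per per_attempt ms) against the model.
    Returns (correct_password_reached, guesses_that_got_through)."""
    ar = ActiveResponseModel(**ar_kwargs)
    for i, pw in enumerate(passwords, start=1):
        t = (i - 1) * per_attempt
        if ar.is_blocked(t):
            return False, i - 1       # dropped by the firewall rule
        if pw == correct:
            return True, i            # password reached before the block landed
        ar.failed_login(t)
    return False, len(passwords)

if __name__ == "__main__":
    short = [f"pw{i}" for i in range(1, 5)] + ["secret"]     # constructed 5-word list
    longer = [f"pw{i}" for i in range(1, 20)] + ["secret"]   # constructed 20-word list
    print(simulate(short, "secret"))                        # (True, 5)
    print(simulate(longer, "secret"))                       # (False, 17)
    print(simulate(short, "secret", frequency=3, response_delay=0))  # (False, 3)
```

With the 1 s response delay the 20-word run still gets 17 guesses through before the drop lands, which is why a short list can win; lowering the threshold only helps once the response itself is fast enough.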