I went with the first option. Works as expected, but now I need to adjust
the number of fails before the IP is blocked. Where do I do that?
On Monday, March 20, 2017 at 2:56:29 PM UTC-4, The Dude wrote:
>
> I am new to ossec and I am trying to figure out what is the best way to
> change a rule. In the ossec.conf it says this
>
>
>>
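>> <active-response>
>>   <command>host-deny</command>
>>   <location>local</location>
>>   <level>6</level>
>>   <timeout>600</timeout>
>> </active-response>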
>
>
>
>
> I am assuming the level it is referring to is the level set in the
> rule.xml. So the sshd_rules.xml has this line.
>
>>
>>
>> <if_sid>5700</if_sid>
>> <match>^Failed|^error: PAM: Authentication</match>
>> <description>SSHD authentication failed.</description>
>> <group>authentication_failed,</group>
>
>
>
>
>
> When testing failed ssh logins I see the alert in the alert.log for the
> rule above. How should I go about changing the level to 6 so it will get
> blocked? I tried editing the sshd_rules.xml but get the read only warning.
>