[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ossec-list] Re: How to disable IP's trying brute force? Error Alert 10

To: ossec-list@xxxxxxxxxxxxxxxx
Subject: [ossec-list] Re: How to disable IP's trying brute force? Error Alert 10
From: Thorne Lawler <Thorne.Lawler@xxxxxxxxxxxxx>
Date: Thu, 17 May 2007 09:26:55 +1000
Cc: ossec-list@xxxxxxxxxxxxxxxx, ossec-list@xxxxxxxxx

Deltamails,

Active Response may already be doing this for you. Check out the active
response log.

By default, Active Response only locks out an IP for five minutes, then
re-enables it. You can extend this by increasing the appropriate value
from 300 in ossec.conf.

You could probably arrange it so that the list of blocked IPs only ever
grows, and never unblocks them, but I can't get at my OSSEC machine right
now to verify how.

...probably should have just shut up and let Daniel answer. :-)

--
Thorne Lawler

Technical Consultant
ICT Outsourcing Services | Infrastructure Services | Unix Storage and
Delivery
KAZ Group Pty Ltd
360 Elizabeth Street | Melbourne Victoria 3000
(03) 9631 1747 | 0408 491 552 | Fax: (03) 9654 7334
thorne.lawler@xxxxxxxxxxxxx | www.kaz-group.com
--------------------------------------------------------------------------------
This communication may contain confidential information and/or copyright
material of KAZ Group Pty Ltd ABN 25 002 124 405 and its related bodies
corporate. It may also be the subject of legal professional privilege. If
you
are not an intended recipient, you must not keep, forward, copy, use, save
or
rely on this communication and any such action is unauthorised and
prohibited.
If you have received this communication in error, please reply to this
e-mail to
notify the sender of its incorrect delivery, and then delete both it and
your
reply

deltamails@xxxxxxxxx
Sent by: ossec-list@xxxxxxxxxxxxxxxx
17/05/2007 08:32 AM
Please respond to
ossec-list@xxxxxxxxxxxxxxxx

To
ossec-list@xxxxxxxxx
cc

Subject
[ossec-list] How to disable IP's trying brute force? Error Alert 10

I am getting brute force detection alerts. Is it possible to block the IP
which try more then 5 bad login attempts?

Thanks

This communication may contain confidential information and/or copyright material of KAZ Group Pty Ltd ABN 25 002 124 405 and its related bodies corporate. It may also be the subject of legal professional privilege. If you are not an intended recipient, you must not keep, forward, copy, use, save or rely on this communication and any such action is unauthorised and prohibited. If you have received this communication in error, please reply to this e-mail to notify the sender of its incorrect delivery, and then delete both it and your reply.

Follow-Ups:
- [ossec-list] Re: How to disable IP's trying brute force? Error Alert 10
  - From: Daniel Cid

Prev by Date: [ossec-list] How to disable IP's trying brute force? Error Alert 10
Next by Date: [ossec-list] Ossec using 890k handles in windows
Previous by thread: [ossec-list] How to disable IP's trying brute force? Error Alert 10
Next by thread: [ossec-list] Re: How to disable IP's trying brute force? Error Alert 10
Index(es):
- Date
- Thread

OSSEC home | Main Index | Thread Index

OSSEC project: www.ossec.net.
Mailling list information: http://www.ossec.net/en/mailing_lists.html.