[ossec-list] Re: How to disable IP's trying brute force? Error Alert 10
- To: ossec-list@xxxxxxxxxxxxxxxx
- Subject: [ossec-list] Re: How to disable IP's trying brute force? Error Alert 10
- From: "Daniel Cid" <daniel.cid@xxxxxxxxx>
- Date: Thu, 17 May 2007 18:53:44 -0300
- Cc: ossec-list@xxxxxxxxx
Hi Thorne,
You are right, OSSEC will by default block the IP address for only a limited
period of time. Check at /var/ossec/logs/active-response.log for a list
of IP addresses that were blocked.
Hope it helps.
--
Daniel B. Cid
dcid ( at ) ossec.net
On 5/16/07, Thorne Lawler <Thorne.Lawler@xxxxxxxxxxxxx> wrote:
>
> Deltamails,
>
> Active Response may already be doing this for you. Check out the active
> response log.
>
> By default, Active Response only locks out an IP for five minutes, then
> re-enables it. You can extend this by increasing the appropriate value
> from 300 in ossec.conf.
>
> You could probably arrange it so that the list of blocked IPs only ever
> grows, and never unblocks them, but I can't get at my OSSEC machine right
> now to verify how.
>
> ...probably should have just shut up and let Daniel answer. :-)
>
> --
> Thorne Lawler
>
> Technical Consultant
> ICT Outsourcing Services | Infrastructure Services | Unix Storage and
> Delivery
> KAZ Group Pty Ltd
> 360 Elizabeth Street | Melbourne Victoria 3000
> (03) 9631 1747 | 0408 491 552 | Fax: (03) 9654 7334
> thorne.lawler@xxxxxxxxxxxxx | www.kaz-group.com
> --------------------------------------------------------------------------------
> This communication may contain confidential information and/or copyright
> material of KAZ Group Pty Ltd ABN 25 002 124 405 and its related bodies
> corporate. It may also be the subject of legal professional privilege. If
> you are not an intended recipient, you must not keep, forward, copy, use,
> save or rely on this communication and any such action is unauthorised and
> prohibited. If you have received this communication in error, please reply
> to this e-mail to notify the sender of its incorrect delivery, and then
> delete both it and your reply
>
> deltamails@xxxxxxxxx
> Sent by: ossec-list@xxxxxxxxxxxxxxxx
> 17/05/2007 08:32 AM
> Please respond to ossec-list@xxxxxxxxxxxxxxxx
>
> To: ossec-list@xxxxxxxxx
> cc:
> Subject: [ossec-list] How to disable IP's trying brute force? Error Alert 10
>
> I am getting brute force detection alerts. Is it possible to block the IP
> which tries more than 5 bad login attempts?
>
> Thanks
>
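
As a follow-up to the pointer to /var/ossec/logs/active-response.log above, here is an added example (not part of the original thread and not OSSEC project code) that pairs add and delete entries per IP to show how long each block lasted and which addresses are still blocked. The log line layout and the sample lines are constructed assumptions; adjust the field positions if your log differs.

```python
from datetime import datetime

# Constructed sample lines. Assumed layout: `date` output, script path,
# action (add/delete), user, source IP, alert id, rule id.
SAMPLE_LOG = """\
Thu May 17 08:40:01 EST 2007 /var/ossec/active-response/bin/firewall-drop.sh add - 192.0.2.10 1179355201.1001 5712
Thu May 17 08:41:30 EST 2007 /var/ossec/active-response/bin/firewall-drop.sh add - 198.51.100.7 1179355290.1002 5712
Thu May 17 08:45:01 EST 2007 /var/ossec/active-response/bin/firewall-drop.sh delete - 192.0.2.10 1179355201.1001 5712
Thu May 17 09:10:00 EST 2007 /var/ossec/active-response/bin/firewall-drop.sh add - 192.0.2.10 1179357000.1003 5712
"""

def parse_line(line):
    """Return (timestamp, action, ip), or None for lines that do not match."""
    f = line.split()
    if len(f) < 10 or f[7] not in ("add", "delete"):
        return None
    try:
        # Skip the weekday (f[0]) and the timezone abbreviation (f[4]).
        stamp = " ".join((f[1], f[2], f[3], f[5]))
        ts = datetime.strptime(stamp, "%b %d %H:%M:%S %Y")
    except ValueError:
        return None
    return ts, f[7], f[9]

def summarize(lines):
    """Pair add/delete events per IP.

    Returns {ip: {"durations": [seconds, ...], "blocked_since": datetime or None}}.
    """
    state = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, action, ip = parsed
        entry = state.setdefault(ip, {"durations": [], "blocked_since": None})
        if action == "add":
            # A repeated add while already blocked keeps the first start time.
            if entry["blocked_since"] is None:
                entry["blocked_since"] = ts
        elif entry["blocked_since"] is not None:
            held = ts - entry["blocked_since"]
            entry["durations"].append(int(held.total_seconds()))
            entry["blocked_since"] = None
    return state

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG.splitlines()).items():
        status = "still blocked" if info["blocked_since"] else "released"
        print(ip, status, "past block lengths (s):", info["durations"])
```

A block length that matches the timeout set in ossec.conf confirms the setting is being applied; an IP with no matching delete entry is still blocked.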
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.