On Jul 29, 2015 5:44 PM, "Ashley Drees" <ashle...@gmail.com> wrote:
>
> Hi Brent.
>
> The plan was: if anyone logs in from anywhere as root, the source IP should be blocked permanently and possibly an email sent to the admins, as we do not support root logins anywhere for any reason, so anyone trying to log into that account is up to no good. This we will repeat for all the usual suspect accounts, which we do not use for that reason.
>
> If someone logs in from anywhere as a legitimate user and fails to enter the correct password, then at the third failure they are blocked for 600 seconds; if they do it again, they move into the <repeated_offenders>30,90,120,</repeated_offenders> stage.
>
> As this is my first time with OSSEC, I was looking for a <user>!user</user> kind of statement, but it seems to need trees of logic to make it work.
>
This would be great functionality to have, and we'd love to see a patch: github.com/ossec/ossec-hids
But yeah, the way to solve it is to create a child rule looking only for root logins and treat it differently from the parent.
> On 29 July 2015 at 17:46, Brent Morris <brent....@gmail.com> wrote:
>>
>> Ashley,
>>
>> Can you provide more details about what you're trying to accomplish? It appears that you'd like to use active-response with repeated_offenders - but I'm not quite sure.
>>
>> If the above is correct, then you'd want to set your active-response up to match the rules for the alerts you're receiving on invalid logons or <match>root</match>.
>>
>> -Brent
>>
>> On Wednesday, July 29, 2015 at 9:06:41 AM UTC-7, Ashley Drees wrote:
>>>
>>> OK, not so much ignore: I am looking for a way to permanently ban any IP that tries to log in as root, but have a short ban for anyone just forgetting the password; fail more than 3 times and they get an increasing delay.
>>>
>>> Ashley Drees
>>> 07956726775
>>>
>>>
>>> On 29 Jul 2015, at 13:31, Brent Morris <brent....@gmail.com> wrote:
>>>
>>>> That won't work...
>>>>
>>>> I typically will overwrite an alert level if I want to ignore certain users.
>>>>
>>>> http://ossec-docs.readthedocs.org/en/latest/syntax/head_rules.html
>>>>
>>>>
>>>> On Wednesday, July 29, 2015 at 3:09:43 AM UTC-7, Ashley Drees wrote:
>>>>>
>>>>> Can I use <user>!root</user> in a rule to NOT match user root?
>
>
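The child-rule approach Brent describes, written out as an added example (not configuration from this thread or from the OSSEC project). It assumes sshd is the login source and that rule 5716 is the stock sshd authentication-failure rule in OSSEC's sshd_rules.xml; rule ids 100100 and 100101, the level values and the timeouts are chosen here for illustration and should be checked against the installed rule set and local policy. The first fragment goes in local_rules.xml, the second in ossec.conf, which already defines the firewall-drop command in a default install.

```xml
<!-- local_rules.xml (added example; rule ids 100100/100101 are illustrative) -->
<group name="local,syslog,sshd,">

  <!-- Child of 5716 (sshd authentication failed, assumed id) that fires only
       when the decoded user is root. Because a child rule supersedes its
       parent for the event, root attempts no longer count as ordinary
       failures. Level 12 is above the default email_alert_level of 7, so the
       alert is also mailed to the configured recipients. -->
  <rule id="100100" level="12">
    <if_sid>5716</if_sid>
    <user>root</user>
    <description>SSH login attempt as root: root logins are never legitimate here.</description>
  </rule>

  <!-- Ordinary users: three failures from one source IP within 120 seconds.
       The same pattern could be repeated for other unused accounts by
       adding further children of 5716 with a different <user>. -->
  <rule id="100101" level="10" frequency="3" timeframe="120">
    <if_matched_sid>5716</if_matched_sid>
    <same_source_ip />
    <description>Three failed SSH logins from the same source.</description>
  </rule>

</group>

<!-- ossec.conf (added example). firewall-drop is a command shipped in the
     default configuration; <location>local</location> runs it on the host
     that produced the alert. -->
<ossec_config>

  <!-- Root attempts: no <timeout> element, so the drop is never reverted,
       i.e. the block is permanent until removed by hand. -->
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>100100</rules_id>
  </active-response>

  <!-- Forgotten passwords: 600-second block, then escalating blocks of
       30, 90 and 120 minutes for repeat offenders. repeated_offenders is a
       comma-separated list of timeouts in minutes (at most five entries)
       and must be set in the ossec.conf of the agent that runs the
       response, not in a centralised agent.conf. -->
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>100101</rules_id>
    <timeout>600</timeout>
    <repeated_offenders>30,90,120</repeated_offenders>
  </active-response>

</ossec_config>
```

Two practical checks before enabling this: confirm with ossec-logtest that a "Failed password for root" line actually reaches 100100 (the <user> match depends on the sshd decoder having extracted the user field), and add the administrators' own source addresses to <white_list> under <global>, since a permanent firewall-drop triggered by a typo in a root login from an admin workstation would otherwise lock that workstation out.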