max ssh connection attempts

llehirgen

Nov 5, 2019, 12:31:12 PM
to ossec-list
I installed OSSEC HIDS on an Ubuntu 18.04 LTS server in a VirtualBox virtual machine, for testing purposes.
After OSSEC I installed fail2ban and started to test it.
fail2ban is configured by me for banning an IP after 4 wrong login attempts via ssh.
So, I tried to ssh connect to my server from another virtual machine, and after 3 attempts (not 4) I was disconnected and apparently banned for about 600 seconds.
Now I am wondering what could have happened.
It cannot be fail2ban that banned me, because fail2ban registered only 2 attempts and did not ban me.
Is OSSEC perhaps configured by default to ban an IP after 3 wrong ssh login attempts?
I could not find documentation.
I noticed that fail2ban enters into play only if there is a long time between two failed ssh login attempts.


José Manuel López del Río

Sep 22, 2020, 2:21:10 PM
to ossec-list
Hello llehirgen,
OSSEC has the functionality of blocking an IP after a specific number of failed attempts. This functionality is performed using the active-response capability: https://www.ossec.net/docs/syntax/head_ossec_config.active-response.html#active-response-block-a-srcip. The link shared points to a specific block from the OSSEC documentation that performs something similar to what you are experiencing: blocking an IP if a rule within the groups specified is triggered. Could you make sure that you do not have any active-response stanza similar to that one in your configuration file, found at /var/ossec/etc/ossec.conf by default?

I hope this helps.
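
One way to run the check suggested in the reply above, as an added example that is not part of the thread or of OSSEC itself: it lists every `<active-response>` stanza in an ossec.conf text with its trigger level, rule group and timeout. The sample configuration is constructed for illustration, and the helper names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not taken from the thread: two top-level <ossec_config>
# blocks, as ossec.conf allows, with one enabled and one disabled response.
SAMPLE_CONF = """\
<ossec_config>
  <global><email_notification>no</email_notification></global>
</ossec_config>
<ossec_config>
  <active-response>
    <!-- runs for any alert at level 6 or above -->
    <command>firewall-drop</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
  <active-response>
    <disabled>yes</disabled>
    <command>host-deny</command>
    <location>local</location>
    <rules_group>authentication_failed</rules_group>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
"""

FIELDS = ("command", "location", "level", "rules_group", "rules_id", "timeout")

def active_responses(conf_text):
    """Return one dict per <active-response> stanza in an ossec.conf text."""
    # ossec.conf may hold several <ossec_config> roots, which is not
    # well-formed XML, so wrap everything in a synthetic root first.
    root = ET.fromstring("<wrapper>" + conf_text + "</wrapper>")
    found = []
    for stanza in root.iter("active-response"):
        entry = {f: (stanza.findtext(f) or "").strip() for f in FIELDS}
        disabled = (stanza.findtext("disabled") or "no").strip().lower()
        entry["enabled"] = disabled != "yes"
        found.append(entry)
    return found

def enabled_responses(conf_text):
    """Stanzas that are not marked <disabled>yes</disabled>."""
    return [e for e in active_responses(conf_text) if e["enabled"]]

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for e in active_responses(text):
        print(e)
```

Run with the configuration path as the only argument to inspect a real file; an enabled stanza with a low `level` and no `rules_group` fires on any alert at or above that level, not only on ssh failures.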