Rule Wazuh


Lucas Veríssimo

May 15, 2025, 5:02:18 PM
to Wazuh | Mailing List
Hello, gentlemen, I would like to know how to make a rule in Wazuh in which, after 5 failed login attempts via SSH, Wazuh can identify and block this source IP via IPtables. What is needed?

Without using the existing rules, as they chain many other rules together; I wanted to make a rule just for that.

I'm trying to create the rules like this: one to identify the access failure, and the other to identify and block the source IP. But it gives an error.

What are the steps I have to take, please help me.

<group name="custom_rules">
    <rule id="100100" level="7">
        <decoded_as>sshd</decoded_as>
        <match>Failed password</match>
        <same_srcip/>
        <description>Usuário falhou ao autenticar via SSH.</description>
        <group>authentication_failed,ssh,</group>
    </rule>

    <rule id="100101" level="15">
        <if_matched_sid>100100</if_matched_sid>
        <timeframe>60</timeframe>
        <occurrences>5</occurrences>
        <description>IP bloqueado após 5 falhas de autenticação SSH.</description>
        <group>ssh,authentication_blocked,critical_alert,</group>
    </rule>
</group>

eduard...@wazuh.com

May 16, 2025, 12:34:54 AM
to Wazuh | Mailing List
Hi Lucas,

Let me replicate this and I will get back to you as soon as possible.

Jorge Eduardo Silva Jackson

May 16, 2025, 12:34:58 AM
to Wazuh | Mailing List

Hi Lucas, 

To implement automatic blocking of SSH brute-force attempts using a custom rule and active response in Wazuh, here’s a working configuration that I tested successfully:

  1. Create two custom rules in your local_rules.xml file

    <!-- Rules in local_rules.xml must sit inside a <group> element; this is the
         default wrapper of that file (the alert below lists these groups). -->
    <group name="local,syslog,sshd,">
      <!-- Child of the built-in sshd rule 5760 (authentication failure) -->
      <rule id="100100" level="5">
        <if_sid>5760</if_sid>
        <match>Failed password</match>
        <description>SSH failed login attempt detected</description>
        <group>authentication_failed,sshd</group>
      </rule>

      <!-- Fires when 100100 matches 5 times from the same source IP within 60 s,
           then stays quiet for 60 s (ignore) to avoid alert floods -->
      <rule id="100101" level="10" frequency="5" timeframe="60" ignore="60">
        <if_matched_sid>100100</if_matched_sid>
        <same_source_ip />
        <description>sshd: more than 5 authentication failures.</description>
        <group>authentication_failed,sshd</group>
      </rule>
    </group>

    These rules detect 5 failed SSH login attempts from the same IP within 60 seconds and trigger an alert (with 60 seconds of cooldown using ignore).

  2. Enable the firewall-drop command in your Wazuh Manager’s ossec.conf:

    <command>
      <name>firewall-drop</name>
      <executable>firewall-drop</executable>
      <timeout_allowed>yes</timeout_allowed>
    </command>

  3. Ensure the file /var/ossec/active-response/bin/firewall-drop exists and is executable (chmod +x).

  4. Configure the active response for the custom rule ID:

    <active-response>
      <command>firewall-drop</command>
      <location>local</location>
      <rules_id>100101</rules_id>
    </active-response>

  5. Restart the Wazuh Manager to apply the changes:
    sudo systemctl restart wazuh-manager

  6. Generate failed SSH login attempts from a test machine. Example logs collected in /var/log/auth.log:

    sshd[541802]: Failed password for esilva from 192.168.122.209 port 36920 ssh2
    sshd[541802]: Failed password for esilva from 192.168.122.209 port 36920 ssh2 
    ....
    ....
    sshd[542335]: Failed password for esilva from 192.168.122.209 port 55022 ssh2

  7. After 5 failed attempts, Wazuh triggered the active response and executed the iptables DROP command automatically on the local host:

    sudo iptables -L -n | grep DROP
    DROP all -- 192.168.122.209 0.0.0.0/0


This confirms the setup is working as intended: detection + correlation + mitigation.

I hope this helps you implement the feature successfully.
Feel free to reach out if you have any questions or need further guidance.
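To make the correlation in the two rules above concrete, here is an added example (my own illustration, not code from this thread or from Wazuh) that replays a constructed auth.log excerpt through the same logic: a line-level match standing in for rule 100100, and a per-source sliding window standing in for rule 100101's frequency="5" timeframe="60" ignore="60" with <same_source_ip/>. The sample log, host names, PIDs and IPs are constructed; modelling ignore as a per-source cooldown and clearing the window when the rule fires are simplifying assumptions, not Wazuh's exact bookkeeping.

```python
"""Added illustration (not Wazuh code): how a frequency/timeframe/ignore rule with
<same_source_ip/> correlates sshd failures into one "block this IP" decision."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed auth.log excerpt. Host names, PIDs and user names are made up; the
# addresses are from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24.
SAMPLE_AUTH_LOG = """\
May 21 20:53:38 host1 sshd[1001]: Failed password for esilva from 203.0.113.7 port 46380 ssh2
May 21 20:53:39 host1 sshd[1001]: Failed password for esilva from 203.0.113.7 port 46380 ssh2
May 21 20:53:40 host1 sshd[1002]: Accepted password for esilva from 198.51.100.9 port 50001 ssh2
May 21 20:53:44 host1 sshd[1001]: Failed password for esilva from 203.0.113.7 port 46380 ssh2
May 21 20:53:51 host1 sshd[1003]: Failed password for invalid user admin from 198.51.100.9 port 50100 ssh2
May 21 20:53:53 host1 sshd[1004]: Failed password for esilva from 203.0.113.7 port 57018 ssh2
May 21 20:53:58 host1 sshd[1004]: Failed password for esilva from 203.0.113.7 port 57018 ssh2
May 21 20:54:06 host1 sshd[1005]: Failed password for esilva from 203.0.113.7 port 59614 ssh2
May 21 20:54:07 host1 sshd[1005]: Failed password for esilva from 203.0.113.7 port 59614 ssh2
May 21 20:54:08 host1 sshd[1005]: Failed password for esilva from 203.0.113.7 port 59614 ssh2
May 21 20:54:09 host1 sshd[1005]: Failed password for esilva from 203.0.113.7 port 59614 ssh2
May 21 20:54:10 host1 sshd[1005]: Failed password for esilva from 203.0.113.7 port 59614 ssh2
May 21 20:54:12 host1 sshd[1006]: Failed password for invalid user admin from 198.51.100.9 port 50101 ssh2
May 21 20:55:30 host1 sshd[1007]: Failed password for root from 203.0.113.7 port 60001 ssh2
May 21 20:55:31 host1 sshd[1007]: Failed password for root from 203.0.113.7 port 60001 ssh2
May 21 20:55:32 host1 sshd[1007]: Failed password for root from 203.0.113.7 port 60001 ssh2
May 21 20:55:33 host1 sshd[1007]: Failed password for root from 203.0.113.7 port 60001 ssh2
May 21 20:55:34 host1 sshd[1007]: Failed password for root from 203.0.113.7 port 60001 ssh2
"""

# Same condition as <match>Failed password</match> under the sshd decoder, plus the
# fields the decoder extracts (dstuser, srcip) that the frequency rule keys on.
SSHD_FAILED = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<srcip>\S+) port \d+ ssh2$"
)


def parse_sshd_failure(line, year=2025):
    """Return {ts, user, srcip} for a 'Failed password' line (rule 100100), else None."""
    m = SSHD_FAILED.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "user": m.group("user"), "srcip": m.group("srcip")}


class FrequencyRule:
    """Models <rule frequency=N timeframe=T ignore=I> with <same_source_ip/> (rule 100101).

    Assumptions: 'ignore' is a per-source cooldown after firing, and the window is
    cleared once the rule fires. Wazuh's own bookkeeping is not reproduced here."""

    def __init__(self, frequency=5, timeframe=60, ignore=60):
        self.frequency, self.timeframe, self.ignore = frequency, timeframe, ignore
        self.windows = defaultdict(deque)   # srcip -> timestamps of recent 100100 matches
        self.ignored_until = {}             # srcip -> end of the cooldown
        self.suppressed = 0                 # would have fired, but inside 'ignore'

    def feed(self, event):
        """Feed one rule-100100 match; return True when rule 100101 fires for that srcip."""
        ip, ts = event["srcip"], event["ts"]
        win = self.windows[ip]
        win.append(ts)
        while (ts - win[0]).total_seconds() > self.timeframe:  # slide the timeframe
            win.popleft()
        if len(win) < self.frequency:
            return False
        if ts < self.ignored_until.get(ip, datetime.min):
            self.suppressed += 1
            return False
        win.clear()
        self.ignored_until[ip] = ts + timedelta(seconds=self.ignore)
        return True


def run_detection(auth_log, **rule_args):
    """Replay a log excerpt; return the (srcip, time) pairs that would reach firewall-drop."""
    rule = FrequencyRule(**rule_args)
    fired = []
    for line in auth_log.splitlines():
        ev = parse_sshd_failure(line)
        if ev is None:
            continue
        if rule.feed(ev):
            fired.append((ev["srcip"], ev["ts"].isoformat(sep=" ")))
    return {"fired": fired, "suppressed": rule.suppressed}


if __name__ == "__main__":
    for ip, when in run_detection(SAMPLE_AUTH_LOG)["fired"]:
        print(f"{when}: rule 100101 fires, firewall-drop would block {ip}")
```

Run as a script, it reports the two firings for 203.0.113.7 (at 20:53:58 and 20:55:34); the five failures at 20:54:06-20:54:10 land inside the 60-second ignore window and are counted as suppressed, which is the cooldown the reply describes, and 198.51.100.9 never reaches the threshold.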


Lucas Veríssimo

May 20, 2025, 7:46:22 AM
to Wazuh | Mailing List
Thank you very much, Jorge Eduardo, it worked the way I wanted.
While I'm at it, could Wazuh itself unblock, after 1 hour for example, the same IPs it blocked in this action?
And also make a chart showing the IPs that are being blocked and another chart with the IPs that are being unblocked?

Jorge Eduardo Silva Jackson

May 22, 2025, 2:19:31 AM
to Wazuh | Mailing List
Hi Lucas,

Thank you for your message — I’m really glad to hear it worked as expected!

Just a quick note: while I understand Portuguese, all communication in the Wazuh Community must be in English, as per our contribution guidelines. This helps ensure everyone on the team and community can follow along and assist when needed.

Thanks for your understanding.

Now, to confirm your questions:

1. You're asking if Wazuh can automatically unblock the same IP addresses it blocks (e.g., after 1 hour).
2. You're also asking if it's possible to generate a graph that shows which IPs are being blocked and another for unblocked IPs.

Let me address both points below.

1. Yes, Wazuh can automatically unblock IPs after a set amount of time using the `timeout` option in the <active-response> configuration.

Here’s how to configure it in your `ossec.conf` (on the Manager):

<active-response>
  <command>firewall-drop</command>
  <!-- --- previous code --- -->
  <timeout>3600</timeout> <!-- 3600 seconds = 1 hour -->
</active-response>

Wazuh will internally track the IPs it has blocked and automatically run the firewall-drop undo script to remove the corresponding iptables rule after 1 hour (30 seconds in my test).


ADD iptables block rule log:
"full_log": "2025/05/21 14:54:10 active-response/bin/firewall-drop: {\"version\":1,\"origin\":{\"name\":\"node01\",\"module\":\"wazuh-execd\"},\"command\":\"add\",\"parameters\":{\"extra_args\":[],\"alert\":{\"timestamp\":\"2025-05-21T20:54:10.922+0000\",\"rule\":{\"level\":10,\"description\":\"sshd: more than 5 authentication failures.\",\"id\":\"100101\",\"frequency\":8,\"firedtimes\":1,\"mail\":false,\"groups\":[\"local\",\"syslog\",\"sshd\",\"authentication_failed\",\"sshd\"]},\"agent\":{\"id\":\"001\",\"name\":\"WS-UY-PC001\",\"ip\":\"172.18.0.1\"},\"manager\":{\"name\":\"wazuh.manager\"},\"id\":\"1747860850.917610\",\"previous_output\":\"May 21 20:54:06 WS-UY-PC001 sshd[364447]: Failed password for esilva from 192.168.122.209 port 59614 ssh2\\nMay 21 20:53:58 WS-UY-PC001 sshd[364194]: Failed password for esilva from 192.168.122.209 port 57018 ssh2\\nMay 21 20:53:53 WS-UY-PC001 sshd[364194]: Failed password for esilva from 192.168.122.209 port 57018 ssh2\\nMay 21 20:53:51 WS-UY-PC001 sshd[364194]: Failed password for esilva from 192.168.122.209 port 57018 ssh2\\nMay 21 20:53:44 WS-UY-PC001 sshd[363823]: Failed password for esilva from 192.168.122.209 port 46380 ssh2\\nMay 21 20:53:39 WS-UY-PC001 sshd[363823]: Failed password for esilva from 192.168.122.209 port 46380 ssh2\\nMay 21 20:53:38 WS-UY-PC001 sshd[363823]: Failed password for esilva from 192.168.122.209 port 46380 ssh2\",\"full_log\":\"May 21 20:54:10 WS-UY-PC001 sshd[364447]: Failed password for esilva from 192.168.122.209 port 59614 ssh2\",\"predecoder\":{\"program_name\":\"sshd\",\"timestamp\":\"May 21 20:54:10\",\"hostname\":\"WS-UY-PC001\"},\"decoder\":{\"parent\":\"sshd\",\"name\":\"sshd\"},\"data\":{\"srcip\":\"192.168.122.209\",\"srcport\":\"59614\",\"dstuser\":\"esilva\"},\"location\":\"journald\"},\"program\":\"active-response/bin/firewall-drop\"}}",


DELETE iptables block rule log:
"full_log": "2025/05/21 14:54:41 active-response/bin/firewall-drop: {\"version\":1,\"origin\":{\"name\":\"node01\",\"module\":\"wazuh-execd\"},\"command\":\"delete\",\"parameters\":{\"extra_args\":[],\"alert\":{\"timestamp\":\"2025-05-21T20:54:10.922+0000\",\"rule\":{\"level\":10,\"description\":\"sshd: more than 5 authentication failures.\",\"id\":\"100101\",\"frequency\":8,\"firedtimes\":1,\"mail\":false,\"groups\":[\"local\",\"syslog\",\"sshd\",\"authentication_failed\",\"sshd\"]},\"agent\":{\"id\":\"001\",\"name\":\"WS-UY-PC001\",\"ip\":\"172.18.0.1\"},\"manager\":{\"name\":\"wazuh.manager\"},\"id\":\"1747860850.917610\",\"previous_output\":\"May 21 20:54:06 WS-UY-PC001 sshd[364447]: Failed password for esilva from 192.168.122.209 port 59614 ssh2\\nMay 21 20:53:58 WS-UY-PC001 sshd[364194]: Failed password for esilva from 192.168.122.209 port 57018 ssh2\\nMay 21 20:53:53 WS-UY-PC001 sshd[364194]: Failed password for esilva from 192.168.122.209 port 57018 ssh2\\nMay 21 20:53:51 WS-UY-PC001 sshd[364194]: Failed password for esilva from 192.168.122.209 port 57018 ssh2\\nMay 21 20:53:44 WS-UY-PC001 sshd[363823]: Failed password for esilva from 192.168.122.209 port 46380 ssh2\\nMay 21 20:53:39 WS-UY-PC001 sshd[363823]: Failed password for esilva from 192.168.122.209 port 46380 ssh2\\nMay 21 20:53:38 WS-UY-PC001 sshd[363823]: Failed password for esilva from 192.168.122.209 port 46380 ssh2\",\"full_log\":\"May 21 20:54:10 WS-UY-PC001 sshd[364447]: Failed password for esilva from 192.168.122.209 port 59614 ssh2\",\"predecoder\":{\"program_name\":\"sshd\",\"timestamp\":\"May 21 20:54:10\",\"hostname\":\"WS-UY-PC001\"},\"decoder\":{\"parent\":\"sshd\",\"name\":\"sshd\"},\"data\":{\"srcip\":\"192.168.122.209\",\"srcport\":\"59614\",\"dstuser\":\"esilva\"},\"location\":\"journald\"},\"program\":\"active-response/bin/firewall-drop\"}}",


2. About building dashboards for blocked and unblocked IPs:

I’m afraid that falls outside my current scope and the original topic of this thread.
To make sure your request gets the right attention, I kindly invite you to open a new thread specifically for that topic. The team will be happy to assist you as soon as possible.

Thanks again for your kind message and engagement.

Best regards.
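As an added example for the timeout behaviour (my own illustration, not Wazuh's firewall-drop script): the two full_log entries above show that wazuh-execd hands the script a JSON message whose command is add on the alert and delete when the timeout expires, with the address in parameters.alert.data.srcip. The code below parses lines of that shape into a block/unblock ledger with the time each block lasted, which is also the raw material for the counts the dashboard question asks about. The sample lines and alert ids are constructed (30 s between add and delete, as in the reply's test), and pairing a delete with its add by (srcip, alert id) is this example's choice, not execd's documented bookkeeping.

```python
"""Added illustration (not Wazuh code): reading the JSON that wazuh-execd hands to an
active-response script, to audit which IPs firewall-drop added (block) and later
deleted (unblock after <timeout>)."""
import json
import re
from datetime import datetime

# One active-response log line: "<date> <script>: <json>", the shape shown in the thread.
AR_LINE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (?P<script>\S+): (?P<json>\{.*\})$"
)


def _ar_message(ts, command, srcip, alert_id):
    """Build a constructed line with the structure of the thread's full_log entries.
    Only the fields this example reads are kept; the alert ids are made up."""
    msg = {
        "version": 1,
        "origin": {"name": "node01", "module": "wazuh-execd"},
        "command": command,  # "add" on the alert, "delete" when the timeout expires
        "parameters": {
            "extra_args": [],
            "alert": {
                "rule": {"level": 10, "id": "100101",
                         "description": "sshd: more than 5 authentication failures."},
                "id": alert_id,
                "data": {"srcip": srcip},
            },
            "program": "active-response/bin/firewall-drop",
        },
    }
    return f"{ts} active-response/bin/firewall-drop: {json.dumps(msg, separators=(',', ':'))}"


# Constructed sample: one block that is undone 30 s later, one still in force,
# and one truncated message that must be skipped rather than crash the audit.
SAMPLE_AR_LOG = [
    _ar_message("2025/05/21 14:54:10", "add", "203.0.113.7", "1700000000.100"),
    _ar_message("2025/05/21 14:54:40", "delete", "203.0.113.7", "1700000000.100"),
    _ar_message("2025/05/21 15:00:00", "add", "198.51.100.9", "1700000300.200"),
    '2025/05/21 15:00:01 active-response/bin/firewall-drop: {"command":"add"}',
]


def parse_ar_line(line):
    """Extract the fields a firewall-drop style script needs; None if the line is unusable."""
    m = AR_LINE.match(line)
    if not m:
        return None
    try:
        msg = json.loads(m.group("json"))
        alert = msg["parameters"]["alert"]
        return {
            "ts": datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S"),
            "script": m.group("script"),
            "command": msg["command"],
            "alert_id": alert["id"],
            "rule_id": alert["rule"]["id"],
            "srcip": alert["data"]["srcip"],
        }
    except (ValueError, KeyError, TypeError):  # malformed or incomplete payload
        return None


def build_ledger(lines):
    """Pair add/delete commands per (srcip, alert id); return the ledger and open blocks."""
    open_blocks, ledger = {}, []
    for line in lines:
        ev = parse_ar_line(line)
        if ev is None or not ev["script"].endswith("firewall-drop"):
            continue
        key = (ev["srcip"], ev["alert_id"])
        if ev["command"] == "add":
            open_blocks[key] = ev["ts"]
            ledger.append({"srcip": ev["srcip"], "action": "block", "at": ev["ts"],
                           "rule_id": ev["rule_id"]})
        elif ev["command"] == "delete":
            started = open_blocks.pop(key, None)  # None if we never saw the add
            ledger.append({"srcip": ev["srcip"], "action": "unblock", "at": ev["ts"],
                           "blocked_for": (ev["ts"] - started).total_seconds() if started else None})
    return {"ledger": ledger, "still_blocked": sorted({ip for ip, _ in open_blocks})}


if __name__ == "__main__":
    result = build_ledger(SAMPLE_AR_LOG)
    for entry in result["ledger"]:
        print(entry["at"], entry["action"], entry["srcip"], entry.get("blocked_for", ""))
    print("still blocked:", result["still_blocked"])
```

Counting the block and unblock entries per time bucket gives exactly the two series the earlier message asked to chart; a real firewall-drop script reads one such JSON message from stdin and only needs the command and srcip fields that parse_ar_line pulls out.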