Blocking repeated offenders with OSSEC

By default, OSSEC uses a static timeout for our active response scripts: you specify the action and how long to block the IP address:

<active-response>
<command>host-deny</command>
<location>local</location>
<level>6</level>
<timeout>600</timeout>
</active-response>

This works well most of the time. However, if you need a longer timeout for repeated offenders (say, the same IP trying to brute force your server over and over), you would have to adjust it manually.

To solve this problem, we added a new option to the active response config (repeated_offenders):

<active-response>
<repeated_offenders>30,60,120</repeated_offenders>
</active-response>

It lets you specify a comma-separated list of timeouts (in minutes), one per recurrence. So the first time an IP is blocked, the default timeout is used (600 seconds). If it gets blocked again, the first entry in the <repeated_offenders> list is used (30 minutes = 1800 seconds), then 60 minutes, then 120 minutes. Any further blocks use the last entry.
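The escalation described above, modelled as a small added example (not OSSEC's own code). The combined config fragment is constructed for the illustration, and the per-IP counter stands in for the state OSSEC keeps itself; the point is to show how the minute values map onto successive block timeouts, including the "stick to the last entry" case.

```python
import xml.etree.ElementTree as ET

# Constructed fragment combining the two snippets from the post (not a real ossec.conf).
OSSEC_CONF = """
<ossec_config>
  <active-response>
    <command>host-deny</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
    <repeated_offenders>30,60,120</repeated_offenders>
  </active-response>
</ossec_config>
"""


def parse_active_response(xml_text):
    """Return (default timeout in seconds, escalation timeouts in seconds)."""
    ar = ET.fromstring(xml_text).find("active-response")
    default = int(ar.findtext("timeout", "600"))
    raw = ar.findtext("repeated_offenders", "")
    # <timeout> is in seconds but <repeated_offenders> is in minutes; normalise to seconds.
    escalation = [int(v.strip()) * 60 for v in raw.split(",") if v.strip()]
    return default, escalation


class OffenderTracker:
    """Hypothetical helper: counts blocks per IP and picks the timeout for the next one."""

    def __init__(self, default, escalation):
        self.default = default
        self.escalation = escalation
        self.blocks = {}  # ip -> number of previous blocks

    def block(self, ip):
        """Record a block for `ip` and return the timeout (seconds) to apply."""
        prior = self.blocks.get(ip, 0)
        self.blocks[ip] = prior + 1
        if prior == 0 or not self.escalation:
            return self.default          # first offence: default <timeout>
        # 2nd block -> entry 0, 3rd -> entry 1, ...; beyond the list, reuse the last entry
        idx = min(prior - 1, len(self.escalation) - 1)
        return self.escalation[idx]
```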

To use this option, you have to download the latest snapshot from: http://bitbucket.org/dcid/ossec-hids (just click on get source).

This entry was posted in ossec, v2.6.

4 Responses to Blocking repeated offenders with OSSEC

  1. Chris says:

    Nice. I guess I’ll have to start using your snapshots. Thanks so much for your work.

  2. Mark says:

    Invaluable work Daniel – many thanks.

  3. Pingback: [SOLVED] OSSEC repeated offenders ignored

  4. http://www.mebsd.com/freebsd-security-hardening/solved-ossec-repeated-offenders-ignored.html

    Can the repeat offenders be set up for working on the ossec server where the agents obey the server settings so each agent configuration doesn’t have to be edited?
