Atomic Secure Linux
All times are UTC - 5 hours [ DST ]




Post subject: Re: block many checkmailpasswd attempts?
Posted: Tue Apr 19, 2011 4:38 am
Forum Regular
Set level 7 for rule 60903 and for rule 60910, frequency was set to 5 (timeframe left at 60). The IP addresses used were not found in the ossec active-responses.log. There were several more prolonged attempts overnight from 4 different IP addresses; none were blocked, and they all attempted more than 5 times in 60 seconds.
Can supply more specific log info if required.
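
One way to check the situation described in the post above (sources exceeding 5 failures in 60 seconds that never show up in active-responses.log), as an added example that is not part of the thread and not Atomicorp's or OSSEC's code. The log line layouts, the sample data and the function names are constructed assumptions; the threshold and window default to the values the post gives.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed (constructed) layouts: "<ISO time> ... LOGIN FAILED ... ip=[addr]"
# for the mail log and "... add - <addr> ..." for the active-response log.
FAILED = re.compile(r"^(\S+) .*LOGIN FAILED.*ip=\[([0-9A-Fa-f:.]+)\]")
BLOCKED = re.compile(r" add - (\S+) ")

def offenders(mail_log, threshold=5, window=60):
    """Map each IP to its peak failure count, for IPs that exceeded
    `threshold` failures inside any `window`-second span."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peak = {}
    for line in mail_log.splitlines():
        m = FAILED.match(line)
        if not m:
            continue
        ts, ip = datetime.fromisoformat(m.group(1)), m.group(2)
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() >= window:
            q.popleft()           # drop failures that fell out of the window
        if len(q) > threshold:
            peak[ip] = max(peak.get(ip, 0), len(q))
    return peak

def missed(mail_log, ar_log, **kw):
    """IPs over the threshold with no 'add' entry in the active-response log."""
    blocked = set(BLOCKED.findall(ar_log))
    return sorted(ip for ip in offenders(mail_log, **kw) if ip not in blocked)

def burst(ip, start, step, n):
    """Build n constructed failure lines for ip, `step` seconds apart."""
    t0 = datetime.fromisoformat(start)
    return [f"{(t0 + timedelta(seconds=i * step)).isoformat()} imapd: "
            f"LOGIN FAILED, user=info, ip=[{ip}]" for i in range(n)]

# Constructed sample data (documentation addresses), not taken from the thread.
SAMPLE_MAIL_LOG = "\n".join(
    burst("192.0.2.10", "2011-04-19T02:10:00", 10, 7)      # fast, never blocked
    + burst("198.51.100.7", "2011-04-19T02:30:00", 30, 6)  # slow, under threshold
    + burst("203.0.113.5", "2011-04-19T03:00:00", 5, 6))   # fast, blocked
SAMPLE_AR_LOG = ("Tue Apr 19 03:00:26 2011 firewall-drop.sh add - 203.0.113.5 "
                 "1303200026.1 60910\n")

if __name__ == "__main__":
    print("over threshold:", offenders(SAMPLE_MAIL_LOG))
    print("not blocked:   ", missed(SAMPLE_MAIL_LOG, SAMPLE_AR_LOG))
```

An address returned by `missed` is one the threshold logic should have caught but the active response never acted on, which is the evidence worth attaching to a support report.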


Post subject: Re: block many checkmailpasswd attempts?
Posted: Tue Apr 19, 2011 8:15 am
Atomicorp Staff - Site Admin
Yeah, that would be awesome, shoot it to support@atomicorp.com (or anything else like this) and I'll see what we can come up with.


Post subject: Re: block many checkmailpasswd attempts?
Posted: Tue May 31, 2011 3:44 am
Forum Regular
Hi, any update on rules to stop checkmailpasswd/LOGIN FAILED? Am manually adding IPs to blacklist, but attempts are filling up logs every other day as they are not detected.


Post subject: Re: block many checkmailpasswd attempts?
Posted: Tue May 31, 2011 9:18 am
Atomicorp Staff - Site Admin
Yes, it's implemented in the 3.0 branch now.


Post subject: Re: block many checkmailpasswd attempts?
Posted: Tue May 31, 2011 9:45 am
Forum Regular
Great! Thanks for update: 3.0 still in testing repo?


Post subject: Re: block many checkmailpasswd attempts?
Posted: Tue May 31, 2011 9:55 am
Atomicorp Staff - Site Admin
Yeah still in the testing repo, we're wrapping up on some rule management code right now.


Post subject: Re: block many checkmailpasswd attempts?
Posted: Tue May 31, 2011 1:24 pm
Atomicorp Staff - Site Admin
3.0 is actually pretty stable if you want to give it a try. We are running it on all our systems now.

It's still in testing because we are still adding/finishing up a whole new feature, the rule manager. You will be able to change all the rules from the GUI, their action, enable/disable (per vhost too), etc. The rule manager will expand in the 3.x tree as well.

But all the 2.x features work now in 3.x.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


Post subject: Re: block many checkmailpasswd attempts?
Posted: Fri Jun 24, 2011 2:20 pm
Forum User
Hello all,

have been following this thread closely.

Sorry if this seems a stupid question but after getting a constant spate of these checkmailpasswd attempts I would like to do something about this.

Can anyone give me simple pointers on how to create a rule to ban an IP that fails password say 3 times for a password?

This is from the person who just discovered that if you double click on some items you can get more information ;0)

Thanks


Post subject: Re: block many checkmailpasswd attempts?
Posted: Fri Jun 24, 2011 3:24 pm
Atomicorp Staff - Site Admin
Yeah, it's fully implemented in ASL 3.0 now. Release candidate should be out very soon.


Post subject: Re: block many checkmailpasswd attempts?
Posted: Fri Jun 24, 2011 3:26 pm
Forum User
scott wrote:
Yeah, it's fully implemented in ASL 3.0 now. Release candidate should be out very soon.


Ah good stuff, when you say release candidate - would this be suitable for putting on a production server?


Post subject: Re: block many checkmailpasswd attempts?
Posted: Fri Jun 24, 2011 4:20 pm
Atomicorp Staff - Site Admin
Yeah this is the last phase before it goes GA. A release candidate is generally something being evaluated for a final release as is.


Post subject: Re: block many checkmailpasswd attempts?
Posted: Fri Jun 24, 2011 4:29 pm
Forum User
scott wrote:
Yeah this is the last phase before it goes GA. A release candidate is generally something being evaluated for a final release as is.


Sounds good - sorry, not wanting to take this off topic, but in this new version will there be an option to ban anything that tries to connect as "UNKNOWN"?

I get this in my block list on occasion and I'm not sure if ASL is handling this or not as I don't think it can add "UNKNOWN" to the block list.

Sorry apologies if I am veering away from the beaten track ;0)


Post subject: Re: block many checkmailpasswd attempts?
Posted: Fri Jun 24, 2011 6:02 pm
Atomicorp Staff - Site Admin
Yes it should, but if it doesn't there is now a "Report False Negative" button that sends us exactly what we need to craft a rule update. What I do is search for all the 1002 event ids (this is a generic rule that catches things like failure, or unknown) and report those. This is just like the report false positive system we use for the WAF, but expanded to let you report the anomalies to us for rule updates.


Post subject: Re: block many checkmailpasswd attempts?
Posted: Fri Jun 24, 2011 6:06 pm
Forum User
scott wrote:
Yes it should, but if it doesn't there is now a "Report False Negative" button that sends us exactly what we need to craft a rule update. What I do is search for all the 1002 event ids (this is a generic rule that catches things like failure, or unknown) and report those. This is just like the report false positive system we use for the WAF, but expanded to let you report the anomalies to us for rule updates.


Right, that sounds very useful indeed - I presume someone / thing connecting as UNKNOWN should be blocked off?

This new release is sounding good - anything I can just install and set is fine by me - takes a lot of the hassle away by an infinite amount!!

Cheers Scott looking forward to the new release!!


Post subject: Re: block many checkmailpasswd attempts?
Posted: Sat Jun 25, 2011 10:42 am
Atomicorp Staff - Site Admin
Yup, and if it doesn't, hit that Report False Negative button and we'll have an update out probably the same day.

