bookmark_borderBlocking repeated offenders with OSSEC

By default OSSEC has a static timeout on our active response scripts. You specify the action and how long to block the IP Address:

<active-response>
<command>host-deny</command>
<location>local</location>
<level>6</level>
<timeout>600</timeout>
</active-response>

Which works well for most of the time. However, if you need to increase the timeout for repeated offenders (say the same IP trying to brute force your server all the time), you would have to do this manually.

To solve this problem, we added a new option to the active response config (repeated_offenders):

<active-response>
<repeated_offenders>30,60,120</repeated_offenders>
</active-response>

It allows you to specify a comma separated list of timeouts per re-incidence (in minutes). So the first time an IP is blocked it would use the default timeframe (600 seconds). If it gets blocked again, it would use the first entry in the <repeated_offenders> list (30 minutes = 1800 seconds), then 60 minutes and then 120 minutes… Anything above that would use the latest entry.

To use this option, you have to download the latest snapshot from: http://bitbucket.org/dcid/ossec-hids (just click on get source).