A great example of a “slow” brute force attack #ossec

The last couple of days a lot of malicious servers got caught by my Ossec HIDS/IPS and have been send to my iptables jail. However, I’ve been seeing one host (185.93.185.239) evading my traps for days. It has been nocking on my door in a slow pace, slow enough not to trigger a brute force detection (causing six events in a small period of time).

So I changed the brute force detection window to 86400 seconds, to see if that helps.

The result:

image

He got caught and went to jail 🙂

iptables -L

image

Leave a Reply

Your email address will not be published. Required fields are marked *