How to block severity 5 incidents?

  • pwill
    Junior Member
    Forum Explorer
    • Mar 2021
    • 24

    #1

    I'm testing Imunify360 and note that it disables and replaces fail2ban. I like the herd immunity concept but am troubled by repeated login attempts with false usernames not getting added to the grey list. These incidents are listed with a severity level of 5.
    I appreciate you are much smarter at detecting malicious actors than fail2ban, but still I would be happier if I could add these to the grey list, just as fail2ban would block them. My previous fail2ban setup would have locked these out.

    I have changed the Imunify360 config file to include:
    MOD_SEC_BLOCK_BY_SEVERITY:
      check_period: 630
      denied_num_limit: 2
      enable: true
      max_incidents: 2
      severity_limit: 5

    However, incidents with more than 2 attempts within the check period are still not being grey listed.
    Have I misunderstood the meaning of these variables?
    Is this not possible in Imunify360?

    Thank you in advance