How to block severity 5 incidents?


  • How to block severity 5 incidents?

    I'm testing Imunify360 and note that it disables and replaces fail2ban. I like the herd immunity concept but am troubled by repeated login attempts with false usernames not getting added to the grey list. These incidents are listed with a severity level of 5.
    I appreciate you are much smarter at detecting malicious actors than fail2ban, but still I would be happier if I could add these to the grey list, just as fail2ban would block them. My previous fail2ban setup would have locked these out.

    I have changed the Imunify360 config file to include:
    MOD_SEC_BLOCK_BY_SEVERITY:
      check_period: 630
      denied_num_limit: 2
      enable: true
      max_incidents: 2
      severity_limit: 5

    However, incidents with more than 2 attempts within the check period are still not being grey listed.
    Have I misunderstood the meaning of these variables?
    Is this not possible in Imunify360?

    Thank you in advance