CompTIA Server+ SK0-005 Practice Question
A Linux application server was recently configured with a host-based intrusion detection system (OSSEC/Wazuh). Since the change, nightly SCP backup jobs from three designated backup servers fail intermittently with a "Connection timed out" message. A review of the IDS logs on app01 shows repeated alerts such as:
** Alert 123456789.1234: - syslog,authentication_failed
2025-08-25 02:15:23 (app01) 192.168.50.10->sshd
Rule: 5716 (level 5) - "SSHD scan"
Src IP: 10.20.30.40
Immediately after each alert, active-responses.log records:
/var/ossec/active-response/bin/firewall-drop.sh add - 10.20.30.40 5716
The address 10.20.30.40 is one of the backup servers and uses SSH multiplexing to open many short-lived SCP sessions in parallel. The IDS active-response configuration currently contains:
<active-response>
<command>firewall-drop</command>
<location>local</location>
<rules_id>5712,5716</rules_id>
<timeout>900</timeout>
</active-response>
Which IDS configuration change will BEST allow the legitimate backup traffic to complete while still blocking real brute-force attacks?
Disable rule IDs 5712 and 5716 in the IDS ruleset.
Reduce the Active Response timeout value from 900 seconds to 60 seconds.
Increase the Linux MaxSessions directive in /etc/ssh/sshd_config from 10 to 50.
Add each backup server's IP address to the IDS <white_list> or <allow_list> directive so Active Response never blocks them.