[ossec-list] Re: vsftpd rule
Hi Daniel,
Great, it works.
So now I must look why!
Next I will change the "numbers" of attack in "time".
6 tries and 120 seconds is a long time.
> OSSEC HIDS Notification.
> 2006 Jun 07 00:26:33
>
> Received From: /var/log/vsftpd.log
> Rule: 3451 fired (level 10) -> "FTP brute force (multiple failed logins).'"
> Portion of the log(s):
>
> Wed Jun 7 00:26:32 2006 [pid 18764] [tsinternetusers] FAIL LOGIN: Client "218.188.12.18"
> Wed Jun 7 00:26:29 2006 [pid 18764] [tsinternetusers] FAIL LOGIN: Client "218.188.12.18"
> Wed Jun 7 00:26:27 2006 [pid 18764] [tsinternetusers] FAIL LOGIN: Client "218.188.12.18"
> Wed Jun 7 00:26:24 2006 [pid 18764] [tsinternetusers] FAIL LOGIN: Client "218.188.12.18"
> Wed Jun 7 00:26:21 2006 [pid 18764] [tsinternetusers] FAIL LOGIN: Client "218.188.12.18"
> Wed Jun 7 00:26:18 2006 [pid 18764] [tsinternetusers] FAIL LOGIN: Client "218.188.12.18"
> Wed Jun 7 00:26:15 2006 [pid 18764] [tsinternetusers] FAIL LOGIN: Client "218.188.12.18"
>
> --END OF NOTIFICATION
# ---- snipp /var/ossec/active-response/ossec-hids-responses.log
Wed Jun 7 00:26:33 CEST 2006 /var/ossec/active-response/bin/firewall-drop.sh add null 218.188.12.18
Wed Jun 7 00:26:33 CEST 2006 /var/ossec/active-response/bin/host-deny.sh add null 218.188.12.18
# ---
regards
Jochen
On 06.06.2006 at 22:07, Daniel Cid wrote:
> Hi Jorge and Joachim,
>
> Based on the logs you provided, I created some rules for vsftpd.
> They were working correctly on my testing environment...
>
> They are on the following package:
> http://www.ossec.net/files/ossec-hids-0.8-2.tar.gz
>
> Basically, the vsftpd rules will be handled by the vsftpd_rules.xml and
> the ones from pam_unix, by the file pam_rules_xml... Can you let
> me know if it is working or not? Also, make sure to add
> "<include>vsftpd_rules.xml</include>" to your ossec.conf
> (and also to configure ossec to read /var/logs/vsftpd.log).
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid @ ( at ) ossec.net
>
> On 6/3/06, Jorge Augusto Senger <jorge@xxxxxxxxxxx> wrote:
>> Daniel,
>>
>> I also need a vsftpd rule. I've tried to do it by myself, but the rules
>> don't work.
>> Here follows part of my conf files. Can you tell me, please, what did I
>> miss?
>>
>> Thanks,
>> Jorge
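
Added example, not part of the original thread and not OSSEC's own rule engine: a sliding-window counter over vsftpd.log lines in the format quoted above, showing how the two values discussed (number of failed logins, time window) change what raises an alert. The function names, parameters and sample lines (documentation-range IPs, made-up pid and user) are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# vsftpd.log failure line, in the format quoted in the notification above.
FAIL_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ [\d:]{8} \d{4}) \[pid \d+\] '
    r'\[[^\]]*\] FAIL LOGIN: Client "(?P<ip>[^"]+)"')

def detect(lines, max_failures=6, window_seconds=120):
    """Return (time, ip, count) whenever one client IP reaches
    max_failures failed logins inside window_seconds."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    alerts = []
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue              # successful logins and other lines
        ts = datetime.strptime(" ".join(m["ts"].split()),
                               "%a %b %d %H:%M:%S %Y")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= max_failures:
            alerts.append((ts, m["ip"], len(q)))
            q.clear()              # start counting again after an alert
    return alerts

def _line(ts, ip, event="FAIL LOGIN"):
    # Constructed sample line; user name and pid are made up.
    return (f'{ts:%a %b} {ts.day} {ts:%H:%M:%S %Y} [pid 4242] '
            f'[ftpuser] {event}: Client "{ip}"')

BASE = datetime(2006, 6, 7, 0, 26, 15)
SAMPLE = (
    # fast guesser: one failure every 3 seconds (constructed)
    [_line(BASE + timedelta(seconds=3 * i), "203.0.113.7") for i in range(7)]
    # slow guesser: one failure every 50 seconds (constructed)
    + [_line(BASE + timedelta(seconds=50 * i), "198.51.100.9") for i in range(6)]
    + [_line(BASE, "192.0.2.10", "OK LOGIN")]
)

if __name__ == "__main__":
    for n, secs in ((6, 120), (3, 30), (3, 120)):
        print(n, secs, [(t.strftime("%H:%M:%S"), ip) for t, ip, _ in detect(SAMPLE, n, secs)])
```

With 6 failures in 120 seconds only the fast client alerts; the client trying once every 50 seconds is caught only when the count is lowered while the window stays long.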