[ossec-list] Re: OSSEC and sshd(pam_unix)
Hi Kayvan,
These messages were supposed to be triggered. Do you have your pam_rules
included in ossec.conf?
The following rule would have matched (inside pam_rules.xml):
  <rule id="3503" level="5">
    <if_sid>3500</if_sid>
    <match>authentication failure; logname=</match>
    <group>authentication_failed</group>
    <description>User login failed.</description>
  </rule>
And this one for multiple failed logins:
  <rule id="3551" level="10" frequency="6" timeframe="120">
    <if_matched_sid>3503</if_matched_sid>
    <description>Multiple failed logins in a small period of time.</description>
  </rule>
The first one would not have triggered an active response, because
by default it only runs for levels >=6, but the second one would.
Thanks,
--
Daniel B. Cid
dcid @ ( at ) ossec.net
On 6/19/06, Kayvan A. Sylvan <kayvan@xxxxxxxxxx> wrote:
>
> Hi everyone,
>
> Over the weekend, OSSEC stopped a couple of brute force ssh attacks.
>
> That was great.
>
> But I noticed it did nothing about the following (which occurred a
> couple of times), which is from /var/log/messages. How do we
> get this sort of thing to trigger the active response scripts?
>
> Jun 17 21:00:53 somehost sshd(pam_unix)[892]: authentication failure;
> logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=www.evilhost.com
> user=root
> Jun 17 21:00:57 somehost sshd(pam_unix)[895]: authentication failure;
> logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=www.evilhost.com
> user=root
> Jun 17 21:01:00 somehost sshd(pam_unix)[897]: authentication failure;
> logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=www.evilhost.com
> user=root
> Jun 17 21:01:03 somehost sshd(pam_unix)[901]: authentication failure;
> logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=www.evilhost.com
> user=root
> Jun 17 21:01:05 somehost sshd(pam_unix)[903]: authentication failure;
> logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=www.evilhost.com
> user=root
> Jun 17 21:01:08 somehost sshd(pam_unix)[905]: authentication failure;
> logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=www.evilhost.com
> user=root
> Jun 17 21:01:11 somehost sshd(pam_unix)[908]: authentication failure;
> logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=www.evilhost.com
> user=root
> Jun 17 21:01:14 somehost sshd(pam_unix)[910]: authentication failure;
> logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=www.evilhost.com
> user=root
> Jun 17 21:01:17 somehost sshd(pam_unix)[912]: authentication failure;
> logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=www.evilhost.com
> user=root
> Jun 17 21:01:20 somehost sshd(pam_unix)[914]: authentication failure;
> logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=www.evilhost.com
> user=root
> Jun 17 21:01:23 somehost sshd(pam_unix)[916]: authentication failure;
> logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=www.evilhost.com
> user=root
> Jun 17 21:01:26 somehost sshd(pam_unix)[919]: authentication failure;
> logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=www.evilhost.com
> user=root
> Jun 17 21:01:29 somehost sshd(pam_unix)[921]: authentication failure;
> logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=www.evilhost.com
> user=root
> Jun 17 21:01:32 somehost sshd(pam_unix)[923]: authentication failure;
> logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=www.evilhost.com
> user=root
> Jun 17 21:01:35 somehost sshd(pam_unix)[925]: authentication failure;
> logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=www.evilhost.com
> user=root
> Jun 17 21:01:38 somehost sshd(pam_unix)[927]: authentication failure;
> logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=www.evilhost.com
> user=root
> Jun 17 21:01:41 somehost sshd(pam_unix)[930]: authentication failure;
> logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=www.evilhost.com
> user=root
> Jun 17 21:01:43 somehost sshd(pam_unix)[932]: authentication failure;
> logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=www.evilhost.com
> user=root
> Jun 17 21:01:46 somehost sshd(pam_unix)[934]: authentication failure;
> logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=www.evilhost.com
> user=root
> Jun 17 21:01:49 somehost sshd(pam_unix)[936]: authentication failure;
> logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=www.evilhost.com
> user=root
> Jun 17 21:01:52 somehost sshd(pam_unix)[939]: authentication failure;
> logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=www.evilhost.com
> user=root
> Jun 17 21:01:55 somehost sshd(pam_unix)[942]: authentication failure;
> logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=www.evilhost.com
> user=root
> Jun 17 21:01:58 somehost sshd(pam_unix)[944]: authentication failure;
> logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=www.evilhost.com
> user=root
> Jun 17 21:02:01 somehost sshd(pam_unix)[946]: authentication failure;
> logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=www.evilhost.com
> user=root
> Jun 17 21:02:04 somehost sshd(pam_unix)[948]: authentication failure;
> logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=www.evilhost.com
> user=root
> Jun 17 21:02:07 somehost sshd(pam_unix)[950]: authentication failure;
> logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=www.evilhost.com
> user=root
> Jun 17 21:02:10 somehost sshd(pam_unix)[953]: authentication failure;
> logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=www.evilhost.com
> user=root
> Jun 17 21:02:13 somehost sshd(pam_unix)[955]: authentication failure;
> logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=www.evilhost.com
> user=root
> Jun 17 21:02:16 somehost sshd(pam_unix)[957]: authentication failure;
> logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=www.evilhost.com
> user=root
> Jun 17 21:02:19 somehost sshd(pam_unix)[959]: authentication failure;
> logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=www.evilhost.com
> user=root
> Jun 17 21:02:22 somehost sshd(pam_unix)[961]: authentication failure;
> logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=www.evilhost.com
> user=root
> Jun 17 21:02:25 somehost sshd(pam_unix)[963]: authentication failure;
> logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=www.evilhost.com
> user=root
> Jun 17 22:04:39 somehost sshd(pam_unix)[1247]: session opened for user
> root by (uid=0)
>
> --
> Kayvan A. Sylvan | Proud husband of | Father to my kids:
> Sylvan Associates, Inc. | Laura Isabella Sylvan, | Katherine Yelena (8/8/89)
> http://sylvan.com/~kayvan | my beautiful Queen. | Robin Gregory (2/28/92)
>
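To make the interaction of the three rules in the reply concrete, here is a toy Python model of the matching chain (added example for this archive page, not OSSEC's own analysis engine or its XML rule parser). It assumes rule 3500 is the level-0 parent rule that claims pam_unix-decoded messages (the thread only shows 3503 and 3551), models frequency/timeframe as "at least 6 rule-3503 matches inside 120 seconds" (a simplification of how the real engine counts), uses the default active-response threshold of level 6 mentioned in the reply, and feeds it constructed log lines shaped like the ones in the quoted message (hostnames are placeholders).

```python
"""Toy model of OSSEC's pam_unix rule chain 3500 -> 3503 -> 3551 on sshd(pam_unix)
syslog lines. Added example; not OSSEC source code."""
import re
from collections import deque
from datetime import datetime, timedelta

# Rules as shown in the thread (pam_rules.xml), written out as dicts instead of XML.
# 3500 is assumed to be the level-0 parent rule for pam_unix messages.
RULES = {
    3500: {"level": 0, "decoded_as": "pam_unix"},
    3503: {"level": 5, "if_sid": 3500, "match": "authentication failure; logname="},
    3551: {"level": 10, "if_matched_sid": 3503, "frequency": 6, "timeframe": 120},
}
ACTIVE_RESPONSE_MIN_LEVEL = 6  # default active-response threshold named in the reply

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[: ]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)


def decode(line, year=2006):
    """Minimal syslog decoder (assumed year: syslog lines carry none). None if unparsable."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    prog = m["prog"]
    # OSSEC's pam_unix decoder claims programs such as "sshd(pam_unix)"; modelled as a substring test.
    decoder = "pam_unix" if "pam_unix" in prog else None
    return {"ts": ts, "host": m["host"], "prog": prog, "msg": m["msg"], "decoder": decoder}


class PamRuleEngine:
    def __init__(self, rules=RULES):
        self.rules = rules
        # Timestamps of recent 3503 matches. Rule 3551 has no <same_source_ip>,
        # so failures from every source host share one counter.
        self.recent_3503 = deque()

    def process(self, line):
        """Return (rule_id, level) for the alert a line raises, or None for no alert."""
        ev = decode(line)
        if ev is None or ev["decoder"] != self.rules[3500]["decoded_as"]:
            return None  # rule 3500 does not apply, so nothing below it can fire
        if self.rules[3503]["match"] not in ev["msg"]:
            return None  # only 3500 matched: level 0, no alert
        comp = self.rules[3551]
        window = timedelta(seconds=comp["timeframe"])
        self.recent_3503.append(ev["ts"])
        while ev["ts"] - self.recent_3503[0] > window:  # drop matches older than the timeframe
            self.recent_3503.popleft()
        if len(self.recent_3503) >= comp["frequency"]:
            self.recent_3503.clear()  # composite rule fired; count afresh
            return (3551, comp["level"])
        return (3503, self.rules[3503]["level"])


def run(lines):
    """Feed lines through the engine; returns (rule_id, level, active_response_would_fire)."""
    engine = PamRuleEngine()
    out = []
    for line in lines:
        alert = engine.process(line)
        if alert:
            rule_id, level = alert
            out.append((rule_id, level, level >= ACTIVE_RESPONSE_MIN_LEVEL))
    return out


def failure_line(hhmmss, pid, rhost="www.evilhost.com"):
    """Construct a line shaped like the thread's sshd(pam_unix) failures (placeholder hosts)."""
    return (f"Jun 17 {hhmmss} somehost sshd(pam_unix)[{pid}]: authentication failure; "
            f"logname= uid=0 euid=0 tty=NODEVssh ruser= rhost={rhost} user=root")


# Constructed sample: eight failures three seconds apart, one unrelated cron line,
# and a pam_unix "session opened" line that 3500 claims but 3503 does not match.
SAMPLE_LOG = (
    [failure_line(f"21:01:{s:02d}", 890 + 2 * i) for i, s in enumerate(range(0, 24, 3))]
    + ["Jun 17 21:01:30 somehost cron[123]: (root) CMD (run-parts /etc/cron.hourly)",
       "Jun 17 22:04:39 somehost sshd(pam_unix)[1247]: session opened for user root by (uid=0)"]
)

if __name__ == "__main__":
    for alert in run(SAMPLE_LOG):
        print(alert)
```

The first five failures raise rule 3503 at level 5, which stays under the active-response threshold; the sixth inside the 120-second window raises 3551 at level 10, which crosses it. Spreading the same eight failures more than two minutes apart never gets past 3503, which is the behaviour the timeframe attribute is for.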
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.