I'm using the 0.9.1-a or whatever the latest version was a day or 2 ago.
I see no mail stuff in /var/ossec/logs/ossec.log, but I see:
2006/09/07 15:41:04 ossec-remoted(1501): No IP or network allowed in the access list for syslog. No reason for running it. Exiting.
2006/09/07 15:41:04 ossec-remoted: Started (pid: 71424).
2006/09/07 15:41:04 ossec-remoted: Assigning counter for agent firewall: '0:7238'.
2006/09/07 15:41:04 ossec-remoted: Assigning sender counter: 0:536
2006/09/07 15:41:04 ossec-analysisd: White listing IP: '127.0.0.1'
2006/09/07 15:41:04 ossec-analysisd: White listing IP: '192.168.1.1'
2006/09/07 15:41:04 ossec-analysisd: White listing IP: '192.168.1.2'
2006/09/07 15:41:04 ossec-analysisd: 3 IPs in the white list for active response
Now: this is a configuration generated from the install... it "should"
have included an ACL entry to permit the syslog traffic. Note I
white-list the applicable IPs. At the moment, only 192.168.1.1 should
be doing remote syslog. Syslog is properly configured on the internal
box to permit this.
Where in the config can I correct this? This may also be connected to
the client.keys problem I described earlier.
These are being logged to /var/log/maillog.
A couple of log samples...
Your standard botnet SMTP flooding:
Sep 7 01:20:46 mail sm-mta[62946]: ruleset=check_relay, arg1=h188.175.141.67.ip.alltel.net, arg2=67.141.175.188, relay=h188.175.141.67.ip.alltel.net [67.141.175.188], reject=421 4.3.2 Connection rate limit exceeded.
My private ACL from /etc/mail/access:
Sep 7 05:40:15 mail sm-mta[64376]: ruleset=check_relay, arg1=adsl196-97-91-206-196.adsl196-3.iam.net.ma, arg2=196.206.91.97, relay=adsl196-97-91-206-196.adsl196-3.iam.net.ma [196.206.91.97], reject=553 5.3.0 196.206.91 Rejected due to abuse - see http://dnsbl.sorbs.net.10102005
Spamassassin blocks - maybe need to be handled more carefully:
Sep 7 02:43:30 mail sm-mta[63495]: k876hJS0063495: Milter: data, reject=550 5.7.1 Blocked by SpamAssassin
A typical RBL rejection from sendmail. The latter part is variable,
depending upon the RBL being used, all configurable in the sendmail.mc
file:
Sep 7 04:31:10 mail sm-mta[64143]: ruleset=check_relay, arg1=60-240-56-231.tpgi.com.au, arg2=127.0.0.3, relay=60-240-56-231.tpgi.com.au [60.240.56.231], reject=553 5.3.0 Message from 60.240.56.231 blocked - see http://dynablock.njabl.org/
Now: in the alerts.log, I do see:
Rejection:
** Alert 1157606440.387:
2006 Sep 07 01:20:40 mail->/var/log/messages
Rule: 3107 (level 4) -> 'Sendmail rejected message.'
Src IP: 67.141.175.188
User: (none)
sm-mta[62943]: ruleset=check_relay, arg1=h188.175.141.67.ip.alltel.net, arg2=127.0.0.10, relay=h188.175.141.67.ip.alltel.net [67.141.175.188], reject=553 5.3.0 Message from 67.141.175.188 blocked - see http://dnsbl.sorbs.net
Rejection based on /etc/mail/access:
** Alert 1157606492.1885:
2006 Sep 07 01:21:32 mail->/var/log/messages
Rule: 3107 (level 4) -> 'Sendmail rejected message.'
Src IP: 72.72.77.224
User: (none)
sm-mta[62992]: k875LOZq062992: ruleset=check_mail, arg1=<demultiplex.almond@xxxxxxxxxxxxxxx>, relay=static-72-72-77-224.bstnma.east.verizon.net [72.72.77.224], reject=553 5.3.0 <demultiplex.almond@xxxxxxxxxxxxxxx>... Rejected due to abuse - see http://dnsbl.sorbs.net.
Rejection based on RBL check:
** Alert 1157614234.4959:
2006 Sep 07 03:30:34 mail->/var/log/messages
Rule: 3107 (level 4) -> 'Sendmail rejected message.'
Src IP: 67.177.205.115
User: (none)
sm-mta[63921]: ruleset=check_relay, arg1=c-67-177-205-115.hsd1.co.comcast.net, arg2=127.0.0.10, relay=c-67-177-205-115.hsd1.co.comcast.net [67.177.205.115], reject=553 5.3.0 Message from 67.177.205.115 blocked - see http://dnsbl.sorbs.net
It doesn't really yet differentiate between the types of rejections,
which I will need for this setup. A general sendmail reject isn't
enough - it needs to know about it, in order to take the proper action:
It is not detecting the "Connection rate exceeded" error, which
hopefully my hacky rule will pick up on - for those, I want an outright
firewall block. I already have some tables in PF that I use:
spammers (deny only port 25)
abuse (deny all)
geoip (deny only port 25)
Someone said they had, or were working on, a proper PF firewall_deny.sh
script for OSSEC...?
Checking the active-response directory, I see the incorrect script is
installed:
#!/bin/sh
# Adds an IP to the iptables drop list (if linux)
# Adds an IP to the ipfilter drop list (if solaris, freebsd or netbsd)
# Adds an IP to the ipsec drop list (if aix)
# Requirements: Linux with iptables, Solaris/FreeBSD/NetBSD with ipfilter or AIX with IPSec
# Expect: srcip
# Author: Ahmet Ozturk (ipfilter and IPSec)
# Author: Daniel B. Cid (iptables)
# Last modified: Feb 14, 2006
FreeBSD-6.1 runs "PF" by default (or "IPFW").
Surely I may have missed a couple of things here as I'm new to OSSEC...
mea culpa ;-)
Thanks!
Forrest
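As an added example (not code from the thread, from OSSEC, or from Forrest), the kind of per-type handling he says he still needs: it tells the four sendmail rejection forms quoted above apart, pulls the relay IP out of the line, and counts same-IP hits against the frequency thresholds of the two proposed rules. Which class feeds which of the PF tables named above (abuse, spammers) is an assumption made here.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Sendmail reject classes seen in the thread; first match wins. Frequency mirrors the
# proposed rules (421 fires on 1 hit, 553 on 4 same-IP hits). PF table mapping is assumed.
REJECT_CLASSES = [
    ("rate_limit", re.compile(r"reject=421 4\.3\.2 Connection rate limit exceeded"), 1, "abuse"),
    ("rbl", re.compile(r"reject=553 5\.3\.0 Message from \S+ blocked"), 4, "spammers"),
    ("access_db", re.compile(r"reject=553 5\.3\.0 .*Rejected due to abuse"), 4, "spammers"),
    ("spamassassin", re.compile(r"reject=550 5\.7\.1 Blocked by SpamAssassin"), None, None),
]
IP_RE = re.compile(r"relay=\S*? ?\[(\d{1,3}(?:\.\d{1,3}){3})\]")  # "relay=host [ip]" or "relay=[ip]"
TS_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) ")

def classify(line):
    """Return (reject_class, src_ip) for a sendmail reject line, None for anything else."""
    for name, pat, _, _ in REJECT_CLASSES:
        if pat.search(line):
            m = IP_RE.search(line)
            return name, (m.group(1) if m else None)
    return None

class RejectTracker:
    # Per-(class, IP) hit counter with OSSEC-style frequency inside a timeframe (default 360 s).
    def __init__(self, timeframe=360):
        self.timeframe, self.hits = timeframe, defaultdict(deque)

    def feed(self, line):
        """Return {'ip', 'class', 'table'} when a block should fire for this line, else None."""
        hit = classify(line)
        if not hit or hit[1] is None:
            return None
        name, ip = hit
        freq, table = next((f, t) for n, _, f, t in REJECT_CLASSES if n == name)
        if freq is None:  # alert-only class (SpamAssassin): never block on it
            return None
        ts = datetime.strptime(TS_RE.match(line).group(1), "%b %d %H:%M:%S")  # year 1900; only deltas matter
        q = self.hits[(name, ip)]
        q.append(ts)
        while (ts - q[0]).total_seconds() > self.timeframe:  # drop hits that fell out of the window
            q.popleft()
        if len(q) >= freq:
            q.clear()  # one burst fires once, roughly what the rules' ignore="" attribute is for
            return {"ip": ip, "class": name, "table": table}
        return None

SAMPLE = [  # constructed sample input, modelled on the thread's rejoined log excerpts
    "Sep 7 01:20:46 mail sm-mta[62946]: ruleset=check_relay, arg1=h188.175.141.67.ip.alltel.net, "
    "arg2=67.141.175.188, relay=h188.175.141.67.ip.alltel.net [67.141.175.188], "
    "reject=421 4.3.2 Connection rate limit exceeded.",
    "Sep 7 02:43:30 mail sm-mta[63495]: k876hJS0063495: Milter: data, reject=550 5.7.1 Blocked by SpamAssassin",
]
```

Feeding SAMPLE through a RejectTracker fires an "abuse" block on the first 421 line and nothing for the SpamAssassin line; an active-response script would then add the returned ip to the returned PF table.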
Daniel Cid wrote:
We have rules for sendmail already that should match on them...
Where are these messages being logged? Is ossec reading this
file? If you look at the sendmail_rules.xml you will see lots of
rules for blocking spam, etc...
Can you show the output of:
-/var/ossec/logs/ossec.log
-The log that is generating these messages (and name of it).
-Output of /var/ossec/logs/alerts/alerts.log
*btw, which version are you using?
Daniel
On 9/7/06, Forrest Aldrich <forrie@xxxxxxxxxx> wrote:
OSSEC isn't getting these messages at all.
Though I may have made a mistake regarding the Connection throttle..
that probably isn't detected yet.
I'm making my first (lame) attempt at rules on the applicable server:
  <rule id="6000" level="10" frequency="1" ignore="4">
    <match>reject=421 4.3.2 Connection rate limit exceeded</match>
    <same_source_ip />
    <description>SMTP connection throttle; usually BOTNET activity.</description>
  </rule>
and for RBLs and /etc/mail/access matches:
  <rule id="6001" level="10" frequency="4" ignore="5">
    <match>reject=553 5.3.0</match>
    <!-- one regex with | alternatives: several <regex> tags are concatenated, not OR'd -->
    <regex>Message from.*blocked|Rejected due to abuse</regex>
    <same_source_ip />
    <description>Excessive general connections from RBL and access rejections</description>
  </rule>
Still working on it - constructive criticism/input appreciated ;-)
_F
Daniel Cid wrote:
> Hi Forrest,
>
> Ossec is alerting on these events, but not blocking the ips? Is that
> what is happening? Or ossec is not even getting these messages
> at all?
>
> Daniel
>
>
> On 9/7/06, Forrest Aldrich <forrie@xxxxxxxxxx> wrote:
>>
>> I installed the default OSSEC (server) on my internal mail system.
>>
>> Since then, it has not triggered any actions on the sendmail file - and
>> though I'm still trying to grok how OSSEC is working, the rules in
>> sendmail_rules.xml seem like they should be triggering several events.
>>
>> Namely:
>>
>> (annoying botnet flooding)
>>
>> reject=421 4.3.2 Connection rate limit exceeded.
>>
>> (rbl rejections)
>>
>> Sep 7 13:07:07 mail sm-mta[69281]: ruleset=check_relay, arg1=[60.55.8.6], arg2=127.0.0.7, relay=[60.55.8.6], reject=553 5.3.0 Message from 60.55.8.6 blocked - see http://dnsbl.sorbs.net
>>
>> I'm using sendmail - but it may be good to account for other MTAs like
>> Postfix eventually. The RBL reject message for sendmail can be easily
>> customized/tagged for identification by OSSEC if needed.
>>
>> In this case, I want to block these subnets on a permanent basis -
>> it's my private system, and I really don't care.
>>
>> Presently, I do this manually with the help of a couple of messy shell
>> scripts, but OSSEC could be doing this as an action.
>>
>> I'm on FreeBSD_6.1, btw... which really shouldn't matter.
>>
>>
>> Thanks.