
[ossec-list] Re: SSH brute force and firewall drop.



Hi Fletch,

Which operating system are you using? The logs are not in the format OSSEC
expects, so it is not parsing them correctly.

They start with the date/time, followed by the program name (with the
unusual brackets around it):

Jul 16 21:37:18 [sshd(pam_unix)] authentication failure; logname=
uid=0 euid=0 tty=ssh ruser= rhost=remoteIP
Jul 16 21:37:16 [sshd] error: PAM: Authentication failure for illegal
user fred from  remoteIP


OSSEC expects the date/time, followed by the hostname, followed by the
program name without brackets (normal syslog message):
Dec 13 09:19:09 hostname sshd(pam_unix)


We would need to change some of the decoders to support this format...


Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net



On 7/16/07, Fletch Hasues <hasues@xxxxxxxxx> wrote:
> Greetings,
>   I am trying to configure a host to prevent access via firewall drop by
> using the rules that I see firing, and lately those are of multiple
> authentication failures.  So far, I have not been able to get active
> response to make use of the firewall-drop.sh script to block access.  If I
> try to log in as a nonexistent user, I see the logs noting that this is
> happening, and it does send out e-mail, but the active-response fails to
> firewall the IP.
>
>  Received From: myhost->/var/log/everything/current
> Rule: 40111 fired (level 10) -> "Multiple authentication failures."
> Portion of the log(s):
>
>  Jul 16 21:37:18 [sshd(pam_unix)] authentication failure; logname= uid=0
> euid=0 tty=ssh ruser= rhost=remoteIP
> Jul 16 21:37:16 [sshd] error: PAM: Authentication failure for illegal user
> fred from  remoteIP
> Jul 16 21:37:14 [sshd(pam_unix)] authentication failure; logname= uid=0
> euid=0 tty=ssh ruser= rhost= remoteIP
> Jul 16 21:37:10 [sshd] error: PAM: Authentication failure for illegal user
> fred from remoteIP
>
>
> My ossec.conf file appears as:
>
>  <ossec_config>
>   <global>
>     <email_notification>yes</email_notification>
>     <email_to>myemail</email_to>
>     <!-- NOTE(review): the next line is not well-formed XML (the opening tag
>        - is never closed); presumably a paste error for
>        - <smtp_server>mysmtp</smtp_server>. Confirm against the file on disk,
>        - as a strict XML parser would reject the file as quoted here. -->
>     <smtp_servermysmtp</smtp_server>
>     <!-- NOTE(review): leading space inside the address; verify it is trimmed. -->
>     <email_from> ossecm@myhost</email_from>
>   </global>
>
>   <rules>
>     <include>rules_config.xml</include>
>     <include>pam_rules.xml</include>
>     <include>sshd_rules.xml</include>
>     <include>telnetd_rules.xml</include>
>     <include>syslog_rules.xml</include>
>     <include>arpwatch_rules.xml</include>
>     <include>symantec-av_rules.xml</include>
>     <include>pix_rules.xml</include>
>     <include>named_rules.xml</include>
>     <include>smbd_rules.xml</include>
>     <include>vsftpd_rules.xml</include>
>     <include>pure-ftpd_rules.xml</include>
>     <include>proftpd_rules.xml</include>
>     <include>ms_ftpd_rules.xml</include>
>     <include>hordeimp_rules.xml</include>
>     <include>vpopmail_rules.xml</include>
>     <include>web_rules.xml</include>
>     <include>apache_rules.xml</include>
>     <include>ids_rules.xml</include>
>     <include>squid_rules.xml</include>
>     <include>firewall_rules.xml</include>
>     <include>netscreenfw_rules.xml</include>
>     <include>postfix_rules.xml</include>
>     <include>sendmail_rules.xml</include>
>     <include>imapd_rules.xml</include>
>     <include>mailscanner_rules.xml</include>
>     <include>ms-exchange_rules.xml</include>
>     <include>racoon_rules.xml</include>
>     <include>vpn_concentrator_rules.xml</include>
>     <include>spamd_rules.xml</include>
>     <include>msauth_rules.xml</include>
>     <!-- <include>policy_rules.xml</include> -->
>     <include>attack_rules.xml</include>
>     <include>zeus_rules.xml</include>
>     <include>ossec_rules.xml</include>
>     <include>local_rules.xml</include>
>   </rules>
>
>   <syscheck>
>     <!-- Frequency that syscheck is executed - default to every 6 hours -->
>     <frequency>21600</frequency>
>
>     <!-- Directories to check  (perform all possible verifications) -->
>     <!-- NOTE(review): the next element is split across two lines, presumably
>        - by mail wrapping; a newline between the element name and its
>        - attribute is still well-formed XML. -->
>     <directories
> check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
>     <directories check_all="yes">/bin,/sbin</directories>
>
>     <!-- Files/directories to ignore -->
>     <ignore>/etc/mtab</ignore>
>     <ignore>/etc/mnttab</ignore>
>     <ignore>/etc/hosts.deny</ignore>
>     <ignore>/etc/mail/statistics</ignore>
>     <ignore>/etc/random-seed</ignore>
>     <ignore>/etc/adjtime</ignore>
>     <ignore>/etc/httpd/logs</ignore>
>     <ignore>/etc/utmpx</ignore>
>     <ignore>/etc/wtmpx</ignore>
>     <ignore>/etc/cups/certs</ignore>
>
>     <!-- Windows files to ignore -->
>     <ignore>C:\WINDOWS/System32/LogFiles</ignore>
>     <ignore>C:\WINDOWS/Debug</ignore>
>     <ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
>     <ignore>C:\WINDOWS/iis6.log</ignore>
>     <ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
>     <ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
>     <ignore>C:\WINDOWS/Prefetch</ignore>
>     <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
>     <ignore>C:\WINDOWS/SoftwareDistribution</ignore>
>     <ignore>C:\WINDOWS/Temp</ignore>
>     <ignore>C:\WINDOWS/system32/config</ignore>
>     <ignore>C:\WINDOWS/system32/spool</ignore>
>     <ignore>C:\WINDOWS/system32/CatRoot</ignore>
>   </syscheck>
>
>   <rootcheck>
>
> <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
>
> <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
>   </rootcheck>
>
>   <!-- NOTE(review): second <global> block in the same file (the first is at
>      - the top). Keeping the mail and white_list settings in one block avoids
>      - depending on how duplicate sections are merged. Presumably white_list
>      - entries are addresses exempt from active response; confirm. -->
>   <global>
>     <white_list>127.0.0.1</white_list>
>     <white_list>^localhost.localdomain$</white_list>
>     <!-- NOTE(review): the next entry has a leading space and the last one a
>        - trailing space; verify they are trimmed, otherwise they may not
>        - match the intended address. -->
>     <white_list> 192.168.74.1</white_list>
>     <white_list>192.168.74.85</white_list>
>     <white_list>192.168.74.15 </white_list>
>   </global>
>
>   <alerts>
>     <log_alert_level>1</log_alert_level>
>     <email_alert_level>7</email_alert_level>
>   </alerts>
>
>   <command>
>     <name>host-deny</name>
>     <executable>host-deny.sh</executable>
>     <expect>srcip</expect>
>     <timeout_allowed>yes</timeout_allowed>
>   </command>
>
>   <command>
>     <name>firewall-drop</name>
>     <executable>firewall-drop.sh</executable>
>     <expect>srcip</expect>
>     <timeout_allowed>yes</timeout_allowed>
>   </command>
>
>   <command>
>     <name>disable-account</name>
>     <executable>disable-account.sh</executable>
>     <expect>user</expect>
>     <timeout_allowed>yes</timeout_allowed>
>   </command>
>
>   <command>
>     <name>route-null</name>
>     <executable>route-null.sh</executable>
>     <expect>srcip</expect>
>     <timeout_allowed>yes</timeout_allowed>
>   </command>
>
>
>   <!-- Active Response Config -->
>   <!-- NOTE(review): both responses below use commands that expect srcip.
>      - The quoted log lines carry a bracketed program name ("[sshd]") and no
>      - hostname, which is not the syslog layout the stock decoders expect, so
>      - the srcip field is presumably never extracted. Without it there is no
>      - address to hand to the script, and the response cannot run even though
>      - rule 40111 fires at level 10 (above the level 6 threshold here). -->
>   <active-response>
>     <!-- This response is going to execute the host-deny
>        - command for every event that fires a rule with
>        - level (severity) >= 6.
>        - The IP is going to be blocked for  600 seconds.
>       -->
>     <command>host-deny</command>
>     <location>local</location>
>     <level>6</level>
>     <timeout>600</timeout>
>   </active-response>
>
>   <active-response>
>     <!-- Firewall Drop response. Block the IP for
>        - 600 seconds on the firewall (iptables,
>        - ipfilter, etc).
>       -->
>     <command>firewall-drop</command>
>     <location>local</location>
>     <level>6</level>
>     <timeout>600</timeout>
>   </active-response>
>
>   <!-- Files to monitor (localfiles) -->
>     <!-- NOTE(review): this file is read as syslog, but the lines quoted above
>        - lack the hostname field of a normal syslog message; that mismatch is
>        - the likely reason the decoders do not parse them. -->
>     <localfile>
>       <location>/var/log/everything/current</location>
>       <log_format>syslog</log_format>
>     </localfile>
> </ossec_config>
>
> What am I missing?  Anyone?
>
> Fletch
>
>



