[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ossec-list] SSH Brute Force Attacks and Alerting

To: ossec-list@xxxxxxxxx
Subject: [ossec-list] SSH Brute Force Attacks and Alerting
From: Ben Ruset <ben.ruset@xxxxxxxxxxx>
Date: Wed, 02 May 2007 14:42:45 -0400
Content-transfer-encoding: 7bit


Please forgive me in advance if this is too much of a newbie question.

I have OSSEC configured with four agents and a server. I am gettingbombarded with alerts about ssh brute force attacks. I'm pretty surethat any host connected to the internet that runs some form of sshdaemon gets brute force attempts all the time, and as such I am notterribly concerned.

What I'm finding, though, is that it's hard to deal with legitimatealerts when there are so many alerts generated for attempted ssh logins.


My config has this:

  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>

which I presume to be "don't email me about events >7." Well, all of myssh alerts register at level 10.

Ideally, I'd only like to get alerts from when someone logs into thesystem (these aren't shell boxes for people, so it's semi unusual forpeople to log into them) or alerted based on brute force + successfullogin as seen here: (http://www.ossec.net/en/loganalysis.html#auth4)

Do I have a flawed understanding of how the rule alerting works? Isthere something I need to configure specifically to change OSSEC's sshdrules to only alert me on login and/or on brute force + successful login?


Thanks,

-ben

Prev by Date: [ossec-list] Re: UI install
Next by Date: [ossec-list] Re: SSH Brute Force Attacks and Alerting
Previous by thread: [ossec-list] Re: Permissions and ownership of /etc/hosts.deny
Next by thread: [ossec-list] Re: SSH Brute Force Attacks and Alerting
Index(es):
- Date
- Thread

OSSEC home | Main Index | Thread Index

OSSEC project: www.ossec.net.
Mailling list information: http://www.ossec.net/en/mailing_lists.html.