From OSSEC Wiki
- Rule:
<rule id="5551" level="10" frequency="6" timeframe="180">
  <if_matched_sid>5503</if_matched_sid>
  <same_source_ip />
  <description>Multiple failed logins in a small period of time.</description>
  <group>authentication_failures,</group>
</rule>
- Inside file: pam_rules.xml
- Inside group(s): Syslog, PAM
- Depends on: None
- False positive:
- Comments:
- Multiple failed logins in a small period of time.
- Example of log:
May 12 17:52:24 server sshd(pam_unix)[13097]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=attacker.com user=root
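
The correlation this rule expresses (repeated matches from the same source within the timeframe), sketched in Python as an added example; it is not code from the OSSEC wiki or from OSSEC itself. It assumes `frequency` is the number of matching events needed to alert and does not reproduce OSSEC's own analysis engine; the function names, the `year` parameter and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Values taken from rule 5551 on this page.
FREQUENCY = 6    # frequency="6", treated here as events needed to alert (assumption)
TIMEFRAME = 180  # timeframe="180", in seconds

# Matches the pam_unix failure format shown in the page's example log.
PAM_FAIL = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ \S+\(pam_unix\)\[\d+\]: "
    r"authentication failure;.*\brhost=(?P<rhost>\S+)"
)

def correlate(lines, year=2024, frequency=FREQUENCY, timeframe=TIMEFRAME):
    """Return (timestamp, rhost, count) each time one source reaches the threshold."""
    recent = defaultdict(deque)  # rhost -> timestamps of its recent failures
    alerts = []
    for line in lines:
        m = PAM_FAIL.match(line)
        if not m:
            continue  # not a PAM failure, or no remote host recorded
        # Syslog timestamps carry no year, so the caller supplies one.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        window = recent[m["rhost"]]
        window.append(ts)
        # Drop failures that have aged out of the timeframe.
        while (ts - window[0]).total_seconds() > timeframe:
            window.popleft()
        if len(window) >= frequency:
            alerts.append((ts, m["rhost"], len(window)))
            window.clear()  # start counting again after alerting
    return alerts

def sample_lines():
    """Constructed log lines in the page's format, using documentation addresses."""
    fmt = ("May 12 17:{:02d}:{:02d} server sshd(pam_unix)[13097]: "
           "authentication failure; logname= uid=0 euid=0 tty=ssh "
           "ruser= rhost={} user=root")
    slow = [fmt.format(10 * i, 0, "198.51.100.9") for i in range(6)]  # 6 in 50 min
    burst = [fmt.format(52, 10 * i, "203.0.113.7") for i in range(6)]  # 6 in 50 s
    return slow + burst

if __name__ == "__main__":
    for ts, rhost, count in correlate(sample_lines()):
        print(f"{ts} rule 5551: {count} failed logins from {rhost}")
```

Only the burst source alerts: the slow source produces the same number of failures, but never six inside one 180-second window.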