[ossec-list] Re: About the user login/login failed alert
Hi,

You need to set the "frequency" attribute in rule 5712 to "1". This attribute sets the number of times (+2) that a rule needs to match to fire an alert; by default, 5712 will show an alert when 5710 appears at least 8 times, and changing it to "1" will fire at the 3rd attempt.

Please check http://ossec-docs.readthedocs.io/en/latest/syntax/head_rules.html

I hope it helps.

Regards

On Wednesday, June 28, 2017 at 11:06:44 PM UTC-4, az...@51ecommerce.com wrote:
>
> HI,
>
> I set the email notify level to 3 and tried to log in to serverA through ssh. It works, I receive the email alert.
>
> Thank you!
>
> And I have another question: I want to block the user's IP when the user fails to log in more than 3 times with ssh. I use 5712, but it did not work; I tried failing the login more than 10 times, and it still does not block me.
> Here is my active-response in ossec.conf:
>
>   <active-response>
>     <disabled>no</disabled>
>     <command>firewall-drop</command>
>     <location>local</location>
>     <rules_id>5712</rules_id>
>     <level>8</level>
>     <timeout>120</timeout>
>     <repeated_offenders>60,120,180</repeated_offenders>
>   </active-response>
>
> Here are my 5710 and 5712 rule definitions:
>
>   5700
>   illegal user|invalid user
>   sshd: Attempt to login using a non-existent user
>   invalid_login,authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_10.6.1,
>
>   5700
>   authentication failure; logname= uid=0 euid=0 tty=ssh|input_userauth_request: invalid user|PAM: User not known to the underlying authentication module for illegal user|error retrieving information about user
>   sshd: Useless/Duplicated SSHD message without a user/ip.
>
>   5710
>   sshd: brute force trying to get access to the system.
>   authentication_failures,pci_dss_11.4,pci_dss_10.2.4,pci_dss_10.2.5,
>
> On Thursday, June 29, 2017 at 2:19:23 AM UTC+8, migue...@wazuh.com wrote:
>>
>> Hi,
>>
>> The email notification is triggered when an alert reaches or exceeds the level defined in <email_alert_level> (by default it is set to level 7); setting this option to level 3 will send you email notifications for successful login attempts.
>>
>> email_alert_level option reference:
>> http://ossec-docs.readthedocs.io/en/latest/syntax/head_ossec_config.alerts.html#element-email_alert_level
>> Rules classification:
>> http://ossec-docs.readthedocs.io/en/latest/manual/rules-decoders/rule-levels.html
>>
>> I hope this could help you.
>>
>> Best regards.
>>
>> On Wednesday, June 28, 2017 at 2:03:23 PM UTC-4, az...@51ecommerce.com wrote:
>>>
>>> hello,
>>> I've set up the ossec server and agent on my serverS (server) and serverA (agent), but when I log in to serverA, I do not receive the email alert; if I change something on serverA, I do receive the email alert.
>>> So, my question is: how to make an email alert when someone logs into the system, like ssh or ftp?
>>>

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
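The reply above hinges on one detail of OSSEC composite rules: a rule with a frequency attribute fires once frequency + 2 matches of its child rule (here 5710, matched by 5712 through if_matched_sid) land inside the timeframe, per source IP when same_source_ip is set. The following added example, which is not code from the thread or from the OSSEC project, models that counting over a handful of constructed sshd log lines so the "8 attempts by default, 3 with frequency 1" claim can be checked directly. The rule XML is a local_rules.xml-style override written for this example; its level="10", timeframe="120", <if_matched_sid>5710</if_matched_sid> and <same_source_ip /> are assumed to be the stock values of 5712, and overwrite="yes" is the standard OSSEC attribute for overriding a shipped rule. Timestamps, process ids and addresses in the log lines are constructed.

```python
"""Added example (not from the thread or from OSSEC): a small model of how an
OSSEC composite rule such as 5712 counts matches of its child rule 5710.

Assumption: the rule fires once frequency + 2 child-rule matches from the same
source IP fall inside the timeframe, as the documented frequency semantics say.
"""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict, deque

# local_rules.xml-style override of rule 5712 (constructed); {frequency} is
# filled in by the caller. level/timeframe are assumed stock values.
RULE_5712_XML = """<group name="syslog,sshd,">
  <rule id="5712" level="10" frequency="{frequency}" timeframe="120" overwrite="yes">
    <if_matched_sid>5710</if_matched_sid>
    <same_source_ip />
    <description>sshd: brute force trying to get access to the system.</description>
    <group>authentication_failures,pci_dss_11.4,pci_dss_10.2.4,pci_dss_10.2.5,</group>
  </rule>
</group>
"""

# Match string of rule 5710 as posted in the thread; treated as case-insensitive here.
RULE_5710_MATCH = re.compile(r"illegal user|invalid user", re.IGNORECASE)

# Constructed sshd lines in the form "<epoch seconds> sshd[pid]: <message>".
SAMPLE_LOG = [
    # 10 failed attempts from one address, 10 s apart (all inside a 120 s window)
    *[f"{1498700000 + 10 * i} sshd[4101]: Invalid user admin from 203.0.113.5 port {50000 + i}"
      for i in range(10)],
    # 4 attempts from another address, 100 s apart (never 3 inside one 120 s window)
    *[f"{1498700000 + 100 * i} sshd[4102]: Invalid user test from 198.51.100.7 port 4242"
      for i in range(4)],
    # Noise that rule 5710 does not match
    "1498700050 sshd[4103]: Accepted publickey for ops from 192.0.2.9 port 6000 ssh2",
]

LINE_RE = re.compile(r"^(?P<ts>\d+) sshd\[\d+\]: (?P<msg>.*?) from (?P<srcip>[\d.]+)")


def parse_composite_rule(xml_text: str) -> dict:
    """Pull the attributes and children that drive the counting out of <rule>."""
    rule = ET.fromstring(xml_text).find("rule")
    return {
        "id": rule.get("id"),
        "level": int(rule.get("level")),
        "frequency": int(rule.get("frequency")),
        "timeframe": int(rule.get("timeframe")),
        "if_matched_sid": rule.findtext("if_matched_sid"),
        "same_source_ip": rule.find("same_source_ip") is not None,
    }


def first_fire_attempt(log_lines, rule: dict) -> dict:
    """Return {srcip: n}, where n is the attempt number at which the composite
    rule first fires for that address; addresses that never fire are absent."""
    needed = rule["frequency"] + 2            # documented OSSEC behaviour: frequency + 2
    ordered = sorted(log_lines, key=lambda line: int(line.split()[0]))
    recent = defaultdict(deque)               # key -> timestamps of child-rule matches
    attempts = defaultdict(int)               # srcip -> child-rule matches seen so far
    fired = {}
    for line in ordered:
        m = LINE_RE.match(line)
        if not m or not RULE_5710_MATCH.search(m.group("msg")):
            continue                          # child rule 5710 did not match this line
        ts, src = int(m.group("ts")), m.group("srcip")
        key = src if rule["same_source_ip"] else "*"
        attempts[src] += 1
        window = recent[key]
        window.append(ts)
        while ts - window[0] > rule["timeframe"]:   # forget matches older than the timeframe
            window.popleft()
        if len(window) >= needed and src not in fired:
            fired[src] = attempts[src]
    return fired


if __name__ == "__main__":
    for freq in (6, 1):
        rule = parse_composite_rule(RULE_5712_XML.format(frequency=freq))
        print(f"frequency={freq}: first fires at attempt", first_fire_attempt(SAMPLE_LOG, rule))
```

With frequency="6" the fast attacker address trips the rule on its 8th attempt; with frequency="1" it trips on the 3rd, which is the change the reply recommends. The slow address never accumulates three matches inside the 120 s timeframe in either case, which is worth keeping in mind when tuning: a low frequency only helps if the timeframe still covers the spacing of real failed logins.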
[ossec-list] Re: About the user login/login failed alert
HI,

I set the email notify level to 3 and tried to log in to serverA through ssh. It works, I receive the email alert.

Thank you!

And I have another question: I want to block the user's IP when the user fails to log in more than 3 times with ssh. I use 5712, but it did not work; I tried failing the login more than 10 times, and it still does not block me.
Here is my active-response in ossec.conf:

  <active-response>
    <disabled>no</disabled>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>5712</rules_id>
    <level>8</level>
    <timeout>120</timeout>
    <repeated_offenders>60,120,180</repeated_offenders>
  </active-response>

Here are my 5710 and 5712 rule definitions:

  5700
  illegal user|invalid user
  sshd: Attempt to login using a non-existent user
  invalid_login,authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,pci_dss_10.6.1,

  5700
  authentication failure; logname= uid=0 euid=0 tty=ssh|input_userauth_request: invalid user|PAM: User not known to the underlying authentication module for illegal user|error retrieving information about user
  sshd: Useless/Duplicated SSHD message without a user/ip.

  5710
  sshd: brute force trying to get access to the system.
  authentication_failures,pci_dss_11.4,pci_dss_10.2.4,pci_dss_10.2.5,

On Thursday, June 29, 2017 at 2:19:23 AM UTC+8, migue...@wazuh.com wrote:
>
> Hi,
>
> The email notification is triggered when an alert reaches or exceeds the level defined in <email_alert_level> (by default it is set to level 7); setting this option to level 3 will send you email notifications for successful login attempts.
>
> email_alert_level option reference:
> http://ossec-docs.readthedocs.io/en/latest/syntax/head_ossec_config.alerts.html#element-email_alert_level
> Rules classification:
> http://ossec-docs.readthedocs.io/en/latest/manual/rules-decoders/rule-levels.html
>
> I hope this could help you.
>
> Best regards.
>
> On Wednesday, June 28, 2017 at 2:03:23 PM UTC-4, az...@51ecommerce.com wrote:
>>
>> hello,
>> I've set up the ossec server and agent on my serverS (server) and serverA (agent), but when I log in to serverA, I do not receive the email alert; if I change something on serverA, I do receive the email alert.
>> So, my question is: how to make an email alert when someone logs into the system, like ssh or ftp?
>>
[ossec-list] Re: About the user login/login failed alert
Hi,

The email notification is triggered when an alert reaches or exceeds the level defined in <email_alert_level> (by default it is set to level 7); setting this option to level 3 will send you email notifications for successful login attempts.

email_alert_level option reference:
http://ossec-docs.readthedocs.io/en/latest/syntax/head_ossec_config.alerts.html#element-email_alert_level

Rules classification:
http://ossec-docs.readthedocs.io/en/latest/manual/rules-decoders/rule-levels.html

I hope this could help you.

Best regards.

On Wednesday, June 28, 2017 at 2:03:23 PM UTC-4, az...@51ecommerce.com wrote:
>
> hello,
> I've set up the ossec server and agent on my serverS (server) and serverA (agent), but when I log in to serverA, I do not receive the email alert; if I change something on serverA, I do receive the email alert.
> So, my question is: how to make an email alert when someone logs into the system, like ssh or ftp?
>