Hi everyone,

Over the weekend, OSSEC stopped a couple of brute force ssh attacks. That was great. But I noticed it did nothing about the following (which occurred a couple of times), which is from /var/log/messages. How do we get this sort of thing to trigger the active response scripts?

Jun 17 21:00:53 somehost sshd(pam_unix)[892]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=www.evilhost.com user=root
Jun 17 21:00:57 somehost sshd(pam_unix)[895]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=www.evilhost.com user=root
Jun 17 21:01:00 somehost sshd(pam_unix)[897]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=www.evilhost.com user=root
Jun 17 21:01:03 somehost sshd(pam_unix)[901]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=www.evilhost.com user=root
Jun 17 21:01:05 somehost sshd(pam_unix)[903]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=www.evilhost.com user=root
Jun 17 21:01:08 somehost sshd(pam_unix)[905]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=www.evilhost.com user=root
Jun 17 21:01:11 somehost sshd(pam_unix)[908]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=www.evilhost.com user=root
Jun 17 21:01:14 somehost sshd(pam_unix)[910]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=www.evilhost.com user=root
Jun 17 21:01:17 somehost sshd(pam_unix)[912]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=www.evilhost.com user=root
Jun 17 21:01:20 somehost sshd(pam_unix)[914]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=www.evilhost.com user=root
Jun 17 21:01:23 somehost sshd(pam_unix)[916]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=www.evilhost.com user=root
Jun 17 21:01:26 somehost sshd(pam_unix)[919]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=www.evilhost.com user=root
Jun 17 21:01:29 somehost sshd(pam_unix)[921]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=www.evilhost.com user=root
Jun 17 21:01:32 somehost sshd(pam_unix)[923]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=www.evilhost.com user=root
Jun 17 21:01:35 somehost sshd(pam_unix)[925]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=www.evilhost.com user=root
Jun 17 21:01:38 somehost sshd(pam_unix)[927]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=www.evilhost.com user=root
Jun 17 21:01:41 somehost sshd(pam_unix)[930]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=www.evilhost.com user=root
Jun 17 21:01:43 somehost sshd(pam_unix)[932]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=www.evilhost.com user=root
Jun 17 21:01:46 somehost sshd(pam_unix)[934]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=www.evilhost.com user=root
Jun 17 21:01:49 somehost sshd(pam_unix)[936]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=www.evilhost.com user=root
Jun 17 21:01:52 somehost sshd(pam_unix)[939]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=www.evilhost.com user=root
Jun 17 21:01:55 somehost sshd(pam_unix)[942]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=www.evilhost.com user=root
Jun 17 21:01:58 somehost sshd(pam_unix)[944]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=www.evilhost.com user=root
Jun 17 21:02:01 somehost sshd(pam_unix)[946]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=www.evilhost.com user=root
Jun 17 21:02:04 somehost sshd(pam_unix)[948]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=www.evilhost.com user=root
Jun 17 21:02:07 somehost sshd(pam_unix)[950]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=www.evilhost.com user=root
Jun 17 21:02:10 somehost sshd(pam_unix)[953]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=www.evilhost.com user=root
Jun 17 21:02:13 somehost sshd(pam_unix)[955]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=www.evilhost.com user=root
Jun 17 21:02:16 somehost sshd(pam_unix)[957]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=www.evilhost.com user=root
Jun 17 21:02:19 somehost sshd(pam_unix)[959]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=www.evilhost.com user=root
Jun 17 21:02:22 somehost sshd(pam_unix)[961]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=www.evilhost.com user=root
Jun 17 21:02:25 somehost sshd(pam_unix)[963]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=www.evilhost.com user=root
Jun 17 22:04:39 somehost sshd(pam_unix)[1247]: session opened for user root by (uid=0)

-- 
Kayvan A. Sylvan | Sylvan Associates, Inc. | http://sylvan.com/~kayvan
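As an added example (not part of the original post and not OSSEC's own code), the following Python script does the kind of correlation an OSSEC rule with frequency and timeframe settings performs on these pam_unix lines before any active response can fire: it parses constructed sample lines in the same format, keeps a sliding window of failures per rhost, and reports a source once it reaches the threshold. The threshold (6 failures in 120 seconds), the extra 192.0.2.10 line and the year used to complete the syslog timestamp are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in the format quoted in the post (syslog, no year).
SAMPLE_LOG = [
    "Jun 17 21:00:53 somehost sshd(pam_unix)[892]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=www.evilhost.com user=root",
    "Jun 17 21:00:57 somehost sshd(pam_unix)[895]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=www.evilhost.com user=root",
    "Jun 17 21:00:59 somehost sshd(pam_unix)[896]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=192.0.2.10 user=bob",
    "Jun 17 21:01:00 somehost sshd(pam_unix)[897]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=www.evilhost.com user=root",
    "Jun 17 21:01:03 somehost sshd(pam_unix)[901]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=www.evilhost.com user=root",
    "Jun 17 21:01:05 somehost sshd(pam_unix)[903]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=www.evilhost.com user=root",
    "Jun 17 21:01:08 somehost sshd(pam_unix)[905]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=www.evilhost.com user=root",
    "Jun 17 22:04:39 somehost sshd(pam_unix)[1247]: session opened for user root by (uid=0)",
]

# Matches only the pam_unix "authentication failure" lines; other sshd lines are ignored.
PAM_FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"sshd\(pam_unix\)\[\d+\]: authentication failure; .*?"
    r"rhost=(?P<rhost>\S*) user=(?P<user>\S*)"
)

def parse_line(line, year=2007):
    """Return (timestamp, host, rhost, user) for a failure line, else None.
    Syslog omits the year, so one is supplied (assumed value)."""
    m = PAM_FAIL_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["host"], m["rhost"], m["user"]

def find_bruteforce(lines, frequency=6, timeframe=120):
    """Sliding-window correlation per source host. Returns {rhost: time at
    which that source first reached `frequency` failures within `timeframe` s}."""
    windows = defaultdict(deque)  # rhost -> timestamps of recent failures
    triggered = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, _host, rhost, _user = parsed
        w = windows[rhost]
        w.append(ts)
        while (ts - w[0]).total_seconds() > timeframe:  # drop stale entries
            w.popleft()
        if len(w) >= frequency and rhost not in triggered:
            triggered[rhost] = ts
    return triggered
```

On the sample, www.evilhost.com is reported at 21:01:08 (its sixth failure within the window) while the single failure from 192.0.2.10 and the "session opened" line produce nothing.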
