Hi,
Your log entries seem interesting. I tested putty 0.54 on WinXP
and openssh 3.8.1 on a Debian server, and I didn't see the leading
"::ffff:" stuff on my logs. What is your ssh server's version?
Ahmet Ozturk.
Dimitri Yioulos wrote:
Sorry, folks, for what seems to me like my messy posting, but this
just in regarding my whitelisting problem; I just received this email
notification for the first time:
OSSEC HIDS Notification.
2006 Aug 09 11:14:32
Received From: danvers->/var/log/messages
Rule: 102 fired (level 7) -> "Unknown problem somewhere in the
system."
Portion of the log(s):
sshd: refused connect from ::ffff:192.168.100.53
(::ffff:192.168.100.53)
--END OF NOTIFICATION
and from ossec-alerts-09.log:
** Alert 1155137346.214738:
2006 Aug 09 11:29:06 danvers->/var/log/secure
Rule: 1506 (level 6) -> 'SSH insecure connection attempt (scan)'
Src IP: ::ffff:192.168.100.53
User: (none)
sshd[3912]: Did not receive identification string
from ::ffff:192.168.100.53
danvers is the name of the OSSEC-HIDS server which I'm trying to ssh
and sftp into from 192.168.100.53, which is my WinXP desktop.
Doesn't this appear to be an issue with Putty and how O-H handles it?
Dimitri
On Wednesday August 09 2006 10:56 am, Daniel Cid wrote:
Hi Dimitri,
Just complementing Ahmet's response. By default, ossec blocks the
ip at /etc/hosts.deny and at the firewall, so you would need to
remove it from the
firewall and from hosts.deny (no need to restart ossec).
Try the following:
-Look at your iptables config and remove any block for your windows
IP ( maybe iptables -F if you don't have any other rule).
-Remove any block from /etc/hosts.deny too.
-Restart ossec on the server to make sure that it is reading your
white_list entries. Every time you change the config you need to
restart ossec.
*We currently only support class A,B or Cs in the white list, so
you could use:
<white_list>192.168.100.0/24</white_list>
Instead of /22 (going to be fixed soon).
Your ip 192.168.100.53 should not be blocked anymore... Let us know
how it goes..
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
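The exchange above turns on two details: the sshd log records the Windows desktop as the IPv4-mapped IPv6 literal "::ffff:192.168.100.53", and Daniel notes that the white_list at that version only honours class A/B/C masks (/8, /16, /24), so a /22 entry is not matched. The following Python is an added example, not OSSEC's code, that shows what a whitelist check has to do to get both right: extract the source token from the quoted sshd messages, normalise the "::ffff:" form back to plain IPv4 before comparing, and flag entries whose prefix length the classful rule would not accept. The function names, the `naive_match` string comparison and the extra 10.0.0.7 log line are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample lines in the shape of the sshd messages quoted in the thread;
# the third line is added here to show a source outside the LAN.
SAMPLE_LOG = [
    "sshd: refused connect from ::ffff:192.168.100.53 (::ffff:192.168.100.53)",
    "sshd[3912]: Did not receive identification string from ::ffff:192.168.100.53",
    "sshd[4001]: Did not receive identification string from 10.0.0.7",
]

SRC_RE = re.compile(r"\bfrom\s+(\S+)")

def extract_src(line):
    """Return the address token that follows 'from' in an sshd log line, or None."""
    m = SRC_RE.search(line)
    return m.group(1) if m else None

def normalize_ip(token):
    """Map an IPv4-mapped IPv6 literal (::ffff:a.b.c.d) back to the IPv4 address.
    Any other address is returned as parsed."""
    addr = ipaddress.ip_address(token)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr

def naive_match(token, plain_entries):
    """String comparison against whitelist entries: this is the check that fails
    when the log carries the ::ffff: prefix and the whitelist does not."""
    return token in set(plain_entries)

def parse_white_list(entries):
    """Turn <white_list> values (single IPs or CIDR blocks) into network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def is_white_listed(token, nets):
    """Normalised membership test: the check a whitelist should actually perform."""
    ip = normalize_ip(token)
    return any(ip in n for n in nets)

# Hypothetical model of Daniel's note: only class A/B/C masks are honoured.
CLASSFUL_PREFIXES = {8, 16, 24}

def supported_by_classful_white_list(entry):
    """True if the entry uses a prefix length the classful-only whitelist accepts."""
    net = ipaddress.ip_network(entry, strict=False)
    return net.version == 4 and net.prefixlen in CLASSFUL_PREFIXES

def classify(lines, entries):
    """For each log line: (raw token, normalised IP, whitelisted?)."""
    nets = parse_white_list(entries)
    results = []
    for line in lines:
        tok = extract_src(line)
        if tok is None:
            continue
        results.append((tok, str(normalize_ip(tok)), is_white_listed(tok, nets)))
    return results

if __name__ == "__main__":
    for entry in ("192.168.100.0/22", "192.168.100.0/24"):
        print(entry, "accepted by classful whitelist:", supported_by_classful_white_list(entry))
    for raw, ip, ok in classify(SAMPLE_LOG, ["192.168.100.0/24"]):
        print(f"{raw:35} -> {ip:16} whitelisted={ok}")
```

Running it shows why Dimitri's two approaches behaved as they did: a per-host entry compared as a string never equals "::ffff:192.168.100.53", and the /22 entry, although it does contain 192.168.100.53 as a network, is rejected by the classful rule, whereas the /24 Daniel suggests is both accepted and matches once the address is normalised.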
On 8/9/06, Dimitri Yioulos <[EMAIL PROTECTED]> wrote:
Hello list members.
In order to use various tools on my OSSEC-HIDS server and agent
boxes, I've whitelisted my two desktop boxes - WinXP and
SimplyMepis Linux. From the Linux desktop, using cli ssh and sftp
tools, I have no trouble getting into the OSSEC-HIDS server or
agents. From the Windows desktop, however, I keep getting added
to hosts.deny when using either Putty (ssh) or WinSCP3 (sftp). I
then have to remove the entry for the WinXP desktop from
hosts.deny and restart the OSSEC-HIDS server (merely removing the
entry from hosts.deny doesn't work). I have, as per instruction,
added a separate entry in ossec.conf for each LAN address I want
to whitelist. Is this a possible bug, or am I doing something
wrong?
I tried whitelisting my entire LAN by adding
<white_list>192.168.100.0/22</white_list>, but that didn't seem
to work. If this isn't something I'm doing wrong, might I
suggest adding this ability in a future release?
Regards,
Dimitri