On 8/10/06, Dimitri Yioulos <[EMAIL PROTECTED]> wrote:
Hi, Ahmet.
It's openssh-3.6.1p2-33.30.9
Dimitri
On Thursday August 10 2006 2:34 pm, Ahmet Ozturk wrote:
> Hi,
>
> Your log entries seem interesting. I tested putty 0.54 on WinXP
> and openssh 3.8.1 on a Debian server, and I didn't see the leading
> "::ffff:" stuff on my logs. What is your ssh server's version?
>
> Ahmet Ozturk.
>
> Dimitri Yioulos wrote:
> > Sorry, folks, for what seems to me like my messy posting, but
> > this just in regarding my whitelisting problem; I just received
> > this email notification for the first time:
> >
> > OSSEC HIDS Notification.
> > 2006 Aug 09 11:14:32
> >
> > Received From: danvers->/var/log/messages
> > Rule: 102 fired (level 7) -> "Unknown problem somewhere in the
> > system."
> > Portion of the log(s):
> >
> > sshd: refused connect from ::ffff:192.168.100.53
> > (::ffff: 192.168.100.53)
> >
> > --END OF NOTIFICATION
> >
> >
> > and from ossec-alerts-09.log:
> >
> > ** Alert 1155137346.214738:
> > 2006 Aug 09 11:29:06 danvers->/var/log/secure
> > Rule: 1506 (level 6) -> 'SSH insecure connection attempt (scan)'
> > Src IP: ::ffff:192.168.100.53
> > User: (none)
> > sshd[3912]: Did not receive identification string
> > from ::ffff:192.168.100.53
> >
> >
> > danvers is the name of the OSSEC-HIDS server which I'm trying to
> > ssh and sftp into from 192.168.100.53, which is my WinXP desktop.
> > Doesn't this appear to be an issue with Putty and how O-H handles
> > it?
> >
> > Dimitri
> >
> > On Wednesday August 09 2006 10:56 am, Daniel Cid wrote:
> >>Hi Dimitri,
> >>
> >>Just complementing Ahmet's response. By default, ossec blocks the
> >>ip at /etc/hosts.deny and at the firewall, so you would need to
> >>remove it from the
> >>firewall and from hosts.deny (no need to restart ossec).
> >>
> >>Try the following:
> >>
> >>-Look at your iptables config and remove any block for your
> >> windows IP ( maybe iptables -F if you don't have any other
> >> rule).
> >>-Remove any block from /etc/hosts.deny too.
> >>-Restart ossec on the server to make sure that it is reading your
> >>white_list entries. Every time you change the config you need to
> >>restart ossec.
> >>
> >>*We currently only support class A,B or Cs in the white list, so
> >>you could use:
> >><white_list>192.168.100.0/24</white_list>
> >>
> >>Instead of /22 (going to be fixed soon).
> >>
> >>Your ip 192.168.100.53 should not be blocked anymore... Let us
> >> know how it goes..
> >>
> >>Thanks,
> >>
> >>--
> >>Daniel B. Cid
> >>dcid ( at ) ossec.net
> >>
> >>On 8/9/06, Dimitri Yioulos <[EMAIL PROTECTED]> wrote:
> >>>Hello list members.
> >>>
> >>>In order to use various tools on my OSSEC-HIDS server and agent
> >>>boxes, I've whitelisted my two desktop boxes - WinXP and
> >>>SimplyMepis Linux. From the Linux desktop, using cli ssh and
> >>> sftp tools, I have no trouble getting into the OSSEC-HIDS
> >>> server or agents. From the Windows desktop, however, I keep
> >>> getting added to hosts.deny when using either Putty (ssh) or
> >>> WinSCP3 (sftp). I then have to remove the entry for the WinXP
> >>> desktop from hosts.deny and restart the OSSEC-HIDS server
> >>> (merely removing the entry from hosts.deny doesn't work). I
> >>> have, as per instruction, added a separate entry in ossec.conf
> >>> for each LAN address I want to whitelist. Is this a possible
> >>> bug, or am I doing something wrong?
> >>>
> >>>I tried whitelisting my entire LAN by adding
> >>><white_list>192.168.100.0/22</white_list>, but that didn't seem
> >>>to work. If this isn't something I'm doing wrong, might I
> >>>suggest adding this ability in a future release?
> >>>
> >>>Regards,
> >>>
> >>>Dimitri
> >>>
> >>>--
> >>>This message has been scanned for viruses and
> >>>dangerous content by MailScanner, and is
> >>>believed to be clean.
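The thread turns on two details: the source address appears in sshd's logs as an IPv4-mapped IPv6 address (`::ffff:192.168.100.53`), and the white_list only accepted /8, /16 and /24 networks at the time. The following is an added example, written for this summary and not code from OSSEC or from anyone in the thread, that shows how a whitelist check should treat such log lines: extract the address, normalize the `::ffff:` form back to plain IPv4, and test it against CIDR entries. The log lines and the white_list values are constructed from the ones quoted above; the function names are my own. It also includes a deliberately naive check that skips the normalization, to show that a mapped address silently fails to match an IPv4 network unless it is unwrapped first. Whether the 2006 OSSEC release behaved that way is not established by the thread; the example only demonstrates the failure mode.

```python
import ipaddress
import re

# Constructed sample lines, modelled on the sshd entries quoted in the thread.
SAMPLE_LOGS = [
    "sshd: refused connect from ::ffff:192.168.100.53 (::ffff:192.168.100.53)",
    "sshd[3912]: Did not receive identification string from ::ffff:192.168.100.53",
    "sshd[4010]: Did not receive identification string from 10.0.0.7",
]

# Hypothetical white_list contents, as they would be written in ossec.conf
# (<white_list>192.168.100.0/24</white_list>); assumed for this example.
WHITE_LIST_24 = ["192.168.100.0/24"]
WHITE_LIST_22 = ["192.168.100.0/22"]

ADDR_RE = re.compile(r"\bfrom\s+(\S+)")


def extract_src(line):
    """Pull the token following 'from' out of an sshd log line, or None."""
    m = ADDR_RE.search(line)
    return m.group(1) if m else None


def normalize(addr):
    """Return an ip_address object; IPv4-mapped IPv6 (::ffff:a.b.c.d) becomes IPv4."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def is_whitelisted(addr, white_list):
    """Correct check: normalize first, then test membership in each CIDR entry."""
    ip = normalize(addr)
    return any(ip in ipaddress.ip_network(entry, strict=False) for entry in white_list)


def naive_is_whitelisted(addr, white_list):
    """Deliberately skips normalization: an IPv6-typed address never matches
    an IPv4 network, so ::ffff:192.168.100.53 is reported as NOT whitelisted."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(entry, strict=False) for entry in white_list)


def triage(lines, white_list):
    """Map each normalized source address seen in the logs to its whitelist status."""
    result = {}
    for line in lines:
        src = extract_src(line)
        if src is None:
            continue
        ip = normalize(src)
        result[str(ip)] = is_whitelisted(src, white_list)
    return result


if __name__ == "__main__":
    for entry in (WHITE_LIST_24, WHITE_LIST_22):
        print(entry, triage(SAMPLE_LOGS, entry))
    print("naive:", naive_is_whitelisted("::ffff:192.168.100.53", WHITE_LIST_24))
```

Running it shows `192.168.100.53` whitelisted under both the /24 and the /22 entries, `10.0.0.7` under neither, and the naive check returning False for the mapped form of the very address that was listed. When reviewing an active-response block that should not have fired, this is the check to reproduce: take the address exactly as the log printed it, unwrap it, and confirm it falls inside the configured network.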
