Hi Forrest,
Thanks for the information. To solve your sendmail problem, you need to go to /var/ossec/rules/sendmail_rules.xml and change the rule "3103". It is currently looking for "reject=553 5.3.0 Spam blocked", but we may need to change it to "reject=553 5.3.0", since the "Spam blocked" message is not always there. Also, you will need to add a few more rules looking for a specific message after the reject, like "Rejected due to abuse", etc. An example of rule would be: <rule id="3120" level="9"> <if_sid>3103</if_sid> <match>Rejected due to abuse</match> <description>E-mail blocked due to abuse</description> </rule> After that, you would need to go to ossec.conf and add a new active response to block this ip for a longer time (for example one hour): <active-response> <command>firewall-drop</command> <location>local</location> <rules_id>3120</rules_id> <timeout>3600</timeout> </active-response> Regarding the firewall, during the install we check if PF is available to use. You can look under active-response/firewalls/ for more scripts. Just copy the pf one (pf.sh) to /var/ossec/active-responses/bin/firewall-drop.sh Hope it helps. -- Daniel B. Cid dcid ( at ) ossec.net On 9/7/06, Forrest Aldrich <[EMAIL PROTECTED]> wrote:
I'm using the 0.9.1-a or whatever the latest version was a day or 2 ago. I see no mail stuff in /var/ossec/logs/ossec.log, but I see: 2006/09/07 15:41:04 ossec-remoted(1501): No IP or network allowed in the access list for sy slog. No reason for running it. Exiting. 2006/09/07 15:41:04 ossec-remoted: Started (pid: 71424). 2006/09/07 15:41:04 ossec-remoted: Assigning counter for agent firewall: '0:7238'. 2006/09/07 15:41:04 ossec-remoted: Assigning sender counter: 0:536 2006/09/07 15:41:04 ossec-analysisd: White listing IP: '127.0.0.1' 2006/09/07 15:41:04 ossec-analysisd: White listing IP: '192.168.1.1' 2006/09/07 15:41:04 ossec-analysisd: White listing IP: '192.168.1.2' 2006/09/07 15:41:04 ossec-analysisd: 3 IPs in the white list for active response Now: this is a configuration generated from the install... it "should" have included an ACL entry to permit the syslog traffic. Note I white-list the applicable IPs. At the moment, only 192.168.1.1 should be doing remote syslog. Syslog is properly configured on the internal box to permit this. Where in the config can I correct this. This may also be connected to the client.keys problem I described earlier. These are being logged to /var/log/maillog. A couple of log samples... Your standard botnet SMTP flooding: Sep 7 01:20:46 mail sm-mta[62946]: ruleset=check_relay, arg1=h188.175.141.67.ip.alltel.net , arg2=67.141.175.188, relay=h188.175.141.67.ip.alltel.net [67.141.175.188], reject=421 4.3 .2 Connection rate limit exceeded. My private ACL from /etc/mail/access: Sep 7 05:40:15 mail sm-mta[64376]: ruleset=check_relay, arg1=adsl196-97-91-206-196.adsl196 -3.iam.net.ma, arg2=196.206.91.97, relay=adsl196-97-91-206-196.adsl196-3.iam.net.ma [196.20 6.91.97], reject=553 5.3.0 196.206.91 Rejected due to abuse - see http://dnsbl.sorbs.net.10 102005 Spamassassin blocks - maybe need to be handled more carefully: Sep 7 02:43:30 mail sm-mta[63495]: k876hJS0063495: Milter: data, reject=550 5.7.1 Blocked by SpamAssassin A typical RBL rejection from sendmail. The latter part is variable, depending upon the RBL being used, all configurable in the sendmail.mc file: Sep 7 04:31:10 mail sm-mta[64143]: ruleset=check_relay, arg1=60-240-56-231.tpgi.com.au, ar g2=127.0.0.3, relay=60-240-56-231.tpgi.com.au [60.240.56.231], reject=553 5.3.0 Message fro m 60.240.56.231 blocked - see http://dynablock.njabl.org/ Now: in the alerts.log, I do see: Rejection: ** Alert 1157606440.387: 2006 Sep 07 01:20:40 mail->/var/log/messages Rule: 3107 (level 4) -> 'Sendmail rejected message.' Src IP: 67.141.175.188 User: (none) sm-mta[62943]: ruleset=check_relay, arg1=h188.175.141.67.ip.alltel.net, arg2=127.0.0.10, re lay=h188.175.141.67.ip.alltel.net [67.141.175.188], reject=553 5.3.0 Message from 67.141.17 5.188 blocked - see http://dnsbl.sorbs.net Rejection based on /etc/mail/access: ** Alert 1157606492.1885: 2006 Sep 07 01:21:32 mail->/var/log/messages Rule: 3107 (level 4) -> 'Sendmail rejected message.' Src IP: 72.72.77.224 User: (none) sm-mta[62992]: k875LOZq062992: ruleset=check_mail, arg1=<[EMAIL PROTECTED] >, relay=static-72-72-77-224.bstnma.east.verizon.net [72.72.77.224], reject=553 5.3.0 <demu [EMAIL PROTECTED]>... Rejected due to abuse - see http://dnsbl.sorbs.net. Rejection based on RBL check: ** Alert 1157614234.4959: 2006 Sep 07 03:30:34 mail->/var/log/messages Rule: 3107 (level 4) -> 'Sendmail rejected message.' Src IP: 67.177.205.115 User: (none) sm-mta[63921]: ruleset=check_relay, arg1=c-67-177-205-115.hsd1.co.comcast.net, arg2=127.0.0 .10, relay=c-67-177-205-115.hsd1.co.comcast.net [67.177.205.115], reject=553 5.3.0 Message from 67.177.205.115 blocked - see http://dnsbl.sorbs.net It doesn't really yet differentiate between the types of rejections, which I will need for this setup. A general sendmail reject isn't enough - it needs to know about it, in order to take the proper action: It is not detecting the "Connection rate exceeded" error, which hopefully my hacky rule will pick up on - for those, I want an outright firewall block. I already have some tables in PF that I use: spammers (deny only port 25) abuse (deny all) geoip (deny only port 25) Someone said they had or was working on a proper PF firewall_deny.sh script for OSSEC... ? Checking the active-response directory, I see the incorrect script is installed: #!/bin/sh # Adds an IP to the iptables drop list (if linux) # Adds an IP to the ipfilter drop list (if solaris, freebsd or netbsd) # Adds an IP to the ipsec drop list (if aix) # Requirements: Linux with iptables, Solaris/FreeBSD/NetBSD with ipfilter or AIX with IPSec # Expect: srcip # Author: Ahmet Ozturk (ipfilter and IPSec) # Author: Daniel B. Cid (iptables) # Last modified: Feb 14, 2006 FreeBSD-6.1 runs "PF" by default (or "IPFW"). Surely I may have missed a couple of things here as I'm new to OSSEC... mea culpa ;-) Thanks! Forrest Daniel Cid wrote: We have rules for sendmail already that should match on them... Where are these messages being logged? Is ossec reading this file? If you look at the sendmail_rules.xml you will see lots of rules for blocking spam, etc... Can you show the output of: -/var/ossec/logs/ossec.log -The log that is generating these messages (and name of it). -Output of /var/ossec/logs/alerts/alerts.log *btw, which version are you using? Daniel On 9/7/06, Forrest Aldrich <[EMAIL PROTECTED]> wrote: OSSEC isn't getting these messages at all. Though I may have made a mistake regarding the Connection throttle.. that probably isn't detected yet. I'm making my first (lame) attempt at rules on the applicable server: <rule id="6000" level="10" frequency="1" ignore="4"> <match>reject=421 4.3.2 Connection rate limit exceeded</match> <same_source_ip /> <description>SMTP connection throttle; usually BOTNET activity.</description> </rule> and for RBLs and /etc/mail/access matches: <rule id="6001" level="10" frequency="4" ignore="5"> <match>reject=553 5.3.0</match> <regex>Message from.*blocked</regex> <regex>Rejected due to abuse</regex> <same_source_ip /> <description>Excessive general connections from RBL and access rejections</description> </rule> Still working on it - constructive criticism/input appreciated ;-)
