Hi all, I've recently had a series of attacks that cause the appropriate level 10 alert to fire; however, on the client they come from, the active response is not running the firewall-drop script. It does work for most of the ssh attacks that come in, adding the iptables rule and removing it 600 seconds later.
The only thing I've noticed that is different is that the host is reported as [EMAIL PROTECTED] instead of a username. I ran the firewall-drop script by hand and enclosed the ? in single quotes ('?'), and it added my iptables rule just fine. I do not know if that has anything to do with it or not, but I wanted to let you know just in case. Here is the alert.

OSSEC HIDS Notification.
2006 Sep 16 07:42:06

Received From: (xxxxx) x.x.x.x.->/var/log/messages
Rule: 11306 fired (level 10) -> "FTP brute force (multiple failed logins)."
Portion of the log(s):

pure-ftpd: ([EMAIL PROTECTED]) [WARNING] Authentication failed for user [Administrator]
pure-ftpd: ([EMAIL PROTECTED]) [WARNING] Authentication failed for user [Administrator]
pure-ftpd: ([EMAIL PROTECTED]) [WARNING] Authentication failed for user [Administrator]
pure-ftpd: ([EMAIL PROTECTED]) [WARNING] Authentication failed for user [Administrator]
pure-ftpd: ([EMAIL PROTECTED]) [WARNING] Authentication failed for user [Administrator]
pure-ftpd: ([EMAIL PROTECTED]) [WARNING] Authentication failed for user [Administrator]
pure-ftpd: ([EMAIL PROTECTED]) [WARNING] Authentication failed for user [Administrator]

--END OF NOTIFICATION

- Joel
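
The failure mode Joel describes is an active-response script being handed a pure-ftpd source field of the form "user@host" (here with "?" as the user) rather than a bare address. The following is an added example, not Joel's script and not OSSEC's own firewall-drop.sh: a hypothetical pre-check that strips the user part, validates that what remains is a dotted-quad IPv4 address, and only then builds the iptables add/remove rule; the rule is printed rather than executed so it can be reviewed without root, and the sample source value is constructed.

```shell
#!/bin/sh
# Hypothetical helper for an active-response script (added example, not
# OSSEC's firewall-drop.sh). pure-ftpd logs the client as "(user@host)",
# so the value the script receives may be "?@198.51.100.7" (user unknown)
# or "alice@198.51.100.7" instead of a plain address.

# Print the host part of "user@host"; a bare value is returned unchanged.
extract_host() {
    case "$1" in
        *@*) printf '%s\n' "${1##*@}" ;;
        *)   printf '%s\n' "$1" ;;
    esac
}

# Succeed only for a syntactically valid dotted-quad IPv4 address.
# Runs in a subshell so the IFS change does not leak to the caller.
is_ipv4() (
    addr=$1
    case "$addr" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, bad chars, empty octet
    esac
    IFS=.
    set -- $addr
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
)

# Build the iptables rule a drop action would apply: "-I" to add the rule,
# "-D" to remove it again after the timeout. Refuses anything that does
# not reduce to a valid IPv4 address instead of passing it to iptables.
drop_rule() {
    action=$1
    host=$(extract_host "$2")
    if ! is_ipv4 "$host"; then
        echo "refusing to act on non-IP source '$2'" >&2
        return 1
    fi
    printf 'iptables %s INPUT -s %s -j DROP\n' "$action" "$host"
}

# Constructed sample matching the "(?@host)" shape from the pure-ftpd log.
drop_rule -I '?@198.51.100.7'
```

Running the block prints the rule that would be added for the constructed sample; wiring it into a real active-response script means replacing the final printf with the actual iptables call.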
