Hi guys,
I believe that I have found a bug in ossec related to whitelisting
for failed ssh logins
The problem is that sshd logs the failures AFTER reverse looking up
the IP address, for example:
Sep 28 11:56:58 www sshd(pam_unix)[11034]: authentication failure;
logname= uid=0 euid=0 tty=NODEVssh ruser=
rhost=2.red-98-2-137.staticip.rima-tde.net user=root
where "2.red-98-2-137.staticip.rima-tde.net" is the reverse lookup on
my ADSL's IP address of 137.2.98.2.
I have my static IP (137.2.98.2) in the whitelist, but the problem is
that ossec sees in the log "2.red-98-2-137.staticip.rima-tde.net"
and the active-response script is executed anyway.
I can see two solutions:
1) to be able to add host names (instead of just IPs) to the
whitelist but I get a configuration error on startup if I try.
2) reconfigure sshd so that it does not perform the reverse lookups,
but I have been unable to figure out how to do this.
Does anyone have a solution for this?
Thanks,
Charles
PD. This happens both on RedHat 9 and RHEL 4.
____________________________________________________
Institut Balear de Comunicacions, S.L.
Gremio Tejedores 22, 1
07009 Palma de Mallorca, Spain
Tel: +34 971.45.90.99 | Mobile: +34 607.87.12.77
Fax: +34 971.43.08.18 | E-mail: [EMAIL PROTECTED]
URL: http://www.ibacom.es/
____________________________________________________
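The mismatch described in the post (a whitelist of IP addresses compared against a log line that carries a reverse-resolved hostname) can be shown with a small example. This is an added illustration, not code from the post, from OSSEC, or from OpenSSH: it parses the `rhost=` field of a constructed pam_unix failure line, contrasts a literal string comparison (which misses, as the poster saw) with a comparison after mapping the host back to an address, and shows the case where sshd logs the bare IP (OpenSSH's `UseDNS no` in `sshd_config` turns off the reverse lookup, so the `rhost=` field then holds the address). The `resolver` argument is an assumption of the example so the lookup can be replaced offline; the sample line and the hostname-to-IP table are constructed.

```python
import re
import socket
from ipaddress import ip_address, ip_network

# Constructed sample line modelled on the one quoted in the post (not real log data).
SAMPLE_LINE = ("Sep 28 11:56:58 www sshd(pam_unix)[11034]: authentication failure; "
               "logname= uid=0 euid=0 tty=NODEVssh ruser= "
               "rhost=2.red-98-2-137.staticip.rima-tde.net user=root")

# Same event as it would appear with reverse lookups disabled in sshd (UseDNS no).
SAMPLE_LINE_NODNS = SAMPLE_LINE.replace("2.red-98-2-137.staticip.rima-tde.net", "137.2.98.2")

RHOST_RE = re.compile(r"\brhost=(\S+)")


def extract_rhost(line):
    """Return the rhost= value of a pam_unix 'authentication failure' line, or None."""
    m = RHOST_RE.search(line)
    return m.group(1) if m else None


def is_ip(value):
    """True when value parses as an IPv4/IPv6 address."""
    try:
        ip_address(value)
        return True
    except ValueError:
        return False


def naive_whitelisted(rhost, whitelist):
    """String comparison only: this is the behaviour the post describes,
    where a whitelisted IP never matches a logged hostname."""
    return rhost in whitelist


def normalize_to_ip(rhost, resolver=socket.gethostbyname):
    """Map the logged rhost to an address string.
    If sshd already logged an IP (UseDNS no) return it unchanged; otherwise
    resolve the name with `resolver` (hypothetical injection point so the
    example runs offline). Returns None when the name cannot be resolved."""
    if rhost is None:
        return None
    if is_ip(rhost):
        return rhost
    try:
        return resolver(rhost)
    except (socket.gaierror, KeyError):
        return None


def whitelisted(rhost, whitelist, resolver=socket.gethostbyname):
    """True when the login source falls inside any IP or CIDR entry of the whitelist."""
    ip = normalize_to_ip(rhost, resolver)
    if ip is None:
        return False
    addr = ip_address(ip)
    return any(addr in ip_network(entry, strict=False) for entry in whitelist)


def should_block(line, whitelist, resolver=socket.gethostbyname):
    """Decision an active-response hook would take for one log line: block unless whitelisted."""
    return not whitelisted(extract_rhost(line), whitelist, resolver)


if __name__ == "__main__":
    # Constructed offline resolver standing in for DNS.
    table = {"2.red-98-2-137.staticip.rima-tde.net": "137.2.98.2"}
    wl = ["137.2.98.2"]
    print("literal match :", naive_whitelisted(extract_rhost(SAMPLE_LINE), wl))
    print("after resolve :", whitelisted(extract_rhost(SAMPLE_LINE), wl, table.__getitem__))
    print("UseDNS no line:", whitelisted(extract_rhost(SAMPLE_LINE_NODNS), wl))
```

Resolving the logged name at response time means trusting whatever the reverse record said when sshd wrote the line, and it can change between the log write and the lookup; making sshd log the address in the first place (the `UseDNS no` route) removes that dependency, which is why the example treats an already-numeric `rhost=` as the preferred input.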