I think that you were hit with the same problem as I was, and that I
asked on the list just a couple of hours ago.
Charles
---------------------------
I believe that I have found a bug in ossec related to whitelisting
for failed ssh logins
The problem is that sshd logs the failures AFTER reverse looking up
the IP address, for example:
Sep 28 11:56:58 www sshd(pam_unix)[11034]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=2.red-98-2-137.staticip.rima-tde.net user=root
where "2.red-98-2-137.staticip.rima-tde.net" is the reverse lookup on
my ADSL's IP address of 137.2.98.2.
I have my static IP (137.2.98.2) in the whitelist, but the problem is
that ossec sees in the log "2.red-98-2-137.staticip.rima-tde.net"
and the active-response script is executed anyways.
I can see two solutions:
1) to be able to add host names (instead of just IPs) to the
whitelist but I get a configuration error on startup if I try.
2) reconfigure sshd so that it does not perform the reverse lookups,
but I have been unable to figure out how to do this.
Does anyone have a solution for this?
Thanks,
Charles
PS. This happens both on RedHat 9 and RHEL 4.
On Sep 28, 2006, at 20:49 , Forrest Aldrich wrote:
I just had a nasty incident with OSSEC blocking me via active-response (ssh error) -- I almost had to take a drive down to the co-lo to fix it, if it didn't undo.
Point being, OSSEC should *never* block anything in the white
list. Period.
Is this a feature or a bug??
_F
____________________________________________________
Institut Balear de Comunicacions, S.L.
Gremio Tejedores 22, 1
07009 Palma de Mallorca, Spain
Tel: +34 971.45.90.99 | Mobile: +34 607.87.12.77
Fax: +34 971.43.08.18 | E-mail: [EMAIL PROTECTED]
URL: http://www.ibacom.es/
____________________________________________________
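The mismatch described in the thread (sshd's pam_unix line carries the reverse-resolved hostname in `rhost=`, while the whitelist holds the bare IP) can be reproduced and corrected in a few lines. The following is an added example for this thread, not code from OSSEC or from either poster: it parses a log line modelled on the one above, shows that a plain string comparison against the whitelist fails, and then forward-resolves the hostname before comparing. The log line, the whitelist, and the `FAKE_DNS` table are constructed so the example runs offline; `lookup_via_dns` is the resolver a real deployment would use instead.

```python
import ipaddress
import re
import socket
from typing import Callable, Dict, List, Optional

# Constructed sample, modelled on the pam_unix line quoted in the thread.
# sshd has already reverse-resolved the client address, so rhost= carries a
# hostname rather than the IP literal that appears in the whitelist.
SAMPLE_LOG = (
    "Sep 28 11:56:58 www sshd(pam_unix)[11034]: authentication failure; "
    "logname= uid=0 euid=0 tty=NODEVssh ruser= "
    "rhost=2.red-98-2-137.staticip.rima-tde.net user=root"
)

# Constructed stand-in for DNS so the example runs offline. A real deployment
# would pass lookup_via_dns (below) as the resolver instead.
FAKE_DNS: Dict[str, List[str]] = {
    "2.red-98-2-137.staticip.rima-tde.net": ["137.2.98.2"],
}

Resolver = Callable[[str], List[str]]
RHOST_RE = re.compile(r"\brhost=(?P<rhost>\S+)")


def extract_rhost(line: str) -> Optional[str]:
    """Pull the rhost= value out of a pam_unix 'authentication failure' line."""
    m = RHOST_RE.search(line)
    return m.group("rhost") if m else None


def is_ip_literal(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def resolve_candidates(rhost: str, resolver: Resolver) -> List[str]:
    """Return the addresses an rhost value may stand for.

    An IP literal is returned as-is. A hostname is forward-resolved (A/AAAA):
    the name came from sshd's reverse (PTR) lookup, and resolving it forward
    is the only way back to an address that can be compared with an IP
    whitelist. A name that does not resolve yields no candidates and is
    therefore treated as NOT whitelisted.
    """
    if is_ip_literal(rhost):
        return [rhost]
    return resolver(rhost)


def is_whitelisted(rhost: str, whitelist: List[str], resolver: Resolver) -> bool:
    """True only if every address rhost resolves to lies inside the whitelist.

    Requiring all resolved addresses to match (rather than any) keeps a name
    that maps to a mix of trusted and untrusted addresses from being trusted.
    """
    nets = [ipaddress.ip_network(w, strict=False) for w in whitelist]
    candidates = resolve_candidates(rhost, resolver)
    if not candidates:
        return False
    return all(
        any(ipaddress.ip_address(c) in n for n in nets) for c in candidates
    )


def naive_is_whitelisted(rhost: str, whitelist: List[str]) -> bool:
    """The string comparison that produces the false block described in the thread."""
    return rhost in whitelist


def fake_resolver(hostname: str) -> List[str]:
    """Offline resolver backed by the constructed FAKE_DNS table."""
    return FAKE_DNS.get(hostname, [])


def lookup_via_dns(hostname: str) -> List[str]:
    """Real forward lookup via the system resolver (not used in the offline demo)."""
    try:
        infos = socket.getaddrinfo(hostname, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


if __name__ == "__main__":
    rhost = extract_rhost(SAMPLE_LOG)
    whitelist = ["137.2.98.2"]
    print("rhost from log      :", rhost)
    print("naive string match  :", naive_is_whitelisted(rhost, whitelist))
    print("resolved IP match   :", is_whitelisted(rhost, whitelist, fake_resolver))
```

The second approach the thread mentions, stopping sshd from doing the reverse lookup in the first place, is controlled by the `UseDNS` option in `sshd_config`; with `UseDNS no` the `rhost=` field carries the IP literal and the whitelist comparison works without any resolution step. Either way, a forward-resolved check like the one above should be treated as a fallback, since a PTR name that does not forward-resolve (or resolves to a different address) must never be taken as proof that the source is trusted.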