Hi Charles,
I have to agree with you that we need to fix it. I will add an option for white-listing of hostnames to be available on the next version (and on the next snapshot).

To fix your problem temporarily, you can configure your sshd daemon not to perform reverse lookups (by changing UseDNS to "no" in sshd_config). I think that in your PAM config you can also disable reverse name lookups for other services ...

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On 9/28/06, kef_list <[EMAIL PROTECTED]> wrote:
Hi guys,

I believe that I have found a bug in ossec related to whitelisting for failed ssh logins. The problem is that sshd logs the failures AFTER reverse looking up the IP address, for example:

Sep 28 11:56:58 www sshd(pam_unix)[11034]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=2.red-98-2-137.staticip.rima-tde.net user=root

where "2.red-98-2-137.staticip.rima-tde.net" is the reverse lookup on my ADSL's IP address of 137.2.98.2.

I have my static IP (137.2.98.2) in the whitelist, but the problem is that ossec sees "2.red-98-2-137.staticip.rima-tde.net" in the log and the active-response script is executed anyway.

I can see two solutions:

1) to be able to add host names (instead of just IPs) to the whitelist, but I get a configuration error on startup if I try.

2) reconfigure sshd so that it does not perform the reverse lookups, but I have been unable to figure out how to do this.

Does anyone have a solution for this?

Thanks,
Charles

P.S. This happens both on RedHat 9 and RHEL 4.

____________________________________________________
Institut Balear de Comunicacions, S.L.
Gremio Tejedores 22, 1
07009 Palma de Mallorca, Spain
Tel: +34 971.45.90.99 | Mobile: +34 607.87.12.77
Fax: +34 971.43.08.18 | E-mail: [EMAIL PROTECTED]
URL: http://www.ibacom.es/
____________________________________________________
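The mismatch Charles describes is easy to reproduce without OSSEC: the `rhost=` field that sshd's pam_unix module writes is a reverse-resolved hostname when UseDNS is on, so an IP-only whitelist never matches it. The following Python script is an added illustration, not OSSEC's own white_list code. It parses the pam_unix "authentication failure" format, extracts `rhost=`, and checks it against a small whitelist that accepts both IP/CIDR entries and hostnames (a generalisation of the page's single-IP case). The first sample log line is the one from the thread; the other two are constructed to show the raw-IP form you get with `UseDNS no` and an unrelated source. The `Whitelist` class and `decide()` function are hypothetical names chosen for this example.

```python
import ipaddress
import re

# Constructed sample log. Line 1 is the thread's own example (hostname form,
# UseDNS on); line 2 is the same client as it would appear with UseDNS no;
# line 3 is an unrelated address that should never be whitelisted.
SAMPLE_LOG = """\
Sep 28 11:56:58 www sshd(pam_unix)[11034]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=2.red-98-2-137.staticip.rima-tde.net user=root
Sep 28 11:57:10 www sshd(pam_unix)[11035]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=137.2.98.2 user=root
Sep 28 11:58:00 www sshd(pam_unix)[11036]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=203.0.113.7 user=root
"""

# pam_unix writes "rhost=<value>" as a space-delimited key=value token.
RHOST_RE = re.compile(r"\brhost=(\S*)")


def extract_rhost(line):
    """Return the rhost= value of a pam_unix failure line, or None if absent/empty."""
    m = RHOST_RE.search(line)
    return m.group(1) if m and m.group(1) else None


def is_ip(value):
    """True if value parses as an IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


class Whitelist:
    """Hypothetical whitelist that accepts IPs, CIDR networks and hostnames.

    OSSEC at the time of this thread only accepted IPs; this class shows what
    matching has to do once hostnames are allowed as well.
    """

    def __init__(self, entries):
        self.networks = []
        self.hostnames = set()
        for entry in entries:
            try:
                # Plain IPs become /32 (or /128) networks; CIDRs are kept as-is.
                self.networks.append(ipaddress.ip_network(entry, strict=False))
            except ValueError:
                # Anything that is not an address is treated as a hostname.
                self.hostnames.add(entry.lower().rstrip("."))

    def allows(self, rhost):
        """True if rhost (IP or hostname) is covered by the whitelist."""
        if rhost is None:
            return False
        if is_ip(rhost):
            addr = ipaddress.ip_address(rhost)
            return any(addr in net for net in self.networks)
        return rhost.lower().rstrip(".") in self.hostnames


def decide(log_text, whitelist):
    """For each failure line, return (rhost, action): 'skip' if whitelisted, else 'block'."""
    decisions = []
    for line in log_text.splitlines():
        if "authentication failure" not in line:
            continue
        rhost = extract_rhost(line)
        action = "skip" if whitelist.allows(rhost) else "block"
        decisions.append((rhost, action))
    return decisions


if __name__ == "__main__":
    # IP-only whitelist, as in the thread: the reverse-resolved line is NOT matched.
    ip_only = Whitelist(["137.2.98.2"])
    for rhost, action in decide(SAMPLE_LOG, ip_only):
        print(f"ip-only   {action:5} {rhost}")
    # Whitelist that also carries the hostname: both forms of the client are skipped.
    both = Whitelist(["137.2.98.2", "2.red-98-2-137.staticip.rima-tde.net"])
    for rhost, action in decide(SAMPLE_LOG, both):
        print(f"ip+host   {action:5} {rhost}")
```

With the IP-only whitelist the hostname line is still reported as "block", which is exactly the active-response misfire in the report; adding the hostname entry (or turning off UseDNS so sshd logs the raw address) makes the same client match. Hostname matching is string comparison on what sshd logged, so it is only as trustworthy as the reverse DNS behind it.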
