Daniel,

Thanks!

Charles

On Sep 29, 2006, at 02:14 , Daniel Cid wrote:


Hi Charles,

I have to agree with you that we need to fix it. I will add an option
for white-listing of hostnames to be available on the next version
(and on the next snapshot).
To fix your problem temporarily, you can configure your sshd daemon to
not perform reverse lookups (by changing UseDNS to "no" in sshd_config).

*I think that in your PAM config you can also disable reverse name lookups for
other services ...

Hope it helps..

--
Daniel B. Cid
dcid ( at ) ossec.net

On 9/28/06, kef_list <[EMAIL PROTECTED]> wrote:

Hi guys,

I believe that I have found a bug in ossec related to whitelisting
for failed ssh logins.


The problem is that sshd logs the failures AFTER reverse looking up
the IP address, for example:


Sep 28 11:56:58 www sshd(pam_unix)[11034]: authentication failure;
logname= uid=0 euid=0 tty=NODEVssh ruser=
rhost=2.red-98-2-137.staticip.rima-tde.net  user=root

where "2.red-98-2-137.staticip.rima-tde.net" is the reverse lookup on
my ADSL's IP address of 137.2.98.2.


I have my static IP (137.2.98.2) in the whitelist, but the problem is
that ossec sees in the log "2.red-98-2-137.staticip.rima-tde.net"
and the active-response script is executed anyways.

I can see two solutions:

1) to be able to add host names (instead of just IPs) to the
whitelist, but I get a configuration error on startup if I try.
2) reconfigure sshd so that it does not perform the reverse lookups,
but I have been unable to figure out how to do this.

Does anyone have a solution for this?

Thanks,
Charles

P.S. This happens both on RedHat 9 and RHEL 4.



____________________________________________________
Institut Balear de Comunicacions, S.L.
Gremio Tejedores 22, 1
07009 Palma de Mallorca, Spain
Tel:  +34 971.45.90.99  | Mobile: +34 607.87.12.77
Fax: +34 971.43.08.18  | E-mail: [EMAIL PROTECTED]
URL: http://www.ibacom.es/
____________________________________________________
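
The mismatch reported in this thread, as an added example (not OSSEC code and not written by either poster): a Python check that pulls `rhost=` out of the pam_unix failure line and compares it with a whitelist. The function names, verdict strings, the constructed second log line and the handling of hostname entries are assumptions for illustration.

```python
import ipaddress
import re

# Failure line quoted in the report above, joined onto one line.
HOSTNAME_LINE = (
    "Sep 28 11:56:58 www sshd(pam_unix)[11034]: authentication failure; "
    "logname= uid=0 euid=0 tty=NODEVssh ruser= "
    "rhost=2.red-98-2-137.staticip.rima-tde.net  user=root"
)
# Constructed line: the same failure with the address logged instead of a name.
IP_LINE = HOSTNAME_LINE.replace("2.red-98-2-137.staticip.rima-tde.net", "137.2.98.2")

RHOST_RE = re.compile(r"\brhost=(\S+)")


def extract_rhost(line):
    """Return the rhost= value of a pam_unix failure line, or None if empty."""
    m = RHOST_RE.search(line)
    return m.group(1) if m else None


def split_whitelist(entries):
    """Separate IP/CIDR entries from hostname entries (hypothetical format)."""
    nets, names = [], set()
    for entry in entries:
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            names.add(entry.lower().rstrip("."))
    return nets, names


def check(line, entries):
    """Return (rhost, verdict) for one log line against the whitelist."""
    rhost = extract_rhost(line)
    if rhost is None:
        return None, "no-rhost"
    nets, names = split_whitelist(entries)
    try:
        addr = ipaddress.ip_address(rhost)
    except ValueError:
        # rhost is a name from reverse DNS: an IP-only whitelist cannot match
        # it. A name entry trusts whoever controls that PTR record.
        hit = rhost.lower().rstrip(".") in names
        return rhost, ("whitelisted-by-name" if hit else "hostname-unmatched")
    hit = any(addr in net for net in nets)
    return rhost, ("whitelisted-by-ip" if hit else "not-whitelisted")


if __name__ == "__main__":
    for line in (HOSTNAME_LINE, IP_LINE):
        print(check(line, ["137.2.98.2"]))
```

Running the same check over an existing auth log and counting the "hostname-unmatched" verdicts shows how many failure lines an IP-only whitelist can never cover while reverse lookups stay enabled.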



