I resolved the issue by adding a frequency and timeframe so that the anonymous user that IE tries to log in with at the beginning does not lock me out. Now I see a few attempts for the anonymous user; however, I can still log in using the actual account before being locked out in hosts.deny. This is still secure because you only have 4 attempts.
<!-- proftpd no such user - invalid_login group ! the timeout helped with anonymous user IE issue -->
<rule id="100002" level="9" frequency="4" timeframe="100">
  <if_matched_sid>11203</if_matched_sid>
  <options>alert_by_email</options>
  <same_source_ip />
  <description>Attempt to login using a non-existent user.</description>
</rule>

<!-- PAM - authentication_failures group -->
<rule id="100003" level="10" frequency="8" timeframe="200">
  <if_sid>5551</if_sid>
  <if_matched_sid>5503</if_matched_sid>
  <options>alert_by_email</options>
  <same_source_ip />
  <description>Multiple failed logins in a small period of time.</description>
</rule>

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of cyberwatchers
Sent: Sunday, May 23, 2010 5:00 PM
To: ossec-list
Subject: [ossec-list] OSSEC / Proftpd Alert Issue

I was wondering if anyone who has had experience using OSSEC could help me out. I added a custom rule to my local_rule.xml file which looks like:

<rule id="1100002" level="3">
  <if_sid>11200</if_sid>
  <match>FTP session opened.$</match>
  <options>alert_by_email</options>
  <description>FTP session opened.</description>
</rule>

I need to be alerted when anyone logs in via proftpd; however, when I raise the level to 7 or above, I get an alert emailed to me saying FTP Session Opened, but I can no longer FTP into the site because active response places my IP in the hosts.deny, because the OSSEC alert log says:

** Alert 1274635734.53838: - syslog,proftpd,invalid_login,
2010 May 23 13:28:54 cyberserve.cyberwatchers.local->/var/log/proftpd.log
Rule: 11203 (level 5) -> 'Attempt to login using a non-existent user.'
Src IP: 173.100.213.174
User: (none)
May 23 13:28:52 cyberserve.cyberwatchers.local proftpd[13172] cyberserve.cyberwatchers.local (173.100.213.xxx[173.100.213.xxx]): USER anonymous: no such user found from 173.100.213.xxx [173.100.213.xxx] to 10.1.1.7:21

I am currently running ossec locally on the proftpd server, which is running Centos 5.
All the logs are going into /var/log/proftpd.log... I am not using syslog because I am using syslog-ng to gather logs both locally and from remote clients. So with that being said, the ftp logs I am having the issue with are local to the box itself. Any help would be super!
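As an added illustration of how the frequency / timeframe / same_source_ip combination in the rules above behaves, the following Python model (example code written for this page, not OSSEC's correlation engine and not the poster's configuration) replays constructed proftpd log lines through a rule-11203-style "no such user" match and a 100002-style composite rule. The log format mirrors the line quoted in the thread, the client IPs are documentation placeholders, the year assumed for the syslog timestamps is 2010, and the window/reset logic is a simplified model rather than a reproduction of OSSEC's internal counting.

```python
"""Simplified model of the thread's composite rule: rule 100002 fires when the
rule-11203 event (proftpd 'no such user found') has matched `frequency` times
from the same source IP inside a sliding `timeframe` of seconds."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed parser for the proftpd line quoted in the thread (hypothetical regex).
NO_SUCH_USER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ proftpd\[\d+\] \S+ "
    r"\(\S+?\[(?P<src>[^\]]+)\]\): USER (?P<user>\S+): no such user found"
)


def parse_ts(ts):
    # syslog lines carry no year; the thread is from 2010, so that year is assumed
    return datetime.strptime(ts + " 2010", "%b %d %H:%M:%S %Y").timestamp()


class SameSourceFrequencyRule:
    """Models <frequency>/<timeframe>/<same_source_ip/> over matches of a base rule."""

    def __init__(self, rule_id, frequency, timeframe):
        self.rule_id = rule_id
        self.frequency = frequency
        self.timeframe = timeframe
        self.seen = defaultdict(deque)  # src ip -> timestamps of base-rule matches

    def feed(self, src, t):
        q = self.seen[src]
        q.append(t)
        # drop matches that fell out of the sliding timeframe
        while q and t - q[0] > self.timeframe:
            q.popleft()
        if len(q) >= self.frequency:
            q.clear()  # this model resets after firing so one burst yields one alert
            return True
        return False


def correlate(log_text, frequency=4, timeframe=100):
    """Return (base_rule_matches, composite_alerts) for a block of proftpd log text."""
    rule = SameSourceFrequencyRule("100002", frequency, timeframe)
    base_matches, alerts = [], []
    for line in log_text.splitlines():
        m = NO_SUCH_USER.match(line)
        if not m:
            continue  # not a rule-11203 event (e.g. a successful login)
        base_matches.append((m["src"], m["user"]))
        if rule.feed(m["src"], parse_ts(m["ts"])):
            alerts.append((rule.rule_id, m["src"], m["ts"]))
    return base_matches, alerts


def proftpd_line(ts, src, user):
    # constructed sample line in the shape quoted in the thread
    return (f"{ts} ftp1 proftpd[13172] ftp1 ({src}[{src}]): USER {user}: "
            f"no such user found from {src} [{src}] to 10.1.1.7:21")


# Constructed sample log: an IE-style client, a fast username-guessing burst, a slow one.
SAMPLE_LOG = "\n".join([
    # IE-style client: two 'anonymous' probes, then a real login (not a 11203 event)
    proftpd_line("May 23 13:28:52", "192.0.2.10", "anonymous"),
    proftpd_line("May 23 13:28:53", "192.0.2.10", "anonymous"),
    "May 23 13:28:55 ftp1 proftpd[13172] ftp1 (192.0.2.10[192.0.2.10]): USER alice: Login successful.",
    # fast: four non-existent usernames in three seconds from one source
    proftpd_line("May 23 13:29:10", "198.51.100.7", "admin"),
    proftpd_line("May 23 13:29:11", "198.51.100.7", "test"),
    proftpd_line("May 23 13:29:12", "198.51.100.7", "backup"),
    proftpd_line("May 23 13:29:13", "198.51.100.7", "oracle"),
    # slow: four failures a minute apart, never four inside 100 s
    proftpd_line("May 23 13:30:00", "203.0.113.5", "ftp"),
    proftpd_line("May 23 13:31:00", "203.0.113.5", "ftp"),
    proftpd_line("May 23 13:32:00", "203.0.113.5", "ftp"),
    proftpd_line("May 23 13:33:00", "203.0.113.5", "ftp"),
])

if __name__ == "__main__":
    matches, fired = correlate(SAMPLE_LOG)
    print(f"{len(matches)} rule-11203 events, composite alerts: {fired}")
```

With the thread's values (frequency 4, timeframe 100) only the burst from 198.51.100.7 raises 100002; the IE client's two anonymous probes stay below the threshold and the slow source never has four events inside one window. Re-running `correlate(SAMPLE_LOG, frequency=2)` makes the IE client the first source to fire, which is the lockout the poster was seeing before adding the frequency and timeframe.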
