My recollection of what sshd does here is use the IP address to get a PTR, then use the name returned by that lookup to find the IP address. If this fails or if they don't match, then the error message is produced. So, the IP address is actually in a previous log entry in which the connection occurs. This technique started way back in the rsh days and was an attempt to stop some spoofed attacks. TCPwrappers also has this feature I think.
Other than modifying the sshd source to include the IP address in the message as well, I don't know how you might get around this, unless there is some rule-writing magic (log correlation) that can occur so that the IP address is captured for later retrieval.

-- 
Shane Castle
Data Security Mgr, Boulder County IT
CISSP GSEC GCIH

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Joel Brooks
Sent: Thursday, February 24, 2011 14:30
To: ossec-list
Subject: [ossec-list] active response - firewall drop

hey gang,

OK, on to a new problem with active responses... I've got active responses working. The one I'm mainly interested in right now is the SSHD brute force rule/response (rule id=5712). When this rule is matched, the firewall drop command is executed, but the active-response.log shows:

Thu Feb 24 16:07:28 EST 2011 Unable to run (iptables returning != 2): 1 - /var/ossec/active-response/bin/firewall-drop.sh delete - berlin219.server4you.de 1298581018.65613 5703
Thu Feb 24 16:07:29 EST 2011 Unable to run (iptables returning != 2): 2 - /var/ossec/active-response/bin/firewall-drop.sh delete - berlin219.server4you.de 1298581018.65613 5703

Running the script by hand, I see that the script is being called with a hostname, not an IP address, so iptables rejects the rule. The hostname in the active-response.log is not resolvable. My /var/log/secure shows:

2011-02-24T15:56:52.505288-05:00 linode0 sshd[17907]: reverse mapping checking getaddrinfo for berlin219.server4you.de failed - POSSIBLE BREAK-IN ATTEMPT!
/var/log/secure:2011-02-24T15:56:52.594892-05:00 linode0 sshd[17909]: reverse mapping checking getaddrinfo for berlin219.server4you.de failed - POSSIBLE BREAK-IN ATTEMPT!

Is there a way to get the IP for this rule instead of the hostname?

thanks,
J
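The log-correlation idea from the reply above, worked through as an added example (this is not OSSEC code and not code posted by either participant). Each sshd child logs under its own pid, so the "reverse mapping ... failed" line can be paired with any other line from the same host and pid that carries a literal client address. The sample log is constructed; it assumes sshd is logging at a level that emits "Connection from <ip> port <n>" lines (LogLevel VERBOSE in OpenSSH), and it also handles the case where the address only shows up later, in an "Invalid user ... from <ip>" or "Failed password ... from <ip>" line. The hypothetical firewall_drop_args helper mirrors the argument order visible in the active-response.log excerpt and refuses to build a command for anything that is not an IP literal, which is exactly the failure iptables reported in the thread.

```python
import ipaddress
import re

# Constructed sample: the two reverse-mapping lines follow the format quoted in
# the thread; the surrounding lines are invented to show the correlation.
SAMPLE_LOG = """\
2011-02-24T15:56:52.401000-05:00 linode0 sshd[17907]: Connection from 192.0.2.10 port 51234
2011-02-24T15:56:52.505288-05:00 linode0 sshd[17907]: reverse mapping checking getaddrinfo for berlin219.server4you.de failed - POSSIBLE BREAK-IN ATTEMPT!
2011-02-24T15:56:52.594892-05:00 linode0 sshd[17909]: reverse mapping checking getaddrinfo for berlin219.server4you.de failed - POSSIBLE BREAK-IN ATTEMPT!
2011-02-24T15:56:53.100000-05:00 linode0 sshd[17909]: Invalid user admin from 192.0.2.10
2011-02-24T15:56:55.200000-05:00 linode0 sshd[17907]: Failed password for root from 192.0.2.10 port 51234 ssh2
2011-02-24T15:57:10.000000-05:00 linode0 sshd[18001]: reverse mapping checking getaddrinfo for host.invalid failed - POSSIBLE BREAK-IN ATTEMPT!
"""

# syslog line in the ISO-timestamp form shown in the thread: ts host sshd[pid]: msg
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+sshd\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$")
# Some sshd builds print the address in brackets after the name; older ones
# (like the one in the thread) do not, so the bracketed group is optional.
REVMAP_RE = re.compile(
    r"^reverse mapping checking getaddrinfo for (?P<name>\S+)"
    r"(?: \[(?P<ip>[0-9.]+)\])? failed"
)
# Any other sshd message that names the peer as "from <ipv4>".
IP_RE = re.compile(r"\bfrom (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\b")


def correlate(log_text):
    """Pair every 'reverse mapping ... failed' event with the client IP that
    the same sshd child (same host + pid) logs in a neighbouring line.

    Returns (resolved, unresolved): resolved is a list of (hostname, ip, pid)
    tuples in the order they could be paired; unresolved maps (host, pid) to
    the hostname for events that never got an address in the input.
    """
    pending = {}    # (host, pid) -> hostname still waiting for an address
    known_ip = {}   # (host, pid) -> address already seen for that child
    resolved = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not an sshd line
        key = (m["host"], m["pid"])
        msg = m["msg"]
        rm = REVMAP_RE.match(msg)
        if rm:
            if rm["ip"]:                    # address printed by sshd itself
                resolved.append((rm["name"], rm["ip"], key[1]))
            elif key in known_ip:           # "Connection from" came first
                resolved.append((rm["name"], known_ip[key], key[1]))
            else:                           # wait for a later line with the IP
                pending[key] = rm["name"]
            continue
        im = IP_RE.search(msg)
        if im:
            known_ip[key] = im["ip"]
            if key in pending:
                resolved.append((pending.pop(key), im["ip"], key[1]))
    return resolved, dict(pending)


def is_ip_literal(value):
    """True only for a literal IPv4/IPv6 address; hostnames are rejected."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def firewall_drop_args(action, target, alert_id, rule_id):
    """Hypothetical guard in front of the firewall-drop.sh call: build the
    argument list in the order seen in active-response.log, but only when
    the target is an address iptables can actually use."""
    if not is_ip_literal(target):
        raise ValueError("refusing to call firewall-drop.sh with a hostname: %r" % target)
    return ["/var/ossec/active-response/bin/firewall-drop.sh", action, "-", target, alert_id, str(rule_id)]


if __name__ == "__main__":
    done, left = correlate(SAMPLE_LOG)
    for name, ip, pid in done:
        print("pid %s: %s -> %s" % (pid, name, ip), firewall_drop_args("add", ip, "1298581018.65613", 5703))
    for (host, pid), name in left.items():
        print("pid %s on %s: no address seen for %s, cannot block" % (pid, host, name))
```

The unresolved bucket is the important part for an active response: when no line for that pid ever carries an address (as with pid 18001 above), the right outcome is to block nothing rather than to hand iptables a name, which is what produced the "iptables returning != 2" errors in the thread.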
