Sometimes when OpenSSH cannot figure out the IP or hostname of the system trying to connect to it, it logs "UNKNOWN" instead.
On Wed, Jul 27, 2011 at 11:02 AM, Chris Phillips <[email protected]> wrote:
> Hi All,
>
> I have just seen something quite odd in my active-responses.log: -
>
> Wed Jul 27 15:31:44 BST 2011 /var/ossec/active-response/bin/host-deny.sh add - UNKNOWN 1311777104.54981959 5706
> Wed Jul 27 15:31:44 BST 2011 /var/ossec/active-response/bin/firewall-drop.sh add - UNKNOWN 1311777104.54981959 5706
> Wed Jul 27 15:31:44 BST 2011 Invalid ip/hostname entry: UNKNOWN
> Wed Jul 27 15:31:44 BST 2011 Unable to run (iptables returning != 2): 1 - /var/ossec/active-response/bin/firewall-drop.sh add - UNKNOWN 1311777104.54981959 5706
> Wed Jul 27 15:31:45 BST 2011 Unable to run (iptables returning != 2): 2 - /var/ossec/active-response/bin/firewall-drop.sh add - UNKNOWN 1311777104.54981959 5706
> Wed Jul 27 15:31:47 BST 2011 Unable to run (iptables returning != 2): 3 - /var/ossec/active-response/bin/firewall-drop.sh add - UNKNOWN 1311777104.54981959 5706
> Wed Jul 27 15:31:50 BST 2011 Unable to run (iptables returning != 2): 4 - /var/ossec/active-response/bin/firewall-drop.sh add - UNKNOWN 1311777104.54981959 5706
> Wed Jul 27 15:31:54 BST 2011 Unable to run (iptables returning != 2): 5 - /var/ossec/active-response/bin/firewall-drop.sh add - UNKNOWN 1311777104.54981959 5706
> Wed Jul 27 15:31:59 BST 2011 Unable to run (iptables returning != 2): 6 - /var/ossec/active-response/bin/firewall-drop.sh add - UNKNOWN 1311777104.54981959 5706
> Wed Jul 27 15:42:14 BST 2011 /var/ossec/active-response/bin/firewall-drop.sh delete - UNKNOWN 1311777104.54981959 5706
> Wed Jul 27 15:42:14 BST 2011 /var/ossec/active-response/bin/host-deny.sh delete - UNKNOWN 1311777104.54981959 5706
> Wed Jul 27 15:42:14 BST 2011 Invalid ip/hostname entry: UNKNOWN
> Wed Jul 27 15:42:14 BST 2011 Unable to run (iptables returning != 2): 1 - /var/ossec/active-response/bin/firewall-drop.sh delete - UNKNOWN 1311777104.54981959 5706
> Wed Jul 27 15:42:15 BST 2011 Unable to run (iptables returning != 2): 2 - /var/ossec/active-response/bin/firewall-drop.sh delete - UNKNOWN 1311777104.54981959 5706
> Wed Jul 27 15:42:17 BST 2011 Unable to run (iptables returning != 2): 3 - /var/ossec/active-response/bin/firewall-drop.sh delete - UNKNOWN 1311777104.54981959 5706
> Wed Jul 27 15:42:20 BST 2011 Unable to run (iptables returning != 2): 4 - /var/ossec/active-response/bin/firewall-drop.sh delete - UNKNOWN 1311777104.54981959 5706
> Wed Jul 27 15:42:24 BST 2011 Unable to run (iptables returning != 2): 5 - /var/ossec/active-response/bin/firewall-drop.sh delete - UNKNOWN 1311777104.54981959 5706
> Wed Jul 27 15:42:29 BST 2011 Unable to run (iptables returning != 2): 6 - /var/ossec/active-response/bin/firewall-drop.sh delete - UNKNOWN 1311777104.54981959 5706
> h|grep 89.195.5.167
>
> Please can someone shed some light on it?
>
> Cheers,
> --
> ChrisP
>
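The quoted log shows the active-response scripts being handed the literal string UNKNOWN as the source address and then retrying iptables six times. Below is an added example, not OSSEC's own firewall-drop.sh or host-deny.sh, of the argument check a response script can run before it touches iptables, so that an unresolvable source is logged once and skipped rather than retried. It assumes the argument order visible in the log lines (action, user, source IP, alert id, rule id); the function names are my own.

```shell
#!/bin/sh
# Added example (not OSSEC's firewall-drop.sh): validate the source-IP argument
# that an active-response script receives before passing it to iptables.
# Assumed argument order, taken from the log lines above:
#   $1 = action (add/delete)  $2 = user  $3 = source IP  $4 = alert id  $5 = rule id

# is_valid_ipv4 STRING -> returns 0 only for a dotted-quad IPv4 address
is_valid_ipv4() {
    ip="$1"
    case "$ip" in
        ""|*[!0-9.]*) return 1 ;;   # empty, or contains anything but digits/dots
    esac
    # Split on dots: must be exactly four non-empty octets, each 0-255.
    oldifs="$IFS"; IFS=.
    set -- $ip
    IFS="$oldifs"
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] || return 1           # rejects "1..2.3" and ".1.2.3"
        [ "$octet" -le 255 ] || return 1      # rejects "1.2.3.999"
    done
    return 0
}

# check_srcip STRING -> 0 if the address may be passed to iptables; otherwise
# writes one log line to stderr and returns 1 so the caller can exit cleanly.
check_srcip() {
    if is_valid_ipv4 "$1"; then
        return 0
    fi
    echo "$(date) Skipping active response: invalid ip/hostname entry: $1" >&2
    return 1
}

# How a response script would use it (illustrative, the iptables call is
# commented out so this file runs without root or a firewall):
#   ACTION="$1"; USER="$2"; IP="$3"
#   check_srcip "$IP" || exit 1
#   /sbin/iptables -I INPUT -s "$IP" -j DROP
```

Rejecting UNKNOWN up front does not block the offending host (there is no address to block), but it keeps the retry noise out of active-responses.log and makes the "no source IP" case visible as a single, grep-able line.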
