On Mon, Aug 15, 2011 at 9:46 PM, Jason 'XenoPhage' Frisvold <[email protected]> wrote:
> Sorry, apparently the new GPGMail extension I have doesn't quite work right..
> Or I have a setting wrong.. Let's try this again without that enabled...
>
> Hi all,
>
> OSSEC 2.6 on a CentOS 5.6 system.
>
> I was just nailed with an SSH brute force attack which apparently lasted a while. I received a whole bunch of mails from OSSEC about it, yet it did nothing to stop it.. I understand why for some of the messages, but not others.
>
> For instance, the following triggered an active response, as expected, but unfortunately, the attack wasn't stopped because the reverse address was invalid.
>
> OSSEC HIDS Notification.
> 2011 Aug 15 20:53:06
>
> Received From: myserver->/var/log/secure
> Rule: 5703 fired (level 10) -> "Possible breakin attempt (high number of reverse lookup errors)."
> Portion of the log(s):
>
> Aug 15 20:53:05 myserver sshd[23210]: reverse mapping checking getaddrinfo for 122-146-120-139.static.sparqnet.net failed - POSSIBLE BREAK-IN ATTEMPT!
> Aug 15 20:53:01 myserver sshd[23207]: reverse mapping checking getaddrinfo for 122-146-120-139.static.sparqnet.net failed - POSSIBLE BREAK-IN ATTEMPT!
> Aug 15 20:53:01 myserver sshd[23205]: reverse mapping checking getaddrinfo for 122-146-120-139.static.sparqnet.net failed - POSSIBLE BREAK-IN ATTEMPT!
> Aug 15 20:52:57 myserver sshd[23178]: reverse mapping checking getaddrinfo for 122-146-120-139.static.sparqnet.net failed - POSSIBLE BREAK-IN ATTEMPT!
> Aug 15 20:52:57 myserver sshd[23166]: reverse mapping checking getaddrinfo for 122-146-120-139.static.sparqnet.net failed - POSSIBLE BREAK-IN ATTEMPT!
> Aug 15 20:52:54 myserver sshd[23141]: reverse mapping checking getaddrinfo for 122-146-120-139.static.sparqnet.net failed - POSSIBLE BREAK-IN ATTEMPT!
>
> --END OF NOTIFICATION
>
>
> [me@myserver ~]$ host 122-146-120-139.static.sparqnet.net
> Host 122-146-120-139.static.sparqnet.net not found: 3(NXDOMAIN)
> [me@myserver ~]$
>
>
> Sure, I get it. Not sure how to prevent that one, though the forward address is easily handled by another alert, right? Apparently not, though.

Turn off UseDNS in sshd_config?

> Here's the alert that never triggered an active response:
>
>
> OSSEC HIDS Notification.
> 2011 Aug 15 21:02:52
>
> Received From: myserver->/var/log/secure
> Rule: 5551 fired (level 10) -> "Multiple failed logins in a small period of time."
> Portion of the log(s):
>
> Aug 15 21:02:51 myserver sshd[29303]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.146.120.139
> Aug 15 21:02:51 myserver sshd[29302]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.146.120.139
> Aug 15 21:02:47 myserver sshd[29220]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.146.120.139
> Aug 15 21:02:47 myserver sshd[29219]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.146.120.139
> Aug 15 21:02:43 myserver sshd[29213]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.146.120.139
> Aug 15 21:02:43 myserver sshd[29212]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.146.120.139
> Aug 15 21:02:39 myserver sshd[29209]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.146.120.139
> Aug 15 21:02:39 myserver sshd[29208]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.146.120.139
>
> --END OF NOTIFICATION
>
>
> Nothing in the active response log. Nothing in the ossec.log… Here are the last two entries in the ossec.log:
>
> 2011/08/15 19:04:35 ossec-syscheckd: INFO: Ending syscheck scan.
> 2011/08/15 21:09:35 ossec-syscheckd: INFO: Starting syscheck scan.
>
> And a grep of rule 5551 from the active-responses.log:
>
> [root@myserver logs]# grep 5551 active-responses.log
> [root@myserver logs]#

Are there any entries in the agent's active-responses.log (for any AR action, not just this one)? Is AR working? Is execd running?

> So what gives? My active response section in ossec.conf seems to be correct:
>
> <active-response>
> <command>firewall-drop</command>
> <location>local</location>
> <level>6</level>
> <timeout>21600</timeout>
> <repeated_offenders>720,1440,10080</repeated_offenders>
> </active-response>
>
> I'm at a loss.. Any thoughts?
>
> ---------------------------
> Jason 'XenoPhage' Frisvold
> [email protected]
> ---------------------------
> "Any sufficiently advanced magic is indistinguishable from technology."
> - Niven's Inverse of Clarke's Third Law
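Added example (not code from this thread and not OSSEC's own correlator or execd): a small replay of the two notifications above through a frequency / same-source sliding window with an active-response level gate, so the difference between the two alerts can be seen offline. The sample log lines are constructed to match the lines quoted in the two alerts (plus one unrelated "Accepted publickey" line to show that undecoded lines are ignored). The frequency (6) and timeframe (180 s) are assumptions picked for illustration, not values copied from OSSEC's pam_rules.xml or sshd_rules.xml; the rule descriptions and levels are the ones printed in the alerts. The "is this an IPv4 literal" check before emitting firewall-drop is the example's own caveat: the reverse-mapping message only carries the PTR name sshd failed to verify, which is exactly what resolves to NXDOMAIN above, so handing it to an iptables rule cannot block anything.

```python
"""Replay sshd alert lines through a same-source frequency correlator
with an active-response level gate.  Added example, not OSSEC code."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Line shapes from the thread.  pam_unix gives rhost=<ip>; the reverse-mapping
# message only gives the PTR *name* that sshd could not verify.
PAM_FAIL = re.compile(
    r"sshd\[\d+\]: pam_unix\(sshd:auth\): authentication failure;.*?\brhost=(?P<src>\S*)")
REVERSE_FAIL = re.compile(
    r"sshd\[\d+\]: reverse mapping checking getaddrinfo for (?P<src>\S+) failed")
IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")

# (description, level) as printed in the two notifications.
RULES = {
    "pam_fail": ("Multiple failed logins in a small period of time.", 10),
    "reverse_fail": ("Possible breakin attempt (high number of reverse lookup errors).", 10),
}

# Constructed sample log, in the order syslog would have written it.
def _line(ts, pid, msg):
    return f"{ts} myserver sshd[{pid}]: {msg}"

REVERSE_MSG = ("reverse mapping checking getaddrinfo for "
               "122-146-120-139.static.sparqnet.net failed - POSSIBLE BREAK-IN ATTEMPT!")
PAM_MSG = ("pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 "
           "tty=ssh ruser= rhost=122.146.120.139")
SAMPLE_LOG = (
    [_line(t, p, REVERSE_MSG) for t, p in [
        ("Aug 15 20:52:54", 23141), ("Aug 15 20:52:57", 23166), ("Aug 15 20:52:57", 23178),
        ("Aug 15 20:53:01", 23205), ("Aug 15 20:53:01", 23207), ("Aug 15 20:53:05", 23210)]]
    + [_line(t, p, PAM_MSG) for t, p in [
        ("Aug 15 21:02:39", 29208), ("Aug 15 21:02:39", 29209), ("Aug 15 21:02:43", 29212),
        ("Aug 15 21:02:43", 29213), ("Aug 15 21:02:47", 29219), ("Aug 15 21:02:47", 29220),
        ("Aug 15 21:02:51", 29302), ("Aug 15 21:02:51", 29303)]]
    # constructed, unrelated line: must be ignored by the correlator
    + ["Aug 15 21:03:00 myserver sshd[29310]: Accepted publickey for me from 10.0.0.5 port 50001 ssh2"]
)


def parse_line(line, year=2011):
    """Decode one sshd line into (timestamp, kind, source), or None.

    Syslog lines carry no year, so the caller supplies it.
    """
    m, kind = PAM_FAIL.search(line), "pam_fail"
    if m is None:
        m, kind = REVERSE_FAIL.search(line), "reverse_fail"
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
    return ts, kind, m.group("src")


def correlate(lines, frequency=6, timeframe=180, ar_level=6):
    """Return (alerts, actions) for a batch of log lines.

    An alert fires when `frequency` events of one kind from the same source
    fall within `timeframe` seconds; the window is then cleared so one burst
    yields one alert.  An action is emitted when the alert level reaches
    `ar_level`, but firewall-drop is only produced for an IPv4 literal; a PTR
    name (what the reverse-mapping message carries) is reported as skipped.
    """
    events = sorted(e for e in map(parse_line, lines) if e is not None)
    windows = defaultdict(deque)
    alerts, actions = [], []
    for ts, kind, src in events:
        win = windows[(kind, src)]
        win.append(ts)
        while (ts - win[0]).total_seconds() > timeframe:
            win.popleft()
        if len(win) < frequency:
            continue
        win.clear()
        name, level = RULES[kind]
        alerts.append((ts, name, level, src))
        if level >= ar_level:
            verdict = "firewall-drop" if IPV4.match(src) else "skipped (not an IPv4 literal)"
            actions.append((ts, verdict, src))
    return alerts, actions


if __name__ == "__main__":
    found, fired = correlate(SAMPLE_LOG)
    for ts, name, level, src in found:
        print(f"{ts} level {level} from {src}: {name}")
    for ts, verdict, src in fired:
        print(f"{ts} {verdict} {src}")
```

Run against the sample it produces one alert per burst: the reverse-lookup burst resolves to a hostname and is skipped by the gate, while the pam_unix burst yields a firewall-drop for 122.146.120.139. The same gate is the first thing to check on a real install: confirm the decoded event actually carries a source IP before looking at execd.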
