It's not really a mistake, but I would like to make ossec stop sending such mailings. The question is how do I lower the ossec sensitivity for this event, or how do I remove this case.

Beyond that, what may cause ssh to not generate these false positives?

Thanks in advance

2012/10/11 dan (ddp) <[email protected]>

> On Thu, Oct 11, 2012 at 1:59 PM, Carlos Palacios
> <[email protected]> wrote:
> > Good day list,
> >
> > I have 2 Debian squeeze servers replicated with rsync;
> >
> > rsync -e 'ssh -v -l www-data' -avuz 192.168.1.2:/var/www/test/* /var/www/test/.
> >
> > On ssh, both know their public certificates, however at log connection
> > errors are generated in auth.log
> >
> > Received From: web-server->/var/log/auth.log
> > Rule: 5720 fired (level 10) -> "Multiple SSHD authentication failures."
> > Portion of the log(s):
> >
> > Oct 11 12:51:09 web-jmv sshd[24268]: Failed none for www-data from 10.16.1.3
>
> IIRC, the last time I looked this up it isn't technically an error. So
> you can probably ignore it.
>
> Other than that, is there a question?
>
> > port 52567 ssh2
> > Oct 11 12:50:09 web-jmv sshd[24243]: Failed none for www-data from 10.16.1.3
> > port 49593 ssh2
> > Oct 11 12:49:09 web-jmv sshd[24214]: Failed none for www-data from 10.16.1.3
> > port 49587 ssh2
> > Oct 11 12:49:09 web-jmv sshd[24217]: Failed none for www-data from 10.16.1.3
> > port 49588 ssh2
> > Oct 11 12:49:09 web-jmv sshd[24213]: Failed none for www-data from 10.16.1.3
> > port 49586 ssh2
> > Oct 11 12:48:09 web-jmv sshd[24188]: Failed none for www-data from 10.16.1.3
> > port 49574 ssh2
> > Oct 11 12:47:09 web-jmv sshd[24160]: Failed none for www-data from 10.16.1.3
> > port 49566 ssh2
> >
> > --END OF NOTIFICATION
> >
> > OSSEC HIDS Notification.
> > 2012 Oct 11 12:51:10
> >
> > Received From: web-jmv->/var/log/auth.log
> > Rule: 40112 fired (level 12) -> "Multiple authentication failures followed
> > by a success."
> > Portion of the log(s):
> >
> > Oct 11 12:51:09 web-jmv sshd[24268]: Accepted publickey for www-data from
> > 10.16.1.3 port 52567 ssh2
> >
> > Regards,
> > --
> > _________________________________
> >
> > http://www.esin.net.ve
> > Carlos Palacios
> > Linux User# 395648
> > Free Software Consultant
> > Tel: 0416-6.18.35.68
> > Specialist in Networks and Debian Linux

--
_________________________________
http://www.esin.net.ve
Carlos Palacios
Linux User# 395648
Free Software Consultant
Tel: 0416-6.18.35.68
Specialist in Networks and Debian Linux
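
Added example, not part of the thread or of OSSEC: a small triage script that groups the quoted auth.log lines per connection (sshd PID and source port) and separates "Failed none" entries from failures where a credential was actually rejected. It assumes, per RFC 4252, that "none" is the method an SSH client sends first to ask which authentication methods the server allows; the function name, verdict labels and the extra "Failed password" line are constructed for illustration.

```python
import re
from collections import defaultdict

# auth.log lines from the two notifications quoted in this thread (wraps rejoined).
PAGE_LOG = """\
Oct 11 12:47:09 web-jmv sshd[24160]: Failed none for www-data from 10.16.1.3 port 49566 ssh2
Oct 11 12:48:09 web-jmv sshd[24188]: Failed none for www-data from 10.16.1.3 port 49574 ssh2
Oct 11 12:49:09 web-jmv sshd[24213]: Failed none for www-data from 10.16.1.3 port 49586 ssh2
Oct 11 12:49:09 web-jmv sshd[24217]: Failed none for www-data from 10.16.1.3 port 49588 ssh2
Oct 11 12:49:09 web-jmv sshd[24214]: Failed none for www-data from 10.16.1.3 port 49587 ssh2
Oct 11 12:50:09 web-jmv sshd[24243]: Failed none for www-data from 10.16.1.3 port 49593 ssh2
Oct 11 12:51:09 web-jmv sshd[24268]: Failed none for www-data from 10.16.1.3 port 52567 ssh2
Oct 11 12:51:09 web-jmv sshd[24268]: Accepted publickey for www-data from 10.16.1.3 port 52567 ssh2
"""
# Constructed contrast line (not from the thread): a credential that was really rejected.
CONSTRUCTED = "Oct 11 12:52:01 web-jmv sshd[24300]: Failed password for www-data from 203.0.113.7 port 40000 ssh2\n"

EVENT = re.compile(
    r"sshd\[(?P<pid>\d+)\]: (?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)

def triage(log_text):
    """Classify each connection, keyed by (sshd PID, source port)."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if m:
            sessions[(m["pid"], m["port"])].append((m["result"], m["method"]))
    verdicts = {}
    for key, events in sessions.items():
        failed = [method for result, method in events if result == "Failed"]
        accepted = any(result == "Accepted" for result, _ in events)
        if any(method != "none" for method in failed):
            verdicts[key] = "real-failure"        # password/publickey was rejected
        elif failed and accepted:
            verdicts[key] = "probe-then-success"  # "none" query, then a method succeeded
        elif failed:
            verdicts[key] = "probe-only"          # only the "none" query was logged
        else:
            verdicts[key] = "success"
    return verdicts

if __name__ == "__main__":
    for (pid, port), verdict in sorted(triage(PAGE_LOG + CONSTRUCTED).items()):
        print(f"sshd[{pid}] port {port}: {verdict}")
```

On the thread's lines, none of the seven connections counted by rule 5720 contains a rejected credential, and the one that triggered rule 40112 is a "none" query followed by an accepted public key in the same sshd process.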
