On Thu, Oct 11, 2012 at 3:31 PM, Carlos Palacios <[email protected]> wrote:
> It's not really a mistake, but I would make ossec stop sending such
> mailings. The question is how do I lower the ossec sensitivity for this
> event, or how do I remove this case.
>
> Beyond that, is there a way to make ssh not generate these false positives?
>
> thanks in advance
>

Write a rule to put this log message at a lower level. Use ossec-logtest
to help you.

> 2012/10/11 dan (ddp) <[email protected]>
>
>> On Thu, Oct 11, 2012 at 1:59 PM, Carlos Palacios
>> <[email protected]> wrote:
>> > Good day list,
>> >
>> > I have 2 servers replicated with rsync on Debian squeeze;
>> >
>> > rsync -e 'ssh -v -l www-data' -avuz 192.168.1.2:/var/www/test/* /var/www/test/.
>> >
>> > On ssh, both know their public certificates; however, at login,
>> > connection errors are generated in auth.log
>> >
>> > Received From: web-server->/var/log/auth.log
>> > Rule: 5720 fired (level 10) -> "Multiple SSHD authentication failures."
>> > Portion of the log(s):
>> >
>> > Oct 11 12:51:09 web-jmv sshd[24268]: Failed none for www-data from 10.16.1.3 port 52567 ssh2
>>
>> IIRC, the last time I looked this up it isn't technically an error. So
>> you can probably ignore it.
>>
>> Other than that, is there a question?
>>
>> > Oct 11 12:50:09 web-jmv sshd[24243]: Failed none for www-data from 10.16.1.3 port 49593 ssh2
>> > Oct 11 12:49:09 web-jmv sshd[24214]: Failed none for www-data from 10.16.1.3 port 49587 ssh2
>> > Oct 11 12:49:09 web-jmv sshd[24217]: Failed none for www-data from 10.16.1.3 port 49588 ssh2
>> > Oct 11 12:49:09 web-jmv sshd[24213]: Failed none for www-data from 10.16.1.3 port 49586 ssh2
>> > Oct 11 12:48:09 web-jmv sshd[24188]: Failed none for www-data from 10.16.1.3 port 49574 ssh2
>> > Oct 11 12:47:09 web-jmv sshd[24160]: Failed none for www-data from 10.16.1.3 port 49566 ssh2
>> >
>> > --END OF NOTIFICATION
>> >
>> > OSSEC HIDS Notification.
>> > 2012 Oct 11 12:51:10
>> >
>> > Received From: web-jmv->/var/log/auth.log
>> > Rule: 40112 fired (level 12) -> "Multiple authentication failures followed by a success."
>> > Portion of the log(s):
>> >
>> > Oct 11 12:51:09 web-jmv sshd[24268]: Accepted publickey for www-data from 10.16.1.3 port 52567 ssh2
>> >
>> > Regards,
>> > --
>> > _________________________________
>> >
>> > http://www.esin.net.ve
>> > Carlos Palacios
>> > Linux User# 395648
>> > Free Software Consultant
>> > tlf: 0416-6.18.35.68
>> > Specialist in Networks and Debian Linux
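One concrete form of the rule dan suggests, added here as an example and not something posted in the thread: it overrides the sshd "Failed none" line from the rsync peer to level 0 so it no longer feeds the frequency rule 5720 (and, through it, 40112). The rule id 100100 and the file path are assumptions; the user www-data and the peer 10.16.1.3 come from the log lines above, and 5716 is the stock "SSHD authentication failed." parent rule in sshd_rules.xml.

```xml
<!-- /var/ossec/rules/local_rules.xml (path assumed; adjust to your install) -->
<group name="local,syslog,sshd,">
  <!-- sshd logs "Failed none" when the client probes the "none" auth method
       before offering its key, so the line is not a real failed login.
       Stock rule 5716 ("SSHD authentication failed.") matches it and feeds
       the frequency rule 5720. Overriding the child to level 0 stops that
       count for this user and peer only; every other sshd failure still
       alerts as before. Use a low non-zero level (e.g. 3) instead if you
       want the event kept in the alert log without the mail. -->
  <rule id="100100" level="0">
    <if_sid>5716</if_sid>
    <match>Failed none for www-data</match>
    <srcip>10.16.1.3</srcip>
    <description>sshd "none" method probe from the rsync peer; not a failure.</description>
  </rule>
</group>
```

Paste one of the "Failed none" lines into /var/ossec/bin/ossec-logtest and confirm it now reports rule 100100 at level 0 before restarting OSSEC.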
