Hi,

My SSH server has been under attack for a few days. ossec detects it but does not initiate an active response that would block the remote host.

However, other types of attack do result in ossec active responses; for example, if I try to attack myself from an external connection, SSH authentication failures result in an ossec active response (authentication failures). Could anyone explain to me why? If I'm not wrong, the host does not supply any password; is that the reason why there is active response?

Here is the alert log generated by ossec in relation to this connection attempt:

** Alert 1355053924.344329: mail - syslog,access_control,authentication_failed,
2012 Dec 09 12:52:04 (XXXXXXXXX) XXX.XXX.XXX.XXX->/var/log/auth.log
Rule: 2502 (level 10) -> 'User missed the password more than one time'
Dec 9 12:52:03 XXXXXXXXXXX sshd[4676]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=174-143-56-97.static.cloud-ips.com user=root

The same host is detected by another rule because it is trying to connect using a non-existent or non-authorized user:

** Alert 1355053924.343978: - syslog,sshd,invalid_login,authentication_failed,
2012 Dec 09 12:52:04 (XXXXXXXXX) XXX.XXX.XXX.XXX->/var/log/auth.log
Rule: 5710 (level 5) -> 'Attempt to login using a non-existent user'
Src IP: 174.143.56.97
Dec 9 12:52:03 XXXXXXXXXXX sshd[4676]: Failed password for invalid user root from 174.143.56.97 port 53770 ssh2

Thanks!

Regards,
Guilhem
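The following is an added example, not code from the post or from OSSEC itself. It re-implements, in plain Python, the two sshd events quoted above (rule 2502 and rule 5710) as regex matchers run over constructed auth.log lines, and then applies the two selection criteria an OSSEC <active-response> block uses, the <level> threshold and the <rules_id> list. The rule ids, levels and descriptions are taken from the alerts in the post; the sample log lines are constructed (hostname, pid and the benign third line are made up), and the assumption that a firewall-drop/host-deny response needs a source IP on the alert (OSSEC command definitions carry <expect>srcip</expect>) is the author of this example's, not something the post states.

```python
"""Toy emulation of two OSSEC sshd rules and of active-response selection.

Added example: approximates how the alerts quoted in the post would be
produced and selected; it is not OSSEC's own decoder/rule engine.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence

# Constructed sample log: the first two lines mirror the sshd events in the
# post (hostname and pid are made up); the third is a benign login.
SAMPLE_LOG = """\
Dec  9 12:52:03 myhost sshd[4676]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=174-143-56-97.static.cloud-ips.com  user=root
Dec  9 12:52:03 myhost sshd[4676]: Failed password for invalid user root from 174.143.56.97 port 53770 ssh2
Dec  9 12:52:05 myhost sshd[4680]: Accepted publickey for guilhem from 192.0.2.10 port 40000 ssh2
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# Rule 2502 (level 10): PAM reports repeated failures; rhost may be a hostname.
PAM_RE = re.compile(r"PAM (\d+) more authentication failures;.*\brhost=(\S*)")
# Rule 5710 (level 5): sshd reports a failed login for a non-existent user.
INVALID_USER_RE = re.compile(r"Failed password for invalid user (\S+) from (\S+) port \d+")


@dataclass
class Alert:
    rule_id: int
    level: int
    description: str
    src_ip: Optional[str]    # set only when the source field parses as an IP
    src_host: Optional[str]  # set when the source field is a hostname instead
    line: str


def _as_ip(token: str) -> Optional[str]:
    """Return token if it is a literal IPv4/IPv6 address, else None."""
    try:
        ipaddress.ip_address(token)
        return token
    except ValueError:
        return None


def match_rule(line: str) -> Optional[Alert]:
    """Map one auth.log line to the first of the two emulated rules it matches."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    msg = m.group("msg")
    pam = PAM_RE.search(msg)
    if pam:
        rhost = pam.group(2)
        ip = _as_ip(rhost)
        return Alert(2502, 10, "User missed the password more than one time",
                     ip, None if ip else rhost, line)
    inv = INVALID_USER_RE.search(msg)
    if inv:
        src = inv.group(2)
        ip = _as_ip(src)
        return Alert(5710, 5, "Attempt to login using a non-existent user",
                     ip, None if ip else src, line)
    return None


def analyze(log_text: str) -> List[Alert]:
    """Run every line through match_rule and keep the alerts."""
    return [a for a in (match_rule(l) for l in log_text.splitlines()) if a]


def would_trigger(alert: Alert, min_level: int = 6, rules_id: Sequence[int] = ()) -> bool:
    """Emulate <active-response> selection: by <level> threshold or <rules_id>.

    Assumption (not from the post): a firewall-drop/host-deny command expects
    a source IP, so an alert without one is not acted on even if selected.
    """
    selected = alert.level >= min_level or alert.rule_id in rules_id
    return selected and alert.src_ip is not None


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"rule {a.rule_id} (level {a.level}) src_ip={a.src_ip} "
              f"src_host={a.src_host} fires={would_trigger(a)}")
```

Running it shows the difference visible in the two quoted alerts: the PAM line carries a hostname in rhost, so the level-10 alert has no Src IP, while the level-5 alert for the invalid user does carry one; with a level-6 threshold and no rules_id entry neither alert is acted on in this emulation, and adding 5710 to rules_id selects the second.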