On Sun, Dec 9, 2012 at 11:10 AM, Guilmxm <guilhem.march...@gmail.com> wrote:
> Ok, the error in the log:
> 2012/12/09 12:47:44 ossec-execd(1311): ERROR: Invalid command name 'firewall-drop14400' provided.
>
> It came from the fact I wanted to increase the default "600" seconds banish time to 14400 (4 hours); there came the new error.
>
> Still I don't have an active response for this rule matched...
>
> Example I've tested today (before the time modification for the banish time):
>
> Active response traces:
>
> Sun Dec 9 12:47:44 CET 2012 /var/ossec/active-response/bin/host-deny.sh add - 37.160.44.146 1355053664.338773 31151
> Sun Dec 9 12:58:14 CET 2012 /var/ossec/active-response/bin/host-deny.sh delete - 37.160.44.146 1355053664.338773 31151
>
> And the relevant log on the server:
>
> ** Alert 1355053664.338773: mail - web,accesslog,web_scan,recon,
> 2012 Dec 09 12:47:44 (XXXXXXXXXX) XXX.XXX.XXX.XXX->/var/log/nginx/index.access.log
> Rule: 31151 (level 10) -> 'Multiple web server 400 error codes from same source ip.'
> Src IP: 37.160.44.146
> 37.160.44.146 - - [09/Dec/2012:12:47:42 +0100] "GET /index.asp HTTP/1.1" 401 188 "-" "Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:multiple_index)"
> 37.160.44.146 - - [09/Dec/2012:12:47:41 +0100] "GET /index.pl HTTP/1.1" 401 188 "-" "Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:multiple_index)"
> 37.160.44.146 - - [09/Dec/2012:12:47:40 +0100] "GET /index.cgi HTTP/1.1" 401 188 "-" "Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:multiple_index)"
> 37.160.44.146 - - [09/Dec/2012:12:47:39 +0100] "GET /index.cfm HTTP/1.1" 401 188 "-" "Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:multiple_index)"
> 37.160.44.146 - - [09/Dec/2012:12:47:38 +0100] "GET /index.shtml HTTP/1.1" 401 188 "-" "Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:multiple_index)"
> 37.160.44.146 - - [09/Dec/2012:12:47:37 +0100] "GET /index.htm HTTP/1.1" 401 188 "-" "Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:multiple_index)"
>
> So active response works fine, but not for the SSH connection attempt...
>
> Regards,
>
> Guilhem

Please provide your active response configuration.

> On Sunday, December 9, 2012 13:19:58 UTC+1, Guilmxm wrote:
>>
>> Hi,
>>
>> My SSH server has been attacked for a few days; ossec detects it but does not initiate an active response resulting in blocking the remote host.
>>
>> Therefore, any other type of attack results in ossec active responses; for example, if I try to attack myself from an external connection, ssh authentication failures result in an ossec active response (authentication failures).
>>
>> Could anyone explain to me why? If I'm not wrong the host does not supply any password; is that the reason why there is active response?
>>
>> Here is the alert log generated by ossec in relation with this connection attempt:
>>
>> ** Alert 1355053924.344329: mail - syslog,access_control,authentication_failed,
>> 2012 Dec 09 12:52:04 (XXXXXXXXX) XXX.XXX.XXX.XXX->/var/log/auth.log
>> Rule: 2502 (level 10) -> 'User missed the password more than one time'
>> Dec 9 12:52:03 XXXXXXXXXXX sshd[4676]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=174-143-56-97.static.cloud-ips.com user=root
>>
>> The same host is detected with another rule because it's trying to connect using a non-existent or non-authorized user:
>>
>> ** Alert 1355053924.343978: - syslog,sshd,invalid_login,authentication_failed,
>> 2012 Dec 09 12:52:04 (XXXXXXXXX) XXX.XXX.XXX.XXX->/var/log/auth.log
>> Rule: 5710 (level 5) -> 'Attempt to login using a non-existent user'
>> Src IP: 174.143.56.97
>> Dec 9 12:52:03 XXXXXXXXXXX sshd[4676]: Failed password for invalid user root from 174.143.56.97 port 53770 ssh2
>>
>> Thanks!
>>
>> Regards,
>>
>> Guilhem
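One thing the quoted alerts make visible is that the rule 2502 alert (level 10) carries no "Src IP:" line, while the rule 31151 and 5710 alerts do; an OSSEC active response with <expect>srcip</expect> only has an address to hand to host-deny.sh when the alert has a decoded source IP. The following added example (not code from the thread or from OSSEC) parses the three alert blocks above and shows which ones a host-deny response at an assumed trigger level of 10 could act on.

```python
import re

# Constructed sample: the three alert blocks quoted in the thread, with the
# placeholder hostnames kept as they appear in the original messages.
ALERTS = """\
** Alert 1355053664.338773: mail - web,accesslog,web_scan,recon,
2012 Dec 09 12:47:44 (XXXXXXXXXX) XXX.XXX.XXX.XXX->/var/log/nginx/index.access.log
Rule: 31151 (level 10) -> 'Multiple web server 400 error codes from same source ip.'
Src IP: 37.160.44.146
37.160.44.146 - - [09/Dec/2012:12:47:42 +0100] "GET /index.asp HTTP/1.1" 401 188 "-" "Mozilla/5.00 (Nikto/2.1.5)"

** Alert 1355053924.344329: mail - syslog,access_control,authentication_failed,
2012 Dec 09 12:52:04 (XXXXXXXXX) XXX.XXX.XXX.XXX->/var/log/auth.log
Rule: 2502 (level 10) -> 'User missed the password more than one time'
Dec 9 12:52:03 XXXXXXXXXXX sshd[4676]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=174-143-56-97.static.cloud-ips.com user=root

** Alert 1355053924.343978: - syslog,sshd,invalid_login,authentication_failed,
2012 Dec 09 12:52:04 (XXXXXXXXX) XXX.XXX.XXX.XXX->/var/log/auth.log
Rule: 5710 (level 5) -> 'Attempt to login using a non-existent user'
Src IP: 174.143.56.97
Dec 9 12:52:03 XXXXXXXXXXX sshd[4676]: Failed password for invalid user root from 174.143.56.97 port 53770 ssh2
"""

RULE_RE = re.compile(r"^Rule: (\d+) \(level (\d+)\)", re.M)
SRCIP_RE = re.compile(r"^Src IP: (\S+)", re.M)


def parse_alerts(text):
    """Split alerts.log text into (rule_id, level, src_ip_or_None) tuples."""
    out = []
    for block in text.split("** Alert ")[1:]:
        rule = RULE_RE.search(block)
        ip = SRCIP_RE.search(block)
        out.append((int(rule.group(1)), int(rule.group(2)), ip.group(1) if ip else None))
    return out


def response_candidates(alerts, min_level):
    """Rule ids a host-deny response configured with <level>min_level</level>
    and <expect>srcip</expect> has an address for."""
    return [rule for rule, level, ip in alerts if level >= min_level and ip is not None]


def missing_srcip(alerts, min_level):
    """Rule ids that reach the response level but carry no decoded Src IP,
    so there is nothing to pass to host-deny.sh (the rule 2502 case here)."""
    return [rule for rule, level, ip in alerts if level >= min_level and ip is None]
```

Running it against a real /var/ossec/logs/alerts/alerts.log shows at a glance which high-level SSH alerts are being produced without a source address.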