2013/1/14 dan (ddp) <[email protected]>
> On Mon, Jan 14, 2013 at 10:28 AM, dan (ddp) <[email protected]> wrote:
> > On Mon, Jan 14, 2013 at 10:23 AM, Michiel van Es <[email protected]>
> wrote:
> >>
> >>
> >> On Monday, 14 January 2013 15:36:05 UTC+1, dan (ddpbsd) wrote the following:
> >>>
> >>> On Mon, Jan 14, 2013 at 8:51 AM, Michiel van Es <[email protected]>
> >>> wrote:
> >>> > Hello,
> >>> >
> >>> > We want to firewall-drop failed logins with SSH after 3 failed
> >>> > passwords.
> >>> > We have the following config in /var/ossec/etc/ossec.conf (OSSEC 2.6)
> >>> > for
> >>> > the commands and active responses:
> >>> >
> >>> >
> >>> > <command>
> >>> > <name>host-deny</name>
> >>> > <executable>host-deny.sh</executable>
> >>> > <expect>srcip</expect>
> >>> > <timeout_allowed>yes</timeout_allowed>
> >>> > </command>
> >>> >
> >>> > <command>
> >>> > <name>firewall-drop</name>
> >>> > <executable>firewall-drop.sh</executable>
> >>> > <expect>srcip</expect>
> >>> > <timeout_allowed>yes</timeout_allowed>
> >>> > </command>
> >>> >
> >>> > <command>
> >>> > <name>disable-account</name>
> >>> > <executable>disable-account.sh</executable>
> >>> > <expect>user</expect>
> >>> > <timeout_allowed>yes</timeout_allowed>
> >>> > </command>
> >>> >
> >>> > <command>
> >>> > <name>restart-ossec</name>
> >>> > <executable>restart-ossec.sh</executable>
> >>> > <expect></expect>
> >>> > </command>
> >>> >
> >>> > <active-response>
> >>> > <command>restart-ossec</command>
> >>> > <location>local</location>
> >>> > <rules_id>510010</rules_id>
> >>> > </active-response>
> >>> >
> >>> > <active-response>
> >>> > <disabled>no</disabled>
> >>> > <command>host-deny</command>
> >>> > <location>local</location>
> >>> > <rules_id>2502,5720</rules_id>
> >>> > <timeout>1800</timeout>
> >>> > </active-response>
> >>> >
> >>> > <active-response>
> >>> > <disabled>no</disabled>
> >>> > <command>firewall-drop</command>
> >>> > <location>local</location>
> >>> > <rules_id>2502,5720</rules_id>
> >>> > <timeout>1800</timeout>
> >>> > </active-response>
> >>> >
> >>> > 5720 is using 5716 in sshd_rules.xml for multiple failed logins
> >>> > (frequency
> >>> > is 6).
> >>> > I restarted the ossec-hids on the manager and tried logging in with a
> >>> > known
> >>> > and unknown account, and in both scenarios the srcip is not being
> >>> > blocked
> >>> > after 6 times within 30 seconds.
> >>> >
> >>> > Am I missing something?
> >>>
> >>> >>frequency=6 means 8 attempts.
> >>>
> >> Even after 100 tries it still does not do anything with only 5720.
> >> The 5716 rule is working correctly and blocking after 1 failed attempt,
> the
> >> frequency set for 5720 does nothing.
> >> Does anyone have a sample SSH active response config for ossec 2.6
> which I
> >> can test and try?
> >>
> >> Michiel
> >
> > Can you give a log sample that should be triggering 5720?
>
> Never mind, I found one.
>
> Are you sure 5720 is being triggered?
> Is AR enabled on the agent?
> Have you tried it on a system other than the OSSEC server?
>
Here is some more information: it seems that it works after 6 tries on some
accounts/machines, but on another machine it does nothing; I can test with
testuser2 an unlimited number of times (testuser2 is an account that does exist
on the server).
Also, /etc/init.d/ossec-hids shows that ossec is running on the agent:
sshd_rules.xml:
<rule id="5720" level="10" frequency="2">
<if_matched_sid>5716</if_matched_sid>
<same_source_ip />
<description>Multiple SSHD authentication failures.</description>
<group>authentication_failures,</group>
</rule>
/var/ossec/alerts/alert.log:
** Alert 1358177805.5539998: mail - syslog,sshd,authentication_failures,
2013 Jan 14 16:36:45 (host) any->/var/log/secure
Rule: 5720 (level 10) -> 'Multiple SSHD authentication failures.'
Src IP: 4.4.4.4
User: testuser
Jan 14 16:36:44 host sshd[28376]: Failed password for testuser from 4.4.4.4 port 39978 ssh2
Jan 14 16:36:37 host sshd[28371]: Failed password for testuser from 4.4.4.4 port 39977 ssh2
Jan 14 16:36:34 host sshd[28371]: Failed password for testuser from 4.4.4.4 port 39977 ssh2
Jan 14 16:36:31 host sshd[28371]: Failed password for testuser from 4.4.4.4 port 39977 ssh2

** Alert 1358177807.5540637: - syslog,sshd,authentication_failed,
2013 Jan 14 16:36:47 (host) any->/var/log/secure
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 4.4.4.4
User: testuser
Jan 14 16:36:47 host sshd[28376]: Failed password for testuser from 4.4.4.4 port 39978 ssh2

** Alert 1358177807.5540950: - ossec,active_response,
2013 Jan 14 16:36:47 (host) any->/var/ossec/logs/active-responses.log
Rule: 603 (level 3) -> 'Host Blocked by host-deny.sh Active Response'
Src IP: 4.4.4.4
Mon Jan 14 16:36:45 CET 2013 /var/ossec/active-response/bin/host-deny.sh add - 4.4.4.4 1358177805.5539998 5720

** Alert 1358177807.5541286: - ossec,active_response,
2013 Jan 14 16:36:47 (host) any->/var/ossec/logs/active-responses.log
Rule: 601 (level 3) -> 'Host Blocked by firewall-drop.sh Active Response'
Src IP: 4.4.4.4
Mon Jan 14 16:36:45 CET 2013 /var/ossec/active-response/bin/firewall-drop.sh add - 4.4.4.4 1358177805.5539998 5720
machine logfile:
Jan 14 16:36:29 host sshd[28371]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=4.4.4.4 user=testuser
Jan 14 16:36:31 host sshd[28371]: Failed password for testuser from 4.4.4.4 port 39977 ssh2
Jan 14 16:36:34 host sshd[28371]: Failed password for testuser from 4.4.4.4 port 39977 ssh2
Jan 14 16:36:37 host sshd[28371]: Failed password for testuser from 4.4.4.4 port 39977 ssh2
Jan 14 16:36:37 host sshd[28374]: Connection closed by 4.4.4.4
Jan 14 16:36:37 host sshd[28371]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=4.4.4.4 user=testuser
Jan 14 16:36:42 host sshd[28376]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=4.4.4.4 user=testuser
Jan 14 16:36:44 host sshd[28376]: Failed password for testuser from 4.4.4.4 port 39978 ssh2
Jan 14 16:36:47 host sshd[28376]: Failed password for testuser from 4.4.4.4 port 39978 ssh2
Jan 14 16:46:51 host sshd[28339]: Received disconnect from 10.20.160.34: 11: disconnected by user
We tried it and after 6 times it blocked us, so it is working but it seems
the frequency is not the same as we expect.
Another try on a different machine with an account:
mve@protegam01:~$ ssh [email protected]
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Permission denied (publickey,password).
mve@protegam01:~$ ssh [email protected]
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Permission denied (publickey,password).
mve@protegam01:~$ ssh [email protected]
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Permission denied (publickey,password).
No active response is working on that machine; ossec-hids is running:
[root@machine ~]# /etc/init.d/ossec-hids status
ossec-logcollector is running...
ossec-syscheckd is running...
ossec-agentd is running...
ossec-execd is running...
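The frequency mismatch in this thread (dan's "frequency=6 means 8 attempts", and the 5720 alert above listing four "Failed password" lines for a rule with frequency="2") follows from how OSSEC 2.x counts composite-rule matches: the rule fires once the child rule has matched frequency + 2 times from the same source within the timeframe. The script below is an added illustration, not OSSEC code and not anything from the thread; it replays the agent logfile quoted above (embedded here as constructed sample input) through a small emulation of the 5716 -> 5720 correlation with same_source_ip. The default timeframe of 360 seconds, the "+2" offset and the decision to reset the per-source counter after the composite rule fires are assumptions of the emulation, not behaviour read from the thread.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample input: the sshd lines from the agent logfile in the thread.
SAMPLE_LOG = """\
Jan 14 16:36:29 host sshd[28371]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=4.4.4.4 user=testuser
Jan 14 16:36:31 host sshd[28371]: Failed password for testuser from 4.4.4.4 port 39977 ssh2
Jan 14 16:36:34 host sshd[28371]: Failed password for testuser from 4.4.4.4 port 39977 ssh2
Jan 14 16:36:37 host sshd[28371]: Failed password for testuser from 4.4.4.4 port 39977 ssh2
Jan 14 16:36:37 host sshd[28374]: Connection closed by 4.4.4.4
Jan 14 16:36:42 host sshd[28376]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=4.4.4.4 user=testuser
Jan 14 16:36:44 host sshd[28376]: Failed password for testuser from 4.4.4.4 port 39978 ssh2
Jan 14 16:36:47 host sshd[28376]: Failed password for testuser from 4.4.4.4 port 39978 ssh2
"""

# Stand-in for rule 5716: one "Failed password" line from sshd.
FAILED_PW = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def attempts_needed(frequency):
    """Matches of the child rule needed before the composite rule fires.
    Assumption of this emulation: OSSEC 2.x fires at frequency + 2 matches."""
    return frequency + 2


def parse_ts(ts, year=2013):
    """syslog timestamps carry no year; the year is assumed (2013, as in the thread)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def correlate(log_text, frequency, timeframe=360):
    """Emulate a 5720-style composite rule (if_matched_sid + same_source_ip).

    Returns a list of (fire_time, source_ip, matched_count) tuples, one per firing.
    timeframe defaults to 360 seconds (assumed OSSEC default)."""
    window = defaultdict(deque)   # per source IP: timestamps of recent child matches
    fired = []
    needed = attempts_needed(frequency)
    for line in log_text.splitlines():
        m = FAILED_PW.match(line)
        if not m:
            continue                # not a child-rule match; ignored by the composite rule
        t, ip = parse_ts(m["ts"]), m["ip"]
        q = window[ip]
        q.append(t)
        # Drop matches that fell out of the timeframe.
        while q and (t - q[0]).total_seconds() > timeframe:
            q.popleft()
        if len(q) >= needed:
            fired.append((t, ip, len(q)))
            q.clear()               # assumption: counting starts afresh after a firing
    return fired


if __name__ == "__main__":
    # frequency="2" as in the quoted 5720 rule: fires on the 4th failure from 4.4.4.4
    for t, ip, n in correlate(SAMPLE_LOG, frequency=2):
        print(f"5720 fired at {t:%H:%M:%S} for {ip} after {n} failed passwords")
    # frequency="6" would need 8 failures; the sample has only 5, so nothing fires
    print("firings with frequency=6:", correlate(SAMPLE_LOG, frequency=6))
```

With frequency=2 the emulation fires at 16:36:44 with four matched events from 4.4.4.4, which is exactly the set of lines listed under the 5720 alert in the thread; the 16:36:47 failure then starts a new count and produces only the 5716 alert. When sizing a frequency for a block-after-N policy, subtract 2 from the number of failures you actually want to tolerate.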