Have you checked and reviewed the sshd rules in /var/ossec/rules/ to see if any keywords exist for these "refusals"?

On Mon, Feb 4, 2013 at 3:09 PM, Greg Ramos <[email protected]> wrote:
> OK, I purchased the book on Amazon. I noticed the date is pretty old,
> considering things are changing all the time, but perhaps it will help
> me to learn the software. Anyway, one of the primary reasons I installed
> the package was to monitor ssh refusals. I am getting notification of
> failed logins, but not refusals. In other words, I had a machine that
> was refused by the tcp wrappers, and noted in /var/adm/messages, but
> did not receive an alert for any of these attempts. I have used
> 'swatch' before which I could set up to look for ssh refusals, similar
> to logwatch. The problem with logwatch, unless I don't have it
> configured correctly, is I get a report the next day. I am looking for
> something that monitors attempts live, which OSSEC does, I am just
> missing the refused attempts.
>
> OSSEC Host-Based Intrusion Detection Guide
