On Mon, Feb 4, 2013 at 7:21 PM, Greg Ramos <[email protected]> wrote:
> I was constantly being hit from this machine:
>
> Feb 4 07:20:23 appoc9 sshd[901]: [ID 947420 auth.warning] refused
> connect from 60.13.74.23
I'm guessing your email alert level is set to 7. This log message
appears to trigger a level 5 alert.
# cat /tmp/j | /var/ossec/bin/ossec-logtest
2013/02/04 20:25:25 ossec-testrule: INFO: Reading decoder file etc/decoder.xml.
2013/02/04 20:25:25 ossec-testrule: INFO: Reading decoder file
etc/local_decoder.xml.
2013/02/04 20:25:25 ossec-testrule: INFO: Reading decoder file
etc/wip/nsd_decoder.xml.
2013/02/04 20:25:25 ossec-testrule: INFO: Reading the lists file:
'lists/blocked.txt.cdb'
2013/02/04 20:25:25 ossec-testrule: INFO: Reading the lists file:
'lists/userlist.txt.cdb'
2013/02/04 20:25:25 ossec-testrule: INFO: Reading the lists file:
'lists/banneduser.txt.cdb'
2013/02/04 20:25:25 ossec-testrule: INFO: Started (pid: 28087).
ossec-testrule: Type one log per line.
**Phase 1: Completed pre-decoding.
full event: 'Feb 4 07:20:23 appoc9 sshd[901]: [ID 947420
auth.warning] refused connect from 60.13.74.23'
hostname: 'appoc9'
program_name: 'sshd'
log: 'refused connect from 60.13.74.23'
**Phase 2: Completed decoding.
decoder: 'sshd'
srcip: '60.13.74.23'
**Phase 3: Completed filtering (rules).
Rule id: '2503'
Level: '5'
Description: 'Connection blocked by Tcp Wrappers.'
**Alert to be generated.
You can raise this by adding this to the local_rules.xml:
<rule id="INSERT ID" level="7">
<if_sid>2503</if_sid>
<program_name>sshd</program_name>
<description>SSH connection blocked by tcp wrappers.</description>
</rule>
You should then end up with something like:
# cat /tmp/j | /var/ossec/bin/ossec-logtest
2013/02/04 20:29:19 ossec-testrule: INFO: Reading decoder file etc/decoder.xml.
2013/02/04 20:29:19 ossec-testrule: INFO: Reading decoder file
etc/local_decoder.xml.
2013/02/04 20:29:19 ossec-testrule: INFO: Reading decoder file
etc/wip/nsd_decoder.xml.
2013/02/04 20:29:19 ossec-testrule: INFO: Reading the lists file:
'lists/blocked.txt.cdb'
2013/02/04 20:29:19 ossec-testrule: INFO: Reading the lists file:
'lists/userlist.txt.cdb'
2013/02/04 20:29:19 ossec-testrule: INFO: Reading the lists file:
'lists/banneduser.txt.cdb'
2013/02/04 20:29:20 ossec-testrule: INFO: Started (pid: 20573).
ossec-testrule: Type one log per line.
**Phase 1: Completed pre-decoding.
full event: 'Feb 4 07:20:23 appoc9 sshd[901]: [ID 947420
auth.warning] refused connect from 60.13.74.23'
hostname: 'appoc9'
program_name: 'sshd'
log: 'refused connect from 60.13.74.23'
**Phase 2: Completed decoding.
decoder: 'sshd'
srcip: '60.13.74.23'
**Phase 3: Completed filtering (rules).
Rule id: '100091'
Level: '7'
Description: 'SSH connection blocked by tcp wrappers.'
**Alert to be generated.
I'm not sure this could get any more basic.
> Feb 4 07:25:13 appoc9 sshd[1117]: [ID 947420 auth.warning] refused
> connect from 60.13.74.23
> Feb 4 07:25:14 appoc9 sshd[1118]: [ID 947420 auth.warning] refused
> connect from 60.13.74.23
> Feb 4 07:25:17 appoc9 sshd[1119]: [ID 947420 auth.warning] refused
> connect from 60.13.74.23
> Feb 4 07:25:19 appoc9 sshd[1120]: [ID 947420 auth.warning] refused
> connect from 60.13.74.23
> Feb 4 07:25:21 appoc9 sshd[1121]: [ID 947420 auth.warning] refused
> connect from 60.13.74.23
> Feb 4 07:25:21 appoc9 sshd[1122]: [ID 947420 auth.warning] refused
> connect from 60.13.74.23
> Feb 4 07:25:24 appoc9 sshd[1123]: [ID 947420 auth.warning] refused
> connect from 60.13.74.23
> Feb 4 07:25:24 appoc9 sshd[1124]: [ID 947420 auth.warning] refused
> connect from 60.13.74.23
> Feb 4 07:25:26 appoc9 sshd[1125]: [ID 947420 auth.warning] refused
> connect from 60.13.74.23
> Feb 4 07:25:26 appoc9 sshd[1126]: [ID 947420 auth.warning] refused
> connect from 60.13.74.23
> Feb 4 07:25:28 appoc9 sshd[1127]: [ID 947420 auth.warning] refused
> connect from 60.13.74.23
> Feb 4 07:25:29 appoc9 sshd[1128]: [ID 947420 auth.warning] refused
> connect from 60.13.74.23
> Feb 4 07:25:31 appoc9 sshd[1129]: [ID 947420 auth.warning] refused
> connect from 60.13.74.23
> Feb 4 07:25:31 appoc9 sshd[1130]: [ID 947420 auth.warning] refused
> connect from 60.13.74.23
> Feb 4 07:25:33 appoc9 sshd[1131]: [ID 947420 auth.warning] refused
> connect from 60.13.74.23
> Feb 4 07:25:34 appoc9 sshd[1132]: [ID 947420 auth.warning] refused
> connect from 60.13.74.23
> Feb 4 07:25:36 appoc9 sshd[1133]: [ID 947420 auth.warning] refused
> connect from 60.13.74.23
> Feb 4 07:25:36 appoc9 sshd[1134]: [ID 947420 auth.warning] refused
> connect from 60.13.74.23
> Feb 4 07:25:38 appoc9 sshd[1135]: [ID 947420 auth.warning] refused
> connect from 60.13.74.23
> Feb 4 07:25:38 appoc9 sshd[1136]: [ID 947420 auth.warning] refused
> connect from 60.13.74.23
> Feb 4 07:25:40 appoc9 sshd[1137]: [ID 947420 auth.warning] refused
> connect from 60.13.74.23
> Feb 4 07:25:40 appoc9 sshd[1138]: [ID 947420 auth.warning] refused
> connect from 60.13.74.23
> Feb 4 07:25:44 appoc9 sshd[1139]: [ID 947420 auth.warning] refused
> connect from 60.13.74.23
> Feb 4 08:42:35 appoc9 sshd[6446]: [ID 947420 auth.warning] refused
> connect from fenderforum.com
> Feb 4 15:09:48 appoc9 sshd[25065]: [ID 947420 auth.warning] refused
> connect from 87.101.142.139
>
>
> On Mon, Feb 4, 2013 at 5:09 PM, dan (ddp) <[email protected]> wrote:
>>
>> On Feb 4, 2013 6:33 PM, "Greg Ramos" <[email protected]> wrote:
>>>
>>> OK, I purchased the book on Amazon. I noticed the date is pretty old,
>>> considering things are changing all the time, but perhaps it will help
>>> me to learn the software. Anyway, one of the primary reasons I install
>>> the package, was to monitor ssh refusals. I am getting notification of
>>> failed logins, but not refusals. In other words, I had a machine that
>>> was refused by the tcp wrappers, and noted in /var/adm/messages, but
>>> did not receive an alert for any of these attempts. I have used
>>> 'swatch' before which I could set up to look for ssh refusals, similar
>>> to logwatch. The problem with logwatch, unless I don't have it
>>> configured correctly, is I get a report the next day. I am looking for
>>> something that monitors attempts live, which OSSEC does, I am just
>>> missing the refused attempts.
>>>
>>>
>>> OSSEC Host-Based Intrusion Detection Guide
>>>
>>> --
>>>
>>
>> Please provide a log sample.
>>
>>> ---
>>> You received this message because you are subscribed to the Google Groups
>>> "ossec-list" group.
>>> To unsubscribe from this group and stop receiving emails from it, send an
>>> email to [email protected].
>>> For more options, visit https://groups.google.com/groups/opt_out.
>>>
>>>
>>
>> --
>>
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> For more options, visit https://groups.google.com/groups/opt_out.
>>
>>
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
>
>
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
