Greetings, I'm new to OSSEC having just installed a standalone version on one machine, and the 2.7.1-beta version on a dedicated VM with a bunch of agents connected to it. My first goal is to try and get the firewall to drop IPs from attackers trying to spam or brute force accounts etc. So far this works fine on the standalone server but I haven't seen any IP's added to the iptables drop list on any of the agents. I've changed the stock firewall rule from "local" to "all" in the server ossec.conf and restarted.
The following triggers Level 10 alert but doesn't trigger the firewall drop on the affected agent. Oct 11 21:21:02 webserver pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [user] Oct 11 21:20:52 webserver pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [test] Oct 11 21:20:43 webserver pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [admin] Oct 11 21:20:31 webserver pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [webuser] Oct 11 21:20:22 webserver pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [user] Oct 11 21:20:04 webserver pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [test] Oct 11 21:19:57 webserver pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [admin] Oct 11 21:19:44 webserver pure-ftpd: ([email protected]) [WARNING] Authentication failed for user [webuser] Also noticing a lot of reports of files changing. /sbin/fsfreeze /usr/bin/pklogin_finder /etc/prelink.cache /etc/alternatives/ksh-usrbin /usr/bin/ssltap I'm searching the web for info but I'm not having much success determining if this is normal activity or something of concern. The OS for most hosts is CentOS 5.x Thanks. MM -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/groups/opt_out.
