Its necessary to monitor /var/log/messages to catch the “illegal user” message and the AR script begin to run?
De: Adiel Navarro [mailto:[email protected]] Enviado el: miércoles, 19 de octubre de 2016 02:31 p.m. Para: '[email protected]' Asunto: RE: [ossec-list] Active response There is all the secuence of events: Oct 19 09:56:29 sshd[26260]: [ID 800047 auth.info] Illegal user vpn6006 from 10.188.62.176 Oct 19 09:56:29 sshd[26260]: [ID 800047 auth.info] input_userauth_request: illegal user vpn6006 Oct 19 09:56:29 sshd[26260]: [ID 800047 auth.info] Failed none for <invalid username> from 10.188.62.176 port 4431 ssh2 Oct 19 09:56:33 sshd[26260]: [ID 219349 auth.debug] pam_unix_auth: user vpn6006 not found Oct 19 09:56:33 sshd[26260]: [ID 800047 auth.info] Keyboard-interactive (PAM) userauth failed[13] while authenticating: No account present for user Oct 19 09:56:33 sshd[26260]: [ID 800047 auth.info] Failed keyboard-interactive for <invalid username> from 10.188.62.176 port 4431 ssh2 Oct 19 09:56:35 sshd[26260]: [ID 219349 auth.debug] pam_unix_auth: user vpn6006 not found Oct 19 09:56:35 sshd[26260]: [ID 800047 auth.info] Keyboard-interactive (PAM) userauth failed[13] while authenticating: No account present for user Oct 19 09:56:35 sshd[26260]: [ID 800047 auth.info] Failed keyboard-interactive for <invalid username> from 10.188.62.176 port 4431 ssh2 Oct 19 09:56:37 sshd[26260]: [ID 219349 auth.debug] pam_unix_auth: user vpn6006 not found Oct 19 09:56:37 sshd[26260]: [ID 800047 auth.info] Keyboard-interactive (PAM) userauth failed[13] while authenticating: No account present for user Oct 19 09:56:37 sshd[26260]: [ID 800047 auth.info] Failed keyboard-interactive for <invalid username> from 10.188.62.176 port 4431 ssh2 Oct 19 09:56:37 sshd[26260]: [ID 800047 auth.info] Connection closed by 10.188.62.176 Oct 19 09:56:40 sshd[26304]: [ID 800047 auth.info] Illegal user vpn6006 from 10.188.62.176 Oct 19 09:56:40 sshd[26304]: [ID 800047 auth.info] input_userauth_request: illegal user vpn6006 Oct 19 09:56:40 sshd[26304]: [ID 800047 auth.info] Failed none for <invalid username> from 10.188.62.176 port 4480 ssh2 Oct 19 09:56:43 sshd[26304]: [ID 219349 auth.debug] pam_unix_auth: user vpn6006 not found Oct 19 09:56:43 sshd[26304]: [ID 800047 auth.info] Keyboard-interactive (PAM) userauth failed[13] while authenticating: No account present for user Oct 19 09:56:43 sshd[26304]: [ID 800047 auth.info] Failed keyboard-interactive for <invalid username> from 10.188.62.176 port 4480 ssh2 Oct 19 09:56:45 sshd[26304]: [ID 219349 auth.debug] pam_unix_auth: user vpn6006 not found Oct 19 09:56:45 sshd[26304]: [ID 800047 auth.info] Keyboard-interactive (PAM) userauth failed[13] while authenticating: No account present for user Oct 19 09:56:45 sshd[26304]: [ID 800047 auth.info] Failed keyboard-interactive for <invalid username> from 10.188.62.176 port 4480 ssh2 Oct 19 09:56:46 sshd[26304]: [ID 219349 auth.debug] pam_unix_auth: user vpn6006 not found Oct 19 09:56:46 sshd[26304]: [ID 800047 auth.info] Keyboard-interactive (PAM) userauth failed[13] while authenticating: No account present for user Oct 19 09:56:46 sshd[26304]: [ID 800047 auth.info] Failed keyboard-interactive for <invalid username> from 10.188.62.176 port 4480 ssh2 Oct 19 09:56:46 sshd[26304]: [ID 800047 auth.info] Connection closed by 10.188.62.176 I obtained that since the client. I used opensshd for windows. De: [email protected] [mailto:[email protected]] En nombre de dan (ddp) Enviado el: miércoles, 19 de octubre de 2016 02:10 p.m. Para: [email protected] Asunto: RE: [ossec-list] Active response On Oct 19, 2016 1:40 PM, "Adiel Navarro" <[email protected]> wrote: > > I got configured the next rule_id > > > > <rules_id>5712</rules_id> > > > > And checking ssh_rules.sh, I see the rule 5712: > > > > <rule id="5712" level="10" frequency="6" timeframe="120" ignore="60"> > > <if_matched_sid>5710</if_matched_sid> > > <description>SSHD brute force trying to get access to </description> > > <description>the system.</description> > > <same_source_ip /> > > <group>authentication_failures,</group> > > </rule> > > > > <rule id="5710" level="5"> > > <if_sid>5700</if_sid> > > <match>illegal user|invalid user</match> > > <description>Attempt to login using a non-existent user</description> > > <group>invalid_login,authentication_failed,</group> > > </rule> > > > > > > When I check the logs generated when I try to access with an no existing > user, I see that: > > > > Oct 19 11:20:29 sshd[20692]: [ID 800047 auth.info] Keyboard-interactive (PAM) > userauth failed[13] while authenticating: No account present for user > > Oct 19 11:20:29 sshd[20692]: [ID 800047 auth.info] Keyboard-interactive (PAM) > userauth failed[13] while authenticating: No account present for user > > Oct 19 11:20:29 sshd[20692]: [ID 800047 auth.info] Keyboard-interactive (PAM) > userauth failed[13] while authenticating: No account present for user > > > > So, I need to create a new rule that match with the message and configure the > active response with that new rule, right? > > Yep. Where are you getting these logs from? I don't think I've seen openssh logs like this in the past. > > > > > > -----Mensaje original----- > De: [email protected] [mailto:[email protected]] En > nombre de dan (ddp) > Enviado el: miércoles, 19 de octubre de 2016 12:11 p.m. > > Para: [email protected] > Asunto: Re: [ossec-list] Active response > > > > On Wed, Oct 19, 2016 at 1:02 PM, Adiel Navarro > <[email protected]> wrote: > > > How can I check the active-responses scripts are running? > > > > > > > If there are entries in the active-responses.log file, the scripts are > running. > > If there are not entries in the log, you need to figure out why. > > > > > In the agent, I have the next lines inserted in ossec.conf to watch the log > > files: > > > > > > <localfile> > > > <log_format>syslog</log_format> > > > <location>/var/ossec/logs/active-responses.log</location> > > > </localfile> > > > > > > How can I configure the rule? > > > > > > > On the OSSEC server add a rule to /var/ossec/rules/local_rules.xml looking > for the information in the log message. > > > > For instance, I have the following logs: > > Tue Oct 18 07:04:11 EDT 2016 /var/ossec/active-response/bin/pf.sh add > > - 42.112.31.172 1476788651.100797 5718 > > Wed Oct 19 08:10:26 EDT 2016 /var/ossec/active-response/bin/pf.sh add > > - 117.211.159.74 1476879026.110618 5718 > > > > My rules would be something like: > > > > <!-- Identify an active response log message --> <rule id="987654" level="0"> > > <match>/var/ossec/active-response/bin</match> > > <description>AR fired</description> > > </rule> > > > > <!-- Once the log message is identified, check to see if it is adding > something to ossec_fwtable --> <rule id="987655" level="10"> > > <if_sid>987654</if_sid> > > <match>pf.sh add </match> > > <description>pf.sh active response added an ip to the > blocklist.</description> </rule> > > > > After adding the rules the OSSEC processes on the server would have to be > restarted. > > > > I could make it fancier by creating a decoder, but it's probably not > necessary. > > > > > > > -----Mensaje original----- > > > De: [email protected] [mailto:[email protected]] > > > En nombre de dan (ddp) Enviado el: miércoles, 19 de octubre de 2016 11:56 > > a.m. > > > Para: [email protected] > > > Asunto: Re: [ossec-list] Active response > > > > > > On Wed, Oct 19, 2016 at 12:48 PM, Adiel Navarro > > <[email protected]> wrote: > > >> How can I Configure ossec to watch the active response.log file will fire > >> an alert? > > >> Why active-responses.log is not writing? > > >> > > > > > > If active-responses.log is empty, it's probably because no active response > > scripts are being run. > > > > > > Getting alerts when AR scripts are run is pretty simple. Setup a localfile > > to watch the log file and create a rule to alert when there are new entries. > > > > > >> In agent: > > >> > > >> <localfile> > > >> <log_format>syslog</log_format> > > >> <location>/var/ossec/logs/active-responses.log</location> > > >> </localfile> > > >> > > >> -bash-3.2# ls -l /var/ossec/logs > > >> total 86 > > >> -rw-r--r-- 1 root root 0 Oct 17 14:30 > >> active-responses.log > > >> -rw-rw-r-- 1 ossec ossec 44032 Oct 17 14:29 ossec.log > > >> > > >> in the server: > > >> -bash-3.2# ls -l /var/ossec/logs > > >> total 7432 > > >> -rw-rw---- 1 ossec ossec 0 May 19 10:01 active-responses.log > > >> drwxr-x--- 3 ossec ossec 4096 Oct 17 12:56 alerts > > >> drwxr-x--- 3 ossec ossec 4096 Oct 17 12:56 archives > > >> drwxr-x--- 3 ossec ossec 4096 Oct 17 12:56 firewall > > >> -rw-rw---- 1 ossec ossec 7582818 Oct 17 17:09 ossec.log > > >> > > >> > > >> > > >> -----Mensaje original----- > > >> De: [email protected] [mailto:[email protected]] En > >> nombre de dan (ddp) Enviado el: miércoles, 19 de octubre de 2016 07:50 a.m. > > >> Para: [email protected] > > >> Asunto: Re: [ossec-list] Active response > > >> > > >> On Wed, Oct 19, 2016 at 8:43 AM, dan (ddp) <[email protected]> wrote: > > >>> On Tue, Oct 18, 2016 at 6:54 PM, Aj Navarro <[email protected]> > >>> wrote: > > >> > > >>>> Only I see the next messages in /var/ossec/logs/alers/alerts.log > > >>>> > > >>>> ** Alert 1476724188.107242: mail - syslog,errors, > > >>>> > > >>>> 2016 Oct 17 12:09:48 ixtrtc42scf->/var/log/messages > > >>>> > > >>>> Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.' > > >>>> > > >>>> Oct 17 12:09:48 ixtrtc42scf kernel: type=1100 > > >>>> audit(1476724188.016:36149378): user pid=6141 uid=0 auid=4294967295 > > >>>> ses=4294967295 msg= > > >>>> > > >>>> 'op=PAM:authentication acct="root" exe="/usr/sbin/sshd" > > >>>> hostname=10.188.62.176 addr=10.188.62.176 terminal=ssh res=failed' > > >>>> > > >>> > > >>> These log messages are not triggering 5712. In fact OSSEC isn't sure > > >>> what to do with these log messages. > > >>> Is there anything in your auth log? > > >>> > > >> > > >> Digging into it further, we get: > > >> # cat /tmp/yy | /var/ossec/bin/ossec-logtest -q > > >> 2016/10/19 08:44:09 ossec-testrule: INFO: Reading the lists file: > > >> 'rules/lists/ossec.block' > > >> 2016/10/19 08:44:09 ossec-testrule: INFO: Started (pid: 16098). > > >> ossec-testrule: Type one log per line. > > >> > > >> **Phase 1: Completed pre-decoding. > > >> full event: 'Oct 17 12:09:48 ixtrtc42scf kernel: type=1100 > > >> audit(1476724188.016:36149378): user pid=6141 uid=0 auid=4294967295 > > >> ses=4294967295 msg='op=PAM:authentication acct="root" > > >> exe="/usr/sbin/sshd" hostname=10.188.62.176 addr=10.188.62.176 > >> terminal=ssh res=failed'' > > >> hostname: 'ixtrtc42scf' > > >> program_name: 'kernel' > > >> log: 'type=1100 audit(1476724188.016:36149378): user pid=6141 > > >> uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication > > >> acct="root" exe="/usr/sbin/sshd" hostname=10.188.62.176 > > >> addr=10.188.62.176 terminal=ssh res=failed'' > > >> > > >> **Phase 2: Completed decoding. > > >> decoder: 'iptables' > > >> > > >> **Phase 3: Completed filtering (rules). > > >> Rule id: '1002' > > >> Level: '2' > > >> Description: 'Unknown problem somewhere in the system.' > > >> **Alert to be generated. > > >> > > >> So we'll have to create a decoder to deal with these odd log messages. > > >> Adding the following decoder to my local decoders file: > > >> <decoder name="wtf-iptables"> > > >> <parent>iptables</parent> > > >> <prematch> exe="/usr/sbin/sshd" </prematch> > > >> <!--<regex> acct="(\S+)" hostname="(\S+)" addr="(\S+)" </regex>--> > > >> <regex> acct="(\S+)" exe="/\.+/sshd" hostname=(\S+) addr=(\S+) </regex> > > >> <order>user,dstip, srcip</order> > > >> </decoder> > > >> > > >> I get: > > >> **Phase 1: Completed pre-decoding. > > >> full event: 'Oct 17 12:09:48 ixtrtc42scf kernel: type=1100 > > >> audit(1476724188.016:36149378): user pid=6141 uid=0 auid=4294967295 > > >> ses=4294967295 msg='op=PAM:authentication acct="root" > > >> exe="/usr/sbin/sshd" hostname=10.188.62.176 addr=10.188.62.176 > >> terminal=ssh res=failed'' > > >> hostname: 'ixtrtc42scf' > > >> program_name: 'kernel' > > >> log: 'type=1100 audit(1476724188.016:36149378): user pid=6141 > > >> uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication > > >> acct="root" exe="/usr/sbin/sshd" hostname=10.188.62.176 > > >> addr=10.188.62.176 terminal=ssh res=failed'' > > >> > > >> **Phase 2: Completed decoding. > > >> decoder: 'iptables' > > >> dstuser: 'root' > > >> dstip: '10.188.62.176' > > >> srcip: '10.188.62.176' > > >> > > >> **Phase 3: Completed filtering (rules). > > >> Rule id: '1002' > > >> Level: '2' > > >> Description: 'Unknown problem somewhere in the system.' > > >> **Alert to be generated. > > >> > > >> > > >> I haven't done any testing to see if this will affect anything else though. > > >> > > >> -- > > >> > > >> --- > > >> You received this message because you are subscribed to the Google Groups > >> "ossec-list" group. > > >> To unsubscribe from this group and stop receiving emails from it, send an > >> email to [email protected] > >> <mailto:ossec-list%[email protected]> . > > >> For more options, visit https://groups.google.com/d/optout. > > >> > > >> -- > > >> > > >> --- > > >> You received this message because you are subscribed to the Google Groups > >> "ossec-list" group. > > >> To unsubscribe from this group and stop receiving emails from it, send an > >> email to [email protected] > >> <mailto:ossec-list%[email protected]> . > > >> For more options, visit https://groups.google.com/d/optout. > > > > > > -- > > > > > > --- > > > You received this message because you are subscribed to the Google Groups > > "ossec-list" group. > > > To unsubscribe from this group and stop receiving emails from it, send an > > email to [email protected] > > <mailto:ossec-list%[email protected]> . > > > For more options, visit https://groups.google.com/d/optout. > > > > > > -- > > > > > > --- > > > You received this message because you are subscribed to the Google Groups > > "ossec-list" group. > > > To unsubscribe from this group and stop receiving emails from it, send an > > email to [email protected] > > <mailto:ossec-list%[email protected]> . > > > For more options, visit https://groups.google.com/d/optout. > > > > -- > > > > --- > > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected] > <mailto:ossec-list%[email protected]> . > > For more options, visit https://groups.google.com/d/optout. > > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected] > <mailto:ossec-list%[email protected]> . > For more options, visit https://groups.google.com/d/optout. -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout. -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
