On Fri, Feb 27, 2009 at 9:59 AM, Michael Andrus <[email protected]> wrote:
> I've tried doing 'tail -f /var/log/secure > /tmp/sec' and am receiving the same results.
> The test event (I am generating this event myself by failing a SSH login repeatedly)
> is triggered by /tmp/sec, but not by /var/log/secure.
>

I have configured syslog-ng to log authpriv to a named pipe, and now
the rule seems to be working, but not as I had expected.

I think perhaps I have misunderstood the way SingleWithThreshold works...

Again, here is my rule:

# CentOS 4 SSH PAM_OPIE Failed authentication
# Warning: This may ban an overzealous user who's having trouble w/ OPIE
# Feb 26 14:32:14 darkstar sshd[10026]: error: PAM: Authentication failure for admin from x.x.x.x
type=SingleWithThreshold
ptype=RegExp
pattern= (\w+) sshd\[\d+\]: error: PAM: Authentication failure for \w+ from (\d+\.\d+\.\d+\.\d+)
desc=$0
action=event 0 matched; write - SSH brute force attack from $2!; shellcmd /usr/bin/test "$2" != "`/sbin/ifconfig eth0 | /bin/grep "inet addr"|awk -F" " '{print $2}'| /bin/egrep -o "[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+"`" && /usr/local/sbin/apf -d $2 sec.ssh ; shellcmd /bin/echo "$1: SSH BFA from $2" | /bin/mail -s "$1: SSH BFA from $2" r...@darkstar
window=15
thresh=3

It appears that events are only triggered by three *exact* matching
lines from the input, i.e.

Feb 26 14:32:14 darkstar sshd[10026]: error: PAM: Authentication failure for admin from 192.168.1.23
Feb 26 14:32:14 darkstar sshd[10026]: error: PAM: Authentication failure for admin from 192.168.1.23
Feb 26 14:32:14 darkstar sshd[10026]: error: PAM: Authentication failure for admin from 192.168.1.23

whereas I was assuming that three lines matching the regex would
trigger the event, i.e.

Feb 26 14:32:14 darkstar sshd[10026]: error: PAM: Authentication failure for admin from 192.168.1.23
Feb 26 14:32:16 darkstar sshd[10026]: error: PAM: Authentication failure for admin from 192.168.1.23
Feb 26 14:32:18 darkstar sshd[10026]: error: PAM: Authentication failure for admin from 192.168.1.23

Am I correct in my observation that only lines repeating exactly will
be counted against the threshold?

If so, could someone point me in the right direction conceptually as
to how to configure SEC to act on three similar rules (i.e. only the
timestamp changing)?
I am guessing that this is where contexts come into play. If anyone
has an example ruleset they wouldn't mind sharing, I would appreciate
it immensely.

Thanks!

- Michael A.
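A simulation of the threshold counting discussed in the post above, added here as an example; it is not code from the thread or from SEC itself. It is a simplified model of SingleWithThreshold that keeps one counter per expanded desc string and runs it over constructed log lines, showing why desc=$0 only counts byte-identical lines while a desc built from the captured IP (a hypothetical "SSH BFA from $2") counts the three lines with differing timestamps together.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# The regex from the posted rule, used with search() as SEC's RegExp ptype does.
PATTERN = re.compile(
    r"(\w+) sshd\[\d+\]: error: PAM: Authentication failure for \w+ "
    r"from (\d+\.\d+\.\d+\.\d+)"
)

# Constructed sample input: same source IP, only the timestamp and PID differ.
LOG_LINES = [
    "Feb 26 14:32:14 darkstar sshd[10026]: error: PAM: Authentication failure for admin from 192.168.1.23",
    "Feb 26 14:32:16 darkstar sshd[10027]: error: PAM: Authentication failure for admin from 192.168.1.23",
    "Feb 26 14:32:18 darkstar sshd[10028]: error: PAM: Authentication failure for admin from 192.168.1.23",
]


def expand_desc(desc, line, match):
    """Substitute $0 (whole line) and $1..$n (capture groups) into desc, as SEC does."""
    return re.sub(
        r"\$(\d+)",
        lambda m: line if m.group(1) == "0" else match.group(int(m.group(1))),
        desc,
    )


def single_with_threshold(lines, desc, window=15, thresh=3):
    """Simplified model of SingleWithThreshold (assumption: not SEC's real code).

    The expanded desc is the correlation key; each key has its own sliding window
    of match timestamps, and the operation fires once thresh matches fall inside
    window seconds. Returns the keys that fired, in order.
    """
    counters = defaultdict(deque)
    fired = []
    for line in lines:
        match = PATTERN.search(line)
        if not match:
            continue
        # Syslog lines carry no year; assume 2009 for the constructed sample.
        ts = datetime.strptime("2009 " + line[:15], "%Y %b %d %H:%M:%S").timestamp()
        key = expand_desc(desc, line, match)
        recent = counters[key]
        recent.append(ts)
        while recent and ts - recent[0] > window:
            recent.popleft()
        if len(recent) >= thresh:
            fired.append(key)
            recent.clear()
    return fired
```

With desc=$0 each of the three sample lines is its own key, so nothing fires; only the same line repeated three times reaches the threshold, which is the behaviour observed in the post.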

_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users