On 11/14/06, Ken A <[EMAIL PROTECTED]> wrote:
I had a case yesterday, where firewall-drop was called on the first IP in a list of IPs that ossec reported under rule 40111 (multiple auth failures) - these were NOT from the same IP, yet the active response fired anyway! There was only a single auth failure from the IP that was blocked. This is a default, local install of ossec .9-3 on an FC3 machine.
Interesting... I just had to manually kill this IP as there is not even an empty log for my ossec-hids-responses.log. This IP generated 11 email notices but no action was taken. :(

Received From: (ossec machine)->/var/log/proftpd.log
Rule: 40111 fired (level 10) -> "Multiple authentication failures."
Portion of the log(s):

proftpd[26891] localhost (222.135.146.45[222.135.146.45]): USER bin (Login failed): Incorrect password.
proftpd[26890] localhost (222.135.146.45[222.135.146.45]): USER bin (Login failed): Incorrect password.
proftpd[26890] localhost (222.135.146.45[222.135.146.45]): USER bin (Login failed): Incorrect password.
proftpd[26885] localhost (222.135.146.45[222.135.146.45]): USER bin (Login failed): Incorrect password.
proftpd[26885] localhost (222.135.146.45[222.135.146.45]): USER bin (Login failed): Incorrect password.
proftpd[26884] localhost (222.135.146.45[222.135.146.45]): USER bin (Login failed): Incorrect password.
proftpd[26883] localhost (222.135.146.45[222.135.146.45]): USER bin (Login failed): Incorrect password.
proftpd[26882] localhost (222.135.146.45[222.135.146.45]): USER bin (Login failed): Incorrect password.
proftpd[26882] localhost (222.135.146.45[222.135.146.45]): USER bin (Login failed): Incorrect password.
proftpd[26881] localhost (222.135.146.45[222.135.146.45]): USER bin (Login failed): Incorrect password.

P.S. Yes, "bin" is in /etc/ftpusers.
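The two reports above (an active response blocking the first IP of a burst that came from several sources, and a single source generating many failures without a response) both come down to whether failures are counted per source IP or across all sources. The following is an added illustration, not OSSEC's own code: it parses proftpd failure lines in the format quoted in the thread and compares a per-source-IP counter with a global one. The threshold, window, timestamps and addresses are constructed for the example and are not rule 40111's real settings.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the proftpd failure lines quoted in the thread, with a constructed
# syslog-style "Mon DD HH:MM:SS host" prefix so that a time window can be applied.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ proftpd\[\d+\] \S+ "
    r"\((?P<host>[^\[\s]+)\[(?P<ip>[\d.]+)\]\): USER (?P<user>\S+) \(Login failed\)"
)

def parse_failures(lines):
    """Yield (timestamp, source_ip, user) for each proftpd login failure line."""
    for line in lines:
        m = FAIL_RE.match(line)
        if m:
            yield datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"), m.group("ip"), m.group("user")

def sources_over_threshold(lines, threshold, window_seconds):
    """Per-source counting: return the IPs that reach `threshold` failures
    within any `window_seconds` span. Only these deserve a block."""
    recent = defaultdict(deque)
    flagged = set()
    for ts, ip, _user in parse_failures(lines):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            flagged.add(ip)
    return flagged

def first_source_of_global_burst(lines, threshold, window_seconds):
    """Global counting, the behaviour Ken describes: failures from all sources
    are pooled, and the IP of the oldest event in the burst is returned (blocked)
    even if that source failed only once."""
    q = deque()
    for ts, ip, _user in parse_failures(lines):
        q.append((ts, ip))
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            return q[0][1]
    return None

# Constructed sample: one failure from 10.0.0.5, then a burst from 203.0.113.9.
SAMPLE = ["Nov 14 10:00:00 srv proftpd[101] localhost (10.0.0.5[10.0.0.5]): USER bin (Login failed): Incorrect password."] + [
    f"Nov 14 10:00:{i:02d} srv proftpd[{200 + i}] localhost (203.0.113.9[203.0.113.9]): USER bin (Login failed): Incorrect password."
    for i in range(1, 6)
]
```

With a threshold of 3 failures in 60 seconds, the per-source counter flags only 203.0.113.9, while the global counter would hand 10.0.0.5 to the active response.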
