My setup is: OSSEC HIDS v1.4 installed on 3 machines, all running Slackware Linux. 1 server, 2 clients (default install: active response for alerts >= level 6).

I received an email alert:

OSSEC HIDS Notification.
2008 May 04 10:11:27

Received From: (taz) xxx.xxx.xxx.xx->/var/log/secure
Rule: 5712 fired (level 10) -> "SSHD brute force trying to get access to the system."
Portion of the log(s):

May 4 10:11:30 taz sshd[756]: input_userauth_request: illegal user admin
May 4 10:11:30 taz sshd[756]: Illegal user admin from 83.98.220.38
May 4 10:11:29 taz sshdfilt[755]: DB:FAILVAL: user=illegal user a, ip=83.98.220.38
May 4 10:11:29 taz sshd[756]: Failed password for illegal user a from 83.98.220.38 port 53049 ssh2
May 4 10:11:29 taz sshd[756]: input_userauth_request: illegal user a
May 4 10:11:29 taz sshd[756]: Illegal user a from 83.98.220.38
May 4 10:11:28 thing2 sshd[12343]: Failed password for invalid user a from 83.98.220.38 port 53032 ssh2

-------------------------------------------

I have instrumented analysisd with verbose() statements to catch this type of error. The following shows the abort on the server in ossec.log.

2008/05/04 10:11:27 ossec-analysisd: DEBUG_WDM: execute active response - 1209910287 Rule: 5712
2008/05/04 10:11:27 ossec-analysisd: DEBUG_WDM: exec AR abort - 1209910287 host: (taz) 192.168.110.59->/var/log/secure IP: (null)
2008/05/04 10:11:27 ossec-analysisd: DEBUG_WDM: exec AR abort - 1209910287 host: (taz) xxx.xxx.xxx.xx->/var/log/secure IP: (null)

---------------------------------------------

Can anybody spot the problem? Any suggestions on fixing this? Two other posts on this mailing list haven't yielded any replies; I'm not sure if anyone is getting my posts or maybe I haven't provided enough info?

Thanks in advance,
Wm
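As an added check (my own Python, not OSSEC's decoder and not from the poster), the script below walks the log portion quoted in the alert and reports which lines a decoder could pull a source address from. The patterns are hypothetical and cover only the sshd message shapes quoted above; note that the newest line in the portion, the input_userauth_request one, names a user but carries no address.

```python
import re
from typing import List, Optional

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# Hypothetical decoder patterns covering only the sshd message shapes quoted in the alert.
SSHD_PATTERNS = [
    # "Illegal user admin from 83.98.220.38"
    re.compile(r"sshd\[\d+\]: Illegal user (?P<user>\S+) from (?P<srcip>" + IPV4 + r")"),
    # "Failed password for illegal user a from 83.98.220.38 port 53049 ssh2"
    re.compile(r"sshd\[\d+\]: Failed password for (?:illegal|invalid) user (?P<user>\S+) from (?P<srcip>" + IPV4 + r")"),
    # "input_userauth_request: illegal user admin" carries a user name but no address
    re.compile(r"sshd\[\d+\]: input_userauth_request: illegal user (?P<user>\S+)\s*$"),
]

# Constructed copy of the log portion from the alert, newest line first.
ALERT_LOG_LINES = [
    "May 4 10:11:30 taz sshd[756]: input_userauth_request: illegal user admin",
    "May 4 10:11:30 taz sshd[756]: Illegal user admin from 83.98.220.38",
    "May 4 10:11:29 taz sshdfilt[755]: DB:FAILVAL: user=illegal user a, ip=83.98.220.38",
    "May 4 10:11:29 taz sshd[756]: Failed password for illegal user a from 83.98.220.38 port 53049 ssh2",
    "May 4 10:11:29 taz sshd[756]: input_userauth_request: illegal user a",
    "May 4 10:11:29 taz sshd[756]: Illegal user a from 83.98.220.38",
    "May 4 10:11:28 thing2 sshd[12343]: Failed password for invalid user a from 83.98.220.38 port 53032 ssh2",
]


def decode_sshd(line: str) -> Optional[dict]:
    """Return {'user', 'srcip'} for a recognised sshd line, else None (srcip may be None)."""
    for pattern in SSHD_PATTERNS:
        match = pattern.search(line)
        if match:
            fields = match.groupdict()
            return {"user": fields.get("user"), "srcip": fields.get("srcip")}
    return None


def lines_without_srcip(lines: List[str]) -> List[str]:
    """Lines from which no source address can be decoded (unrecognised or address-less)."""
    return [ln for ln in lines if (decode_sshd(ln) or {}).get("srcip") is None]


def triggering_srcip(lines: List[str]) -> Optional[str]:
    """Source address of the newest line in the alert's log portion (the first listed), if any."""
    decoded = decode_sshd(lines[0])
    return decoded["srcip"] if decoded else None


if __name__ == "__main__":
    print("srcip of newest line:", triggering_srcip(ALERT_LOG_LINES))
    for ln in lines_without_srcip(ALERT_LOG_LINES):
        print("no srcip:", ln)
```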
