Hi Peter,

thanks for your reply,
it was what I needed to know!

I am so grateful for all the replies, thanks a lot!



On Wed, Apr 15, 2009 at 10:47 AM, Peter M. Abraham
<peter.abra...@dynamicnet.net> wrote:
>
> Greetings Darvin:
>
> Your English is good.
>
> Are you receiving ossec alert emails?
>
> I.e.
>
>
> ### START
> OSSEC HIDS Notification.
> 2009 Apr 13 21:40:46
>
> Received From: (fully qualified machine name) abc.abc.abc.abc->/var/
> log/secure
> Rule: 5712 fired (level 13) -> "SSHD brute force trying to get access
> to the system."
> Portion of the log(s):
>
> Apr 14 11:40:46 web sshd[13111]: Failed password for invalid user
> eaguilar from 202.108.145.130 port 57973 ssh2
> Apr 14 11:40:46 web sshd[13111]: Invalid user eaguilar from
> 202.108.145.130
> Apr 14 11:40:46 web sshd[13109]: Failed password for invalid user
> eaguilar from 202.108.145.130 port 57959 ssh2
> Apr 14 11:40:46 web sshd[13109]: Invalid user eaguilar from
> 202.108.145.130
> Apr 14 11:40:45 web sshd[13105]: Failed password for invalid user
> eaguilar from 202.108.145.130 port 57930 ssh2
> Apr 14 11:40:45 web sshd[13103]: Failed password for invalid user
> eaguilar from 202.108.145.130 port 57915 ssh2
> Apr 14 11:40:44 web sshd[13105]: Invalid user eaguilar from
> 202.108.145.130
>
>
>
>  --END OF NOTIFICATION
> ### EOF
>
>
> If you are receiving such emails (it does not have to be exactly like
> the above), you should be able to correlate the IP address blocked by
> what rule ID.
>
>
> Also, if you review /var/ossec/logs/active-responses.log on the agent
> (server with the IP address block), the last component of the log is
> the rule id.
>
> Example:
>
> Tue Apr 14 17:15:59 EDT 2009 /var/ossec/active-response/bin/firewall-drop.sh add - 190.144.86.242 1239743758.17566044 5712
>
>
> The above drop was due to rule ID 5712.
>
>
> Thank you.
>

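As an added example, not part of the thread or of OSSEC itself: a small Python parser for lines in the active-responses.log layout Peter shows, which answers "which rule id blocked this IP?" and groups blocked IPs by rule id. The log lines are constructed (only the first entry mirrors the thread's example; 198.51.100.7 and 203.0.113.9 are documentation addresses), and the field layout is assumed from that single example.

```python
import re
from collections import defaultdict

# Constructed sample of /var/ossec/logs/active-responses.log lines (not from a
# real host). Assumed layout, taken from the one example in the thread:
# free-form date, response script, add|delete, user, source IP, alert id, rule id.
SAMPLE_LOG = """\
Tue Apr 14 17:15:59 EDT 2009 /var/ossec/active-response/bin/firewall-drop.sh add - 190.144.86.242 1239743758.17566044 5712
Tue Apr 14 17:25:59 EDT 2009 /var/ossec/active-response/bin/firewall-drop.sh delete - 190.144.86.242 1239743758.17566044 5712
Tue Apr 14 18:02:11 EDT 2009 /var/ossec/active-response/bin/host-deny.sh add - 203.0.113.9 1239746531.17590011 5720
Tue Apr 14 18:02:11 EDT 2009 /var/ossec/active-response/bin/firewall-drop.sh add - 203.0.113.9 1239746531.17590011 5720
Tue Apr 14 18:30:00 EDT 2009 /var/ossec/active-response/bin/firewall-drop.sh add - 198.51.100.7 1239748200.17600100 5712
"""

LINE_RE = re.compile(
    r"^(?P<when>.+?) (?P<script>/\S+) (?P<action>add|delete) (?P<user>\S+) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<alert_id>\d+\.\d+) (?P<rule_id>\d+)\s*$"
)

def parse_line(line):
    """Return the fields of one active-responses.log line as a dict, or None
    if the line does not match the assumed layout (e.g. a wrapped line)."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def blocks_by_rule(log_text):
    """Map rule id -> sorted list of IPs that rule blocked ('add' lines).
    'delete' lines are the timed unblocks and are ignored here."""
    out = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["action"] == "add":
            out[rec["rule_id"]].add(rec["ip"])
    return {rule: sorted(ips) for rule, ips in out.items()}

def why_blocked(log_text, ip):
    """The question from the thread: which rule id(s) caused this IP to be
    blocked, and by which response script. Returns (rule_id, script) pairs."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["action"] == "add" and rec["ip"] == ip:
            hits.append((rec["rule_id"], rec["script"].rsplit("/", 1)[-1]))
    return hits

if __name__ == "__main__":
    for rule, ips in sorted(blocks_by_rule(SAMPLE_LOG).items()):
        print(rule, ips)
    print(why_blocked(SAMPLE_LOG, "190.144.86.242"))
```

Run it against the real file with `why_blocked(open("/var/ossec/logs/active-responses.log").read(), ip)` to get the rule id to look up in the OSSEC rules directory.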