I'm getting the following alerts from one of my hosts:
OSSEC HIDS Notification.
2009 Sep 15 01:10:52
Received From: (JMRL-KERMIT) 166.61.234.87->/var/log/secure
Rule: 5551 fired (level 10) -> "Multiple failed logins in a small period of
time."
Portion of the log(s):
Sep 15 01:08:38 kermit sshd[3625]: pam_unix(sshd:auth): authentication failure;
logname= uid=0 euid=0 tty=ssh ruser= rhost=gate.vhs-mainz.de user=root
Sep 15 01:08:35 kermit sshd[3621]: pam_unix(sshd:auth): authentication failure;
logname= uid=0 euid=0 tty=ssh ruser= rhost=gate.vhs-mainz.de user=root
Sep 15 01:08:33 kermit sshd[3617]: pam_unix(sshd:auth): authentication failure;
logname= uid=0 euid=0 tty=ssh ruser= rhost=gate.vhs-mainz.de user=root
Sep 15 01:08:29 kermit sshd[3613]: pam_unix(sshd:auth): authentication failure;
logname= uid=0 euid=0 tty=ssh ruser= rhost=gate.vhs-mainz.de user=root
Sep 15 01:08:27 kermit sshd[3609]: pam_unix(sshd:auth): authentication failure;
logname= uid=0 euid=0 tty=ssh ruser= rhost=gate.vhs-mainz.de user=root
Sep 15 01:08:24 kermit sshd[3605]: pam_unix(sshd:auth): authentication failure;
logname= uid=0 euid=0 tty=ssh ruser= rhost=gate.vhs-mainz.de user=root
Sep 15 01:08:22 kermit sshd[3601]: pam_unix(sshd:auth): authentication failure;
logname= uid=0 euid=0 tty=ssh ruser= rhost=gate.vhs-mainz.de user=root
However, there are no entries to deny gate.vhs-mainz.de in the
/var/ossec/logs/active-response.log
Here's the active response part of the ossec.conf file:
<active-response>
<command>host-deny</command>
<location>local</location>
<level>10</level>
<rules_id>5551,5712,5720,40111,11210,31151,30114</rules_id>
<rules_group>sshd_rules</rules_group>
<timeout>600</timeout>
</active-response>
This source brute-forced this system all night, generating lots of
alerts, but no active response.
Any ideas?
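An added example, not part of the original post and not OSSEC's own code, that models the two halves of what the post describes: counting pam_unix authentication failures per source host within a time window (the kind of check rule 5551 performs) and applying the three filters of the quoted <active-response> block to decide whether host-deny would run. Assumptions: the year 2009 (syslog timestamps carry none), a frequency of 6 failures in 180 seconds for the rule (placeholder values, not taken from the OSSEC rule file), that every filter set in the block (level, rules_id, rules_group) must match for the response to fire, and that rules_group matching is a plain set intersection against the rule's groups. The sample log is the seven lines from the alert plus one constructed line from a second source to show per-source counting.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: the seven pam_unix failures quoted in the alert, in the
# newest-first order OSSEC printed them, plus one constructed line from a second
# source (10.0.0.5 / alice) so per-source counting is visible.
SAMPLE_LOG = """\
Sep 15 01:08:38 kermit sshd[3625]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=gate.vhs-mainz.de user=root
Sep 15 01:08:35 kermit sshd[3621]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=gate.vhs-mainz.de user=root
Sep 15 01:08:33 kermit sshd[3617]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=gate.vhs-mainz.de user=root
Sep 15 01:08:29 kermit sshd[3613]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=gate.vhs-mainz.de user=root
Sep 15 01:08:27 kermit sshd[3609]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=gate.vhs-mainz.de user=root
Sep 15 01:08:24 kermit sshd[3605]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=gate.vhs-mainz.de user=root
Sep 15 01:08:22 kermit sshd[3601]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=gate.vhs-mainz.de user=root
Sep 15 01:09:00 kermit sshd[3630]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5 user=alice
"""

# Matches the pam_unix "authentication failure" line format shown in the alert.
PAM_FAIL = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"pam_unix\(sshd:auth\): authentication failure;.*\brhost=(?P<rhost>\S*)"
    r".*\buser=(?P<user>\S*)"
)

# Mirrors the <active-response> block from the post as a dict.
AR_CONFIG = {
    "command": "host-deny",
    "level": 10,
    "rules_id": {5551, 5712, 5720, 40111, 11210, 31151, 30114},
    "rules_group": {"sshd_rules"},
    "timeout": 600,
}


def parse_failures(text, year=2009):
    """Return (timestamp, rhost, user) tuples sorted oldest-first.
    The year is an assumption: syslog lines do not carry one."""
    events = []
    for line in text.splitlines():
        m = PAM_FAIL.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["rhost"], m["user"]))
    events.sort()  # the alert printed them newest-first; windowing needs order
    return events


def peak_failures_per_source(events, timeframe):
    """For each rhost, the largest number of failures that fall inside any
    sliding window of `timeframe` seconds (simplified counting, not OSSEC's)."""
    per_source = defaultdict(list)
    for ts, rhost, _user in events:
        per_source[rhost].append(ts)
    window = timedelta(seconds=timeframe)
    peaks = {}
    for rhost, times in per_source.items():
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge
                start += 1
            best = max(best, end - start + 1)
        peaks[rhost] = best
    return peaks


def sources_over_threshold(events, frequency=6, timeframe=180):
    """Sources that reached `frequency` failures within `timeframe` seconds
    (placeholder values, not read from OSSEC's rule definition)."""
    peaks = peak_failures_per_source(events, timeframe)
    return sorted(r for r, n in peaks.items() if n >= frequency)


def active_response_applies(rule_id, level, rule_groups, ar):
    """Assumption: every filter present in the block must match; a filter that
    is absent is ignored. rules_group is checked as a set intersection."""
    if "level" in ar and level < ar["level"]:
        return False
    if "rules_id" in ar and rule_id not in ar["rules_id"]:
        return False
    if "rules_group" in ar and not (set(rule_groups) & ar["rules_group"]):
        return False
    return True


if __name__ == "__main__":
    evs = parse_failures(SAMPLE_LOG)
    print("peaks per source:", peak_failures_per_source(evs, 180))
    print("over threshold:", sources_over_threshold(evs))
    # Same rule id and level, different group memberships (both hypothetical).
    for groups in (["syslog", "sshd_rules"], ["pam", "syslog"]):
        print(groups, "->", active_response_applies(5551, 10, groups, AR_CONFIG))
```

The last loop is the check worth keeping: with the block as quoted, a rule id that is listed in rules_id and a level of 10 are not sufficient on their own under the all-filters-must-match assumption, because rules_group is also set. Whether rule 5551 actually belongs to a group matching sshd_rules is something to confirm against the rule definitions on the host; the example only shows that the outcome turns on it.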