Here is an example alert I get; I get several of them while they are trying to connect.

OSSEC HIDS Notification.
2012 Jun 22 10:35:06

Received From: (MYSFTPSERVER) 10.0.0.5->/var/log/auth.log
Rule: 5720 fired (level 10) -> "Multiple SSHD authentication failures."
Portion of the log(s):

Jun 22 10:26:22 MYSFTPSERVER sshd[27006]: Failed none for bob from 192.168.0.1 port 52833 ssh2
Jun 22 10:22:41 MYSFTPSERVER sshd[26921]: Failed none for bob from 192.168.0.1 port 44271 ssh2
Jun 22 10:22:33 MYSFTPSERVER sshd[26843]: Failed none for bob from 192.168.0.1 port 55252 ssh2
Jun 22 10:22:05 MYSFTPSERVER sshd[26765]: Failed none for bob from 192.168.0.1 port 32289 ssh2
Jun 22 10:21:57 MYSFTPSERVER sshd[26687]: Failed none for bob from 192.168.0.1 port 26317 ssh2
Jun 22 10:21:50 MYSFTPSERVER sshd[26609]: Failed none for bob from 192.168.0.1 port 41681 ssh2
Jun 22 10:21:43 MYSFTPSERVER sshd[26531]: Failed none for bob from 192.168.0.1 port 56518 ssh2
Jun 22 10:21:31 MYSFTPSERVER sshd[26452]: Failed none for bob from 192.168.0.1 port 18032 ssh2

--END OF NOTIFICATION

OSSEC HIDS Notification.
2012 Jun 22 10:35:06

Received From: (MYSFTPSERVER) 10.0.0.5->/var/log/auth.log
Rule: 40112 fired (level 12) -> "Multiple authentication failures followed by a success."
Portion of the log(s):

Jun 22 10:26:22 MYSFTPSERVER sshd[27006]: Accepted password for bob from 192.168.0.1 port 52833 ssh2

I changed up the IP addresses, usernames, and server names, but otherwise this is a straight copy and paste.

On Friday, June 22, 2012 3:39:15 PM UTC-5, dan (ddpbsd) wrote:
>
> Samples?
> On Jun 22, 2012 4:36 PM, "Josh" <[email protected]> wrote:
>
>> I have a customer who is trying to connect to an SFTP server I have set
>> up. Recently, due to some organization changes on their end, they are
>> initiating approx. 30 separate SSH connections to my server in about 1
>> minute. This triggers an alert for several "failed none" messages from the
>> IP address of my customer. The end result is AR blocks them because a rule
>> with severity of 12 gets launched (multiple authentication failures
>> followed by a success). Is there a way to filter out "failed none" messages
>> so that they do not get blocked by AR? I have already whitelisted them in
>> ossec.conf.
>>
>
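One way to stop the "Failed none" lines from feeding rules 5720 and 40112 is a local rule override. The snippet below is an added example, not code from this thread or from OSSEC's shipped rule set. It assumes the stock OSSEC sshd rules, where rule 5716 ("SSHD authentication failed.") matches every sshd line beginning with "Failed" and is the rule whose hits the frequency rules 5720 and 40112 count; the rule id 100010 is an arbitrary pick from the local-rule id range. OpenSSH logs "Failed none for USER from IP" when a client offers the "none" method to learn which methods the server allows, so these lines are a method probe rather than a wrong password.

```xml
<!-- /var/ossec/rules/local_rules.xml  (added example, not from the thread or from OSSEC)
     Assumes stock OSSEC sshd rules: 5716 matches lines starting "Failed ..." and is
     what 5720 ("Multiple SSHD authentication failures") and 40112 ("Multiple
     authentication failures followed by a success") count. Rule id 100010 is an
     assumed id from the 100000+ local range. -->
<group name="local,syslog,sshd,">

  <!-- Child of 5716 that catches only the "none" method probe and drops it to level 0.
       A level-0 rule fires instead of its parent, produces no alert, and therefore is
       never counted by the frequency rules 5720 / 40112. Real "Failed password" and
       "Failed publickey" lines do not match "^Failed none" and still reach 5716 as before,
       so brute-force detection on the same host is unchanged. -->
  <rule id="100010" level="0">
    <if_sid>5716</if_sid>
    <match>^Failed none for</match>
    <description>sshd: client "none" method probe, not a real authentication failure.</description>
  </rule>

</group>
```

To limit the exception to the one customer rather than every source, add a `<srcip>` element with their address (the thread's 192.168.0.1 is a placeholder) inside the rule. Verify the override before restarting by pasting one of the "Failed none" lines into `/var/ossec/bin/ossec-logtest`; it should report rule 100010 at level 0, while a "Failed password" line should still report 5716. Then restart with `/var/ossec/bin/ossec-control restart` so the manager reloads the rules.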
