And basic filtering isn't working? I feel like I've solved this one before.

On Jun 22, 2012 6:25 PM, "Josh" wrote:

> Here is an example alert I get; I get several of them while they are
> trying to connect.
>
> OSSEC HIDS Notification.
> 2012 Jun 22 10:35:06
>
> Received From: (MYSFTPSERVER) 10.0.0.5->/var/log/auth.log
> Rule: 5720 fired (level 10) -> "Multiple SSHD authentication failures."
> Portion of the log(s):
>
> Jun 22 10:26:22 MYSFTPSERVER sshd[27006]: Failed none for bob from 192.168.0.1 port 52833 ssh2
> Jun 22 10:22:41 MYSFTPSERVER sshd[26921]: Failed none for bob from 192.168.0.1 port 44271 ssh2
> Jun 22 10:22:33 MYSFTPSERVER sshd[26843]: Failed none for bob from 192.168.0.1 port 55252 ssh2
> Jun 22 10:22:05 MYSFTPSERVER sshd[26765]: Failed none for bob from 192.168.0.1 port 32289 ssh2
> Jun 22 10:21:57 MYSFTPSERVER sshd[26687]: Failed none for bob from 192.168.0.1 port 26317 ssh2
> Jun 22 10:21:50 MYSFTPSERVER sshd[26609]: Failed none for bob from 192.168.0.1 port 41681 ssh2
> Jun 22 10:21:43 MYSFTPSERVER sshd[26531]: Failed none for bob from 192.168.0.1 port 56518 ssh2
> Jun 22 10:21:31 MYSFTPSERVER sshd[26452]: Failed none for bob from 192.168.0.1 port 18032 ssh2
>
> --END OF NOTIFICATION
>
>
> OSSEC HIDS Notification.
> 2012 Jun 22 10:35:06
>
> Received From: (MYSFTPSERVER) 10.0.0.5->/var/log/auth.log
> Rule: 40112 fired (level 12) -> "Multiple authentication failures followed by a success."
> Portion of the log(s):
>
> Jun 22 10:26:22 MYSFTPSERVER sshd[27006]: Accepted password for bob from 192.168.0.1 port 52833 ssh2
>
>
> I changed the IP addresses, usernames, and server names, but otherwise
> this is a straight copy and paste.
>
> On Friday, June 22, 2012 3:39:15 PM UTC-5, dan (ddpbsd) wrote:
>>
>> Samples?
>>
>> On Jun 22, 2012 4:36 PM, "Josh" wrote:
>>
>>> I have a customer who is trying to connect to an SFTP server I have set
>>> up. Recently, due to some organizational changes on their end, they are
>>> initiating approx. 30 separate SSH connections to my server in about 1
>>> minute. This triggers an alert for several "Failed none" messages from the
>>> IP address of my customer. The end result is that AR blocks them because a
>>> rule with severity 12 (multiple authentication failures followed by a
>>> success) gets launched. Is there a way to filter out "Failed none" messages
>>> so that they do not get blocked by AR? I have already whitelisted them in
>>> ossec.conf.
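The filter the thread is asking for, written out as an added example (this is not from the list posts or the OSSEC project). In the stock OSSEC ruleset the sshd "Failed ..." lines land on rule 5716 ("SSHD authentication failed"); 5720 is a frequency rule over 5716, and 40112 fires when those failures are followed by an "Accepted" line, which is what hands the address to active response here. OpenSSH clients send the "none" authentication method first to learn which methods the server allows, so every one of the customer's connections logs one "Failed none" even though the password that follows is accepted. A level-0 child of 5716 that matches only "Failed none" keeps those lines out of the 5716 count while a real "Failed password" still hits 5716 and still feeds 5720. The rule id 100100 and the group string are assumptions; use any id that is free in your own local_rules.xml.

```xml
<!-- /var/ossec/rules/local_rules.xml on the manager (added example, not
     the project's shipped rules). Rule id 100100 is an assumed free id in
     the local range; change it if you already use it. -->
<group name="local,syslog,sshd,">

  <!-- Child of 5716 ("SSHD authentication failed"). An OpenSSH client
       offers the "none" method first to discover the allowed methods, so
       sshd logs "Failed none ..." once per connection even when the password
       that follows is accepted. Level 0 means the event is ignored, so it
       is no longer counted toward 5720 and cannot complete 40112.
       <match> is a substring match; the leading ^ anchors it to the start
       of the decoded sshd message. -->
  <rule id="100100" level="0">
    <if_sid>5716</if_sid>
    <match>^Failed none</match>
    <description>sshd "none" method probe, not a real authentication failure.</description>
  </rule>

</group>
```

Rules are evaluated on the manager, so this goes into the manager's local_rules.xml, followed by an OSSEC restart. To confirm it took effect, paste one of the "Failed none" lines above into /var/ossec/bin/ossec-logtest and check that it now reports rule 100100 at level 0, then paste a "Failed password" line and check that it still reports 5716, so brute-force detection is unchanged. Separately, the `<white_list>` that exempts an address from active response is read by the manager from the `<global>` section of its own ossec.conf (again only after a restart), so that is the file to check when a whitelisted address is still being blocked.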
