Hi gang: I've been working hard to get up-to-date on OSSEC but as you all know, there's a lot to cover. I've read the docs on the website and have a copy of Brad Lhotsky's guide but am running into an issue in setup that I haven't quite figured out.
I have a test setup with a server named 'ossec' and an agent named 'logserver'. With the default install, if I run a brute-force ssh password attack against 'logserver' I will get locked out of both machines after about 16 bad password attempts using medusa. Great! That's what I want it to do. Except that I don't want to be locked out from my own machine. I added my local subnet to the conf file on 'ossec':

    root@ossec:/var/ossec/etc# head ossec.conf
    <ossec_config>
      <global>
        <email_notification>yes</email_notification>
        <email_to>root@localhost</email_to>
        <smtp_server>127.0.0.1</smtp_server>
        <email_from>ossecm@ossec</email_from>
        <white_list>192.168.2.0/24</white_list>
      </global>

Once I did that I restarted both server and agent. Now when I run a password crack attempt from my machine I no longer get locked out, which is what I wanted, but I also don't see the attempt logged anywhere. I was under the impression that OSSEC would still log any rules that are violated by a whitelisted server. What am I missing? How can I log bad behavior from whitelisted systems without locking myself out?

Thanks,
Rick Chatham
amco.me