Hi gang:

I've been working hard to get up-to-date on OSSEC but as you all know, 
there's a lot to cover.  I've read the docs on the website and have a copy 
of Brad Lhotsky's guide but am running into an issue in setup that I 
haven't quite figured out.

I have a test setup with a server named 'ossec' and an agent named 
'logserver'.  With the default install, if I run a brute force ssh password 
attack against 'logserver' I will get locked out of both machines after 
about 16 bad password attempts using medusa.  Great!  That's what I want it 
to do.  Except that I don't want to be locked out from my own machine.

I added my local subnet to the conf file on 'ossec'.

root@ossec:/var/ossec/etc# head ossec.conf
<ossec_config>

  <global>
    <email_notification>yes</email_notification>
    <email_to>root@localhost</email_to>
    <smtp_server>127.0.0.1</smtp_server>
    <email_from>ossecm@ossec</email_from>
    <white_list>192.168.2.0/24</white_list>
  </global>

Once I did that I restarted both server and agent.

Now when I run a password crack attempt from my machine I no longer get 
locked out, which is what I wanted, but I also don't see the attempt logged 
anywhere.  I was under the impression that OSSEC would still log any rules 
that are violated by a whitelisted server.

What am I missing?  How can I log bad behavior from whitelisted systems 
without locking myself out?

Thanks,

Rick Chatham
amco.me
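
As an added illustration (not OSSEC's code and not part of the original post), the separation the question is after: count failed logins from every source and alert once the threshold is crossed, but exempt only the white_list addresses from the block step, so abuse from a whitelisted host is still recorded. The ossec.conf fragment, the sshd lines and the threshold of 16 are constructed for the example.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed ossec.conf fragment, modelled on the one quoted in the post.
OSSEC_CONF = """<ossec_config>
  <global>
    <white_list>192.168.2.0/24</white_list>
    <white_list>127.0.0.1</white_list>
  </global>
</ossec_config>"""

# Constructed sshd lines: 16 failures from a whitelisted host, 3 from outside.
SAMPLE_LOG = ["Failed password for root from 192.168.2.10 port 51000 ssh2"] * 16 + [
    "Failed password for invalid user admin from 203.0.113.7 port 4000 ssh2"] * 3

FAILED_RE = re.compile(r"Failed password for .* from (\S+) port")
THRESHOLD = 16  # constructed; mirrors the lockout count the post reports

def load_white_list(conf_xml):
    """Return every <white_list> entry as a network (a bare IP becomes a /32)."""
    root = ET.fromstring(conf_xml)
    return [ipaddress.ip_network(e.text.strip()) for e in root.iter("white_list")]

def is_whitelisted(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)

def evaluate(log_lines, networks, threshold=THRESHOLD):
    """Alert on every source that crosses the threshold; block only the
    sources that are not whitelisted, so whitelisted abuse is still recorded."""
    failures = Counter()
    for line in log_lines:
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(1)] += 1
    alerts, blocks = [], []
    for ip, count in failures.items():
        if count >= threshold:
            alerts.append(ip)  # recorded regardless of white_list
            if not is_whitelisted(ip, networks):
                blocks.append(ip)  # active response only for outsiders
    return alerts, blocks

if __name__ == "__main__":
    nets = load_white_list(OSSEC_CONF)
    print(evaluate(SAMPLE_LOG, nets))
```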

You received this message because you are subscribed to the Google Groups 
"ossec-list" group.