Thanks @Brent.  I added the logall option and temporarily removed the 
whitelist.
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>root@localhost</email_to>
    <smtp_server>127.0.0.1</smtp_server>
    <email_from>ossecm@ossec</email_from>
    <logall>yes</logall>
  </global>

I'm now properly getting banned, but nothing is showing up in ossec.log. Just in active-responses.log. Is that the expected behavior? Because from what I can tell stuff only shows up in the latter if some kind of action was taken. (Thus when I institute whitelisting, nothing shows up anywhere because no action was taken against the offending host.) Here are the logs:

root@ossec:/var/ossec/logs# tail ossec.log
2015/04/15 15:01:24 ossec-logcollector: INFO: Monitoring full output of command(360): netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort
2015/04/15 15:01:24 ossec-logcollector: INFO: Monitoring full output of command(360): last -n 5
2015/04/15 15:01:24 ossec-logcollector: INFO: Started (pid: 1620).
2015/04/15 15:02:24 ossec-execd: INFO: Active response command not present: '/var/ossec/active-response/bin/restart-ossec.cmd'. Not using it on this system.
2015/04/15 15:02:25 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2015/04/15 15:02:25 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
2015/04/15 15:08:27 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
2015/04/15 15:08:39 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).
2015/04/15 15:08:59 ossec-rootcheck: INFO: Starting rootcheck scan.
2015/04/15 15:11:53 ossec-rootcheck: INFO: Ending rootcheck scan.

root@ossec:/var/ossec/logs# tail active-responses.log
Thu Apr  9 13:57:34 PDT 2015 /var/ossec/active-response/bin/host-deny.sh delete - 192.168.2.156 1428612423.40032 5551
Thu Apr  9 13:57:34 PDT 2015 /var/ossec/active-response/bin/firewall-drop.sh delete - 192.168.2.156 1428612423.40032 5551
Thu Apr  9 15:39:50 PDT 2015 /var/ossec/active-response/bin/host-deny.sh add - 192.168.2.156 1428619190.55095 5551
Thu Apr  9 15:39:50 PDT 2015 /var/ossec/active-response/bin/firewall-drop.sh add - 192.168.2.156 1428619190.55095 5551
Thu Apr  9 15:50:22 PDT 2015 /var/ossec/active-response/bin/host-deny.sh delete - 192.168.2.156 1428619190.55095 5551
Thu Apr  9 15:50:22 PDT 2015 /var/ossec/active-response/bin/firewall-drop.sh delete - 192.168.2.156 1428619190.55095 5551
Wed Apr 15 15:02:24 PDT 2015 /var/ossec/active-response/bin/host-deny.sh add - 192.168.2.183 1429135344.10642 5551
Wed Apr 15 15:02:24 PDT 2015 /var/ossec/active-response/bin/firewall-drop.sh add - 192.168.2.183 1429135344.10642 5551
Wed Apr 15 15:12:57 PDT 2015 /var/ossec/active-response/bin/host-deny.sh delete - 192.168.2.183 1429135344.10642 5551
Wed Apr 15 15:12:57 PDT 2015 /var/ossec/active-response/bin/firewall-drop.sh delete - 192.168.2.183 1429135344.10642 5551

Ideas?

Thanks,

Rick

On Wednesday, April 15, 2015 at 5:04:57 AM UTC-7, Brent Morris wrote:
>
> Add that logall option right in the <global> section and restart ossec.
>
> On Wednesday, April 15, 2015 at 2:07:02 AM UTC-7, ri...@amcoonline.net wrote:
>>
>> @brent Morris
>>
>> I don't have the option <logall> set on either the server or agent. Which section does it go in?
>>
>> Here is the local_rules.xml from the server.
>> -----------------
>> <group name="local,syslog,">
>>
>>   <!-- Note that rule id 5711 is defined at the ssh_rules file
>>     -  as a ssh failed login. This is just an example
>>     -  since ip 1.1.1.1 shouldn't be used anywhere.
>>     -  Level 0 means ignore.
>>     -->
>>   <rule id="100001" level="0">
>>     <if_sid>5711</if_sid>
>>     <srcip>1.1.1.1</srcip>
>>     <description>Example of rule that will ignore sshd </description>
>>     <description>failed logins from IP 1.1.1.1.</description>
>>   </rule>
>>
>>
>>   <!-- This example will ignore ssh failed logins for the user name XYZABC.
>>     -->
>>   <!--  
>>   <rule id="100020" level="0">
>>     <if_sid>5711</if_sid>
>>     <user>XYZABC</user>
>>     <description>Example of rule that will ignore sshd </description>
>>     <description>failed logins for user XYZABC.</description>
>>   </rule>
>>   -->
>>
>>
>>   <!-- Specify here a list of rules to ignore. -->
>>   <!--
>>   <rule id="100030" level="0">
>>     <if_sid>12345, 23456, xyz, abc</if_sid>
>>     <description>List of rules to be ignored.</description>
>>   </rule>
>>   -->
>>
>> </group> <!-- SYSLOG,LOCAL -->
>>
>>
>> <!-- EOF -->
>> --------------
>>
>> Thanks in advance,
>>
>> Rick
>>
>> On Tuesday, April 14, 2015 at 8:52:26 AM UTC-7, Brent Morris wrote:
>>>
>>> Do you have the <logall>yes</logall> option set in your ossec.conf?
>>>
>>> When I scan my ossec box, I see plenty of attempts in the archive.log...
>>>
>>> On Monday, April 13, 2015 at 5:26:15 PM UTC-7, ri...@amcoonline.net wrote:
>>>>
>>>> Hi gang:
>>>>
>>>> I've been working hard to get up-to-date on OSSEC but as you all know, 
>>>> there's a lot to cover.  I've read the docs on the website and have a copy 
>>>> of Brad Lhotsky's guide but am running into an issue in setup that I 
>>>> haven't quite figured out.
>>>>
>>>> I have a test setup with a server named 'ossec' and an agent named 'logserver'. With the default install, if I run a brute force ssh password attack against 'logserver' I will get locked out of both machines after about 16 bad password attempts using medusa. Great! That's what I want it to do. Except that I don't want to be locked out from my own machine.
>>>>
>>>> I added my local subnet to the conf file on 'ossec'.
>>>>
>>>> root@ossec:/var/ossec/etc# head ossec.conf
>>>> <ossec_config>
>>>>   <global>
>>>>     <email_notification>yes</email_notification>
>>>>     <email_to>root@localhost</email_to>
>>>>     <smtp_server>127.0.0.1</smtp_server>
>>>>     <email_from>ossecm@ossec</email_from>
>>>>     <white_list>192.168.2.0/24</white_list>
>>>>   </global>
>>>>
>>>> Once I did that I restarted both server and agent.
>>>>
>>>> Now when I run a password crack attempt from my machine I no longer get locked out, which is what I wanted, but I also don't see the attempt logged anywhere. I was under the impression that OSSEC would still log any rules that are violated by a whitelisted server.
>>>>
>>>> What am I missing?  How can I log bad behavior from whitelisted systems 
>>>> without locking myself out?
>>>>
>>>> Thanks,
>>>>
>>>> Rick Chatham
>>>> amco.me
>>>>
>>>>
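As an added example (not code from this thread or from OSSEC itself): a small Python parser for the active-responses.log layout shown above that pairs each host-deny.sh / firewall-drop.sh "add" with its later "delete" for the same IP and alert id, so you can confirm what was blocked, for how long, and whether a block is still in place. The sample lines are constructed from the ones in the thread; a "delete" whose "add" is outside the tail window (like the Apr 9 lines) is reported separately rather than silently dropped.

```python
from datetime import datetime

# Constructed sample: four lines from the thread's Apr 15 block, plus one
# 'delete' whose 'add' fell outside the tail window (as with the Apr 9 lines).
SAMPLE_LOG = """\
Thu Apr  9 13:57:34 PDT 2015 /var/ossec/active-response/bin/host-deny.sh delete - 192.168.2.156 1428612423.40032 5551
Wed Apr 15 15:02:24 PDT 2015 /var/ossec/active-response/bin/host-deny.sh add - 192.168.2.183 1429135344.10642 5551
Wed Apr 15 15:02:24 PDT 2015 /var/ossec/active-response/bin/firewall-drop.sh add - 192.168.2.183 1429135344.10642 5551
Wed Apr 15 15:12:57 PDT 2015 /var/ossec/active-response/bin/host-deny.sh delete - 192.168.2.183 1429135344.10642 5551
Wed Apr 15 15:12:57 PDT 2015 /var/ossec/active-response/bin/firewall-drop.sh delete - 192.168.2.183 1429135344.10642 5551
"""

def parse_line(line):
    """One active-responses.log line -> dict, or None if the line does not fit.
    Layout: Day Mon DD HH:MM:SS TZ YYYY script action user ip alert_id rule_id."""
    p = line.split()
    if len(p) != 12 or p[7] not in ("add", "delete"):
        return None
    # The zone name p[4] is dropped; timestamps are compared as local time.
    when = datetime.strptime(" ".join(p[:4] + [p[5]]), "%a %b %d %H:%M:%S %Y")
    return {"time": when, "script": p[6].rsplit("/", 1)[-1], "action": p[7],
            "user": p[8], "ip": p[9], "alert_id": p[10], "rule_id": p[11]}

def pair_blocks(text):
    """Pair each 'add' with the later 'delete' for the same script, ip and alert id.
    Returns completed blocks (with duration), orphan deletes, and still-open adds."""
    open_blocks = {}
    out = {"blocks": [], "orphan_deletes": [], "still_blocked": []}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue          # skip anything that is not an AR record
        key = (rec["script"], rec["ip"], rec["alert_id"])
        if rec["action"] == "add":
            open_blocks[key] = rec
        elif key in open_blocks:
            start = open_blocks.pop(key)
            out["blocks"].append({"ip": rec["ip"], "script": rec["script"],
                                  "rule_id": rec["rule_id"], "started": start["time"],
                                  "seconds": int((rec["time"] - start["time"]).total_seconds())})
        else:
            out["orphan_deletes"].append(rec)   # add happened before this window
    out["still_blocked"] = list(open_blocks.values())
    return out

if __name__ == "__main__":
    result = pair_blocks(SAMPLE_LOG)
    for b in result["blocks"]:
        print(f'{b["ip"]} blocked by {b["script"]} (rule {b["rule_id"]}) for {b["seconds"]}s')
    for r in result["orphan_deletes"]:
        print(f'{r["ip"]}: delete at {r["time"]} with no matching add in this window')
    for r in result["still_blocked"]:
        print(f'{r["ip"]}: still blocked by {r["script"]} since {r["time"]}')
```

Run it against the real file with `pair_blocks(open("/var/ossec/logs/active-responses.log").read())`; an entry in `still_blocked` means the timeout has not released that host yet.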
