[ossec-list] Host-based anomaly detection event (rootcheck)

2020-03-16 Thread llehirgen
I use dokku on an Ubuntu 18.04 LTS machine.
I received the following alerts concerning files hidden in a long list of 
directories:

Rule: 510 fired (level 7) -> "Host-based anomaly detection event 
(rootcheck)."
Portion of the log(s):

Files hidden inside directory '/var/lib/docker/overlay2/c3ee7713915112e9bd1df6d423cc6e2dd35a6d1c9871daae8c53054c05408516/merged/usr/share/man'. Link count does not match number of files (26,1).

Then again:
Files hidden inside directory '/var/lib/docker/overlay2/c3ee7713915112e9bd1df6d423cc6e2dd35a6d1c9871daae8c53054c05408516/merged/usr/share/dpkg'. Link count does not match number of files (2,1).

And so on for a list of 104 directories, like '/var/lib/docker/overlay2/c3ee7713915112e9bd1df6d423cc6e2dd35a6d1c9871daae8c53054c05408516/merged/usr/sbin' or '/var/lib/docker/overlay2/c3ee7713915112e9bd1df6d423cc6e2dd35a6d1c9871daae8c53054c05408516/merged/usr/bin', etc.

How am I expected to interpret these alerts? What am I expected to do?


-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ossec-list/4a32402e-71c6-4b0c-92bb-3007b742ac19%40googlegroups.com.
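The two numbers in those messages can be reproduced and interpreted with the following added example (written here for illustration; it is neither OSSEC's rootcheck code nor anything from the post). It assumes that rootcheck's first number is '.' plus '..' plus one per subdirectory, the value ext4-style filesystems keep in a directory's link count, and that the second is st_nlink; the overlay2 layer id in the sample lines is a placeholder.

```python
import os
import re
import tempfile

# Alert text as quoted in the post, with the overlay2 layer id replaced by a
# placeholder (constructed sample input, not captured from a live agent).
SAMPLE_ALERTS = [
    "Files hidden inside directory '/var/lib/docker/overlay2/<layer-id>/merged/usr/share/man'. "
    "Link count does not match number of files (26,1).",
    "Files hidden inside directory '/var/lib/docker/overlay2/<layer-id>/merged/usr/share/dpkg'. "
    "Link count does not match number of files (2,1).",
]

ALERT_RE = re.compile(r"Files hidden inside directory '(?P<path>[^']+)'\. "
                      r"Link count does not match number of files "
                      r"\((?P<count>\d+),(?P<nlink>\d+)\)\.")

def parse_alert(text):
    """Return (path, entry_count, st_nlink) from one rootcheck message, or None."""
    m = ALERT_RE.search(text)
    return (m["path"], int(m["count"]), int(m["nlink"])) if m else None

def count_like_rootcheck(path):
    """'.' + '..' + one per subdirectory: the figure ext4-style filesystems keep
    in a directory's link count. Returned together with the real st_nlink."""
    entry_count = 2
    with os.scandir(path) as entries:
        entry_count += sum(1 for e in entries if e.is_dir(follow_symlinks=False))
    return entry_count, os.lstat(path).st_nlink

def classify(entry_count, nlink):
    """Interpret one (count,nlink) pair. Accepting nlink == count + 1 is an
    assumption made here, to absorb a subdirectory created during the scan."""
    if nlink in (entry_count, entry_count + 1):
        return "consistent"
    if nlink == 1:
        # overlayfs merged dirs (and btrfs) report st_nlink 1: no subdir count kept
        return "filesystem-does-not-track-subdir-links"
    if nlink > entry_count:
        return "more-links-than-visible-subdirs"   # the case worth a manual look
    return "fewer-links-than-visible-subdirs"

def triage(alerts):
    return {p: classify(c, n) for p, c, n in filter(None, map(parse_alert, alerts))}

def demo_on_tempdir():
    """Run the live check on a constructed tree: two subdirectories and one file."""
    with tempfile.TemporaryDirectory() as root:
        for sub in ("man1", "man8"):
            os.mkdir(os.path.join(root, sub))
        open(os.path.join(root, "index.db"), "w").close()
        return count_like_rootcheck(root)
```

Running `count_like_rootcheck` on one of the alerted `merged/` directories should show the same pair as the alert, which separates an overlayfs artefact from a directory whose link count really exceeds what is visible.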


[ossec-list] How to check new files added to the file system.

2020-01-17 Thread llehirgen
I recently made a local installation of Ossec on an Ubuntu 18.04 server and 
added a 554 rule in /var/ossec/rules/local_rules.xml as follows, as 
suggested in the Ossec documentation for alerting on new files:


<rule id="554" level="7" overwrite="yes">
  <category>ossec</category>
  <decoded_as>syscheck_new_entry</decoded_as>
  <description>File added to the system.</description>
  <group>syscheck,</group>
</rule>


Straight after Ossec started, I received an email from Ossec alerting me that 
new files had been added to the file system.
So my rule works.
Now, how can I check if these files were added by a legitimate system 
upgrade?

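One way to answer the question above on an Ubuntu host, as an added example that is not from the original post and not an OSSEC feature: look each path reported by the rule-554 alert up in dpkg's own file lists and checksums, so a file shipped and left intact by an installed package can be told apart from one that no package installed. The package name, paths and contents in the demo are constructed; against a real host, point it at `/var/lib/dpkg/info` with `root="/"`.

```python
import hashlib
import os
import tempfile

def load_dpkg_owners(info_dir):
    """Map absolute path -> (package, md5 or None) from dpkg's <pkg>.list and
    <pkg>.md5sums files (the real ones live under /var/lib/dpkg/info)."""
    owners = {}
    for name in sorted(os.listdir(info_dir)):        # .list sorts before .md5sums
        pkg, _, kind = name.rpartition(".")
        with open(os.path.join(info_dir, name), errors="replace") as fh:
            for line in fh:
                line = line.rstrip("\n")
                if kind == "list" and line:          # one absolute path per line
                    owners.setdefault(line, (pkg, None))
                elif kind == "md5sums":              # "<md5>  <path relative to />"
                    digest, _, rel = line.partition("  ")
                    if rel:
                        owners["/" + rel] = (pkg, digest)
    return owners

def check_new_file(path, owners, root="/"):
    """Classify one path from a syscheck_new_entry alert against dpkg's records."""
    if path not in owners:
        return "unowned"                      # no installed package ships it
    pkg, digest = owners[path]
    if digest is None:                        # directories and conffiles have no md5
        return f"owned-by-{pkg}-no-checksum"
    with open(os.path.join(root, path.lstrip("/")), "rb") as fh:
        actual = hashlib.md5(fh.read()).hexdigest()
    return f"owned-by-{pkg}-" + ("intact" if actual == digest else "modified")

def demo():
    """Constructed fake root and dpkg info dir (package name and contents made up)."""
    with tempfile.TemporaryDirectory() as tmp:
        root, info = os.path.join(tmp, "root"), os.path.join(tmp, "info")
        os.makedirs(os.path.join(root, "usr/bin")); os.makedirs(info)
        for rel, data in {"usr/bin/ls": b"ls binary", "usr/bin/tampered": b"changed",
                          "usr/bin/stray": b"nobody ships me"}.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        with open(os.path.join(info, "coreutils.list"), "w") as fh:
            fh.write("/.\n/usr\n/usr/bin\n/usr/bin/ls\n/usr/bin/tampered\n")
        with open(os.path.join(info, "coreutils.md5sums"), "w") as fh:
            fh.write(f"{hashlib.md5(b'ls binary').hexdigest()}  usr/bin/ls\n")
            fh.write(f"{hashlib.md5(b'original').hexdigest()}  usr/bin/tampered\n")
        owners = load_dpkg_owners(info)
        return {p: check_new_file(p, owners, root) for p in
                ("/usr/bin", "/usr/bin/ls", "/usr/bin/tampered", "/usr/bin/stray")}
```

An "unowned" result is not proof of tampering (locally built software and generated files are unowned too), but combined with the timestamps in /var/log/dpkg.log it narrows the new files down to the ones that need a closer look.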


[ossec-list] max ssh connection attempts

2019-11-05 Thread llehirgen
I installed OSSEC HIDS on an Ubuntu 18.04 LTS server in a VirtualBox virtual 
machine, for testing purposes.
After OSSEC I installed fail2ban and started to test it.
fail2ban is configured by me to ban an IP after 4 wrong login attempts 
via ssh.
So, I tried to ssh into my server from another virtual machine, and 
after 3 attempts (not 4) I was disconnected and apparently banned for about 
600 seconds.
Now I am wondering what could have happened.
It cannot be fail2ban that banned me, because fail2ban registered only 2 
attempts and did not ban me.
Is OSSEC perhaps configured by default to ban an IP after 3 wrong ssh 
login attempts?
I could not find documentation.
I noticed that fail2ban comes into play only if there is a long time between 
two failed ssh login attempts.




Re: [ossec-list] Is gmail silently dropping my OSSEC email alerts?

2019-09-27 Thread llehirgen
I tried with /usr/sbin/ssmtp as the smtp server but nothing changed; I 
am still not receiving alerts.



Re: [ossec-list] Is gmail silently dropping my OSSEC email alerts?

2019-09-27 Thread llehirgen


>
> It doesn't look like ssmtp is an actual daemon. So instead of using 
> '127.0.0.1' as the smtp server, you should probably use something like 
> '/usr/sbin/ssmtp' 
> I don't know what flags or anything you might need with it though, 
> I've never used it. 
>
I will try with /usr/sbin/ssmtp.
However I would like to point out that I received the first two 
notifications via email, so it does not look like a configuration issue.



Re: [ossec-list] Is gmail silently dropping my OSSEC email alerts?

2019-09-27 Thread llehirgen


On Friday, September 27, 2019 at 4:51:20 PM UTC+2, dan (ddpbsd) wrote:

>
> Is ssmtp listening on 127.0.0.1 port 25? 
>
>
I honestly do not know what port ssmtp is listening on.
I used sudo netstat -tulpn and got 5 program names: systemd-resolve, sshd, 
sshd, systemd-resolve, systemd-network.
I could not find documentation on which port ssmtp is listening.



[ossec-list] Is gmail silently dropping my OSSEC email alerts?

2019-09-27 Thread llehirgen

I am testing OSSEC HIDS in a virtual machine on an Ubuntu 18.04 server. 
First of all I installed and configured ssmtp as follows:


root=my...@gmail.com
mailhub=smtp.gmail.com:587
rewriteDomain=gmail.com
hostname=localhost
TLS_CA_FILE=/etc/ssl/certs/ca-certificates.crt
UseTLS=Yes
UseSTARTTLS=Yes
AuthUser=my...@gmail.com
AuthPass=password
AuthMethod=LOGIN
FromLineOverride=yes

Emails from the command line are sent and received; however, there are some 
issues with OSSEC email alerts. 
Below is part of /var/ossec/etc/ossec.conf:


<global>
  <email_notification>yes</email_notification>
  <email_to>my...@gmail.com</email_to>
  <smtp_server>127.0.0.1</smtp_server>
  <email_from>ossecm@myserver</email_from>
  1  <!-- the post shows only "1" here; the enclosing element name was lost -->
</global>


According to OSSEC's documentation the software should send an email at 
startup and when it stops. I received an email after the first startup, in 
the spam folder, probably because the email_from directive was set to an 
invalid email address. That email contained two notifications, one about 
"Partition usage reached 100% (disk space monitor)." and the other about 
OSSEC starting. So I told Gmail that it was not spam, changed the 
email_from directive to my...@gmail.com, stopped OSSEC and restarted it. 
Unfortunately that was the only alert I received. After that I stopped and 
started OSSEC several times without receiving any email alert. I do not 
understand why this happens: am I blackholed by Gmail? As I said, emails 
from the command line are received without issues. Would OSSEC receive the same 
treatment on a production server with a valid domain? 



[ossec-list] ssmtp, gmail and smtp server

2019-09-20 Thread llehirgen
I installed ssmtp on Ubuntu and configured it to use smtp.gmail.com on port 
587 as the mail server.
My intention is to send all local emails (OSSEC, rkhunter and fail2ban) to 
a gmail account.
What am I expected to write during installation when asked about the SMTP server?
What value do I have to use for the 'smtp_server' directive in ossec.conf?


