
I am new to ossec. I installed the server and wui on a dedicated machine. I have agents running on my zookeeper and kafka servers to start.

Below are events I am seeing. I assume they are automated bots.

10 - User missed the password more than one time
10 - Multiple SSHD authentication failures.
5 - SSHD authentication failed.

So... one IP address is 222.186.62.17

So... did OSSEC ban the IP address? Is there anything I have to do to enable OSSEC to ban 222.186.62.17? Or is it enabled by default?

What about port scanning e.g. those that use nmap? Will they be banned?

I am looking for what works out of the box for protection via active response.

Tampa


With OSSEC ver. 2.7.1, ossec.conf (by default located in /var/ossec/etc) contains the following active response configuration:

<!-- Active Response Config -->
<active-response>
  <!-- This response is going to execute the host-deny
     - command for every event that fires a rule with
     - level (severity) >= 6.
     - The IP is going to be blocked for  600 seconds.
     -->
  <command>host-deny</command>
  <location>local</location>
  <level>6</level>
  <timeout>600</timeout>
</active-response>

<active-response>
  <!-- Firewall Drop response. Block the IP for
     - 600 seconds on the firewall (iptables,
     - ipfilter, etc).
     -->
  <command>firewall-drop</command>
  <location>local</location>
  <level>6</level>
  <timeout>600</timeout>
</active-response>

So any active OSSEC rule that fires with both a severity >= 6 and successful identification of the source IP will trigger the temporary blocking of the IP address (600 seconds by default). This is assuming you answered yes to the following server installation question:

  • Do you want to enable active response? (y/n) [y]:

In ossec-local.conf, you can see the active command dependencies (i.e. "expect = srcip"):

<command>
  <name>host-deny</name>
  <executable>host-deny.sh</executable>
  <expect>srcip</expect>
  <timeout_allowed>yes</timeout_allowed>
</command>

<command>
  <name>firewall-drop</name>
  <executable>firewall-drop.sh</executable>
  <expect>srcip</expect>
  <timeout_allowed>yes</timeout_allowed>
</command>

In /var/ossec/rules/syslog_rules.xml, you can find the rule that generated the User missed the password more than one time alert:

<rule id="2502" level="10">
  <match>more authentication failures;|REPEATED login failures</match>
  <description>User missed the password more than one time</description>
  <group>authentication_failed,</group>
</rule>

The rule definition above has a level (i.e. severity) of 10, so that should trigger the temporary IP block.

In /var/ossec/rules/sshd_rules.xml, you can find the rule that generated the Multiple SSHD authentication failures alert:

<rule id="5720" level="10" frequency="6">
  <if_matched_sid>5716</if_matched_sid>
  <same_source_ip />
  <description>Multiple SSHD authentication failures.</description>
  <group>authentication_failures,</group>
</rule>

Again, the above rule definition specifies level 10, so that should trigger the temporary IP block.

In /var/ossec/rules/sshd_rules.xml, you can find the rule that generated the SSHD authentication failed alert:

<rule id="5716" level="5">
  <if_sid>5700</if_sid>
  <match>^Failed|^error: PAM: Authentication</match>
  <description>SSHD authentication failed.</description>
  <group>authentication_failed,</group>
</rule>

The above rule definition specifies level 5, so this rule would not trigger the temporary IP block.

Port scanning with nmap will result in a temporary IP block based on this OSSEC rule (i.e. 10 connection attempts within 90 seconds, level 10 alert):

<!-- Scan signatures -->
<group name="syslog,recon,">
  <rule id="40601" level="10" frequency="10" timeframe="90" ignore="90">
    <if_matched_group>connection_attempt</if_matched_group>
    <description>Network scan from same source ip.</description>
    <same_source_ip />
  </rule>
</group> <!-- SYSLOG,SCANS -->
Tate Hansen
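The decision logic the answer walks through (level >= 6 in the active-response block, a decoded srcip because both commands expect one, and the frequency correlation behind rule 5720) as an added, self-contained Python check. This is illustrative code written for this page, not part of OSSEC; the XML fragments are reassembled from the answer's snippets, the event list is constructed, and the correlation ignores the rule's timeframe for brevity.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed from the OSSEC 2.7.1 snippets quoted in the answer,
# wrapped in root elements so ElementTree can parse the fragments.
OSSEC_CONF = """<ossec_config>
<active-response><command>host-deny</command><location>local</location>
  <level>6</level><timeout>600</timeout></active-response>
<active-response><command>firewall-drop</command><location>local</location>
  <level>6</level><timeout>600</timeout></active-response>
</ossec_config>"""

RULES = """<group name="syslog,">
<rule id="2502" level="10"><description>User missed the password more than one time</description></rule>
<rule id="5720" level="10" frequency="6"><if_matched_sid>5716</if_matched_sid><same_source_ip /></rule>
<rule id="5716" level="5"><if_sid>5700</if_sid><description>SSHD authentication failed.</description></rule>
<rule id="40601" level="10" frequency="10" timeframe="90"><if_matched_group>connection_attempt</if_matched_group><same_source_ip /></rule>
</group>"""

def load_responses(conf_xml):
    """Return [(command, minimum level, timeout seconds)] per <active-response>."""
    root = ET.fromstring(conf_xml)
    return [(ar.findtext("command"), int(ar.findtext("level")), int(ar.findtext("timeout")))
            for ar in root.iter("active-response")]

def load_rules(rules_xml):
    """Index <rule> elements by their id attribute."""
    return {r.get("id"): r for r in ET.fromstring(rules_xml).iter("rule")}

def responses_for(rule_id, rules, responses, srcip_known=True):
    """Commands that fire for an alert from rule_id: the alert level must reach
    the response's <level>, and since both commands <expect>srcip</expect>,
    nothing fires when the decoder produced no source IP."""
    if not srcip_known:
        return []
    level = int(rules[rule_id].get("level"))
    return [cmd for cmd, min_level, _ in responses if level >= min_level]

def correlate(rule_id, rules, events):
    """Simulate a frequency rule with <if_matched_sid> and <same_source_ip />:
    count child-rule hits per source IP (events are (rule_id, srcip) tuples)
    and return the IPs that reach the parent's frequency. Timeframe is ignored."""
    rule = rules[rule_id]
    freq = int(rule.get("frequency"))
    child = rule.findtext("if_matched_sid")
    hits = Counter(ip for rid, ip in events if rid == child)
    return sorted(ip for ip, n in hits.items() if n >= freq)
```

Six level-5 hits of rule 5716 from one address roll up into a level-10 rule 5720 alert, which is what crosses the level-6 threshold and triggers both commands; a single 5716 alert on its own never does.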