Hi,
As I logged into the ASL dashboard, I noticed there was a large number of security events on our Plesk server - around 66 000.
I started black-listing some suspicious IPs, such as those that have been identified as frequent web attackers.
I was wondering whether there's a log file that contains records of all the security events as shown in the dashboard, because looking them up on the web interface isn't very easy or efficient.
I tried looking at audit_log, but when I did a line count with "wc -l", it only returned around 3000.
Also, do you have any good commands to run to make the suspicious IP identification easier? For example, a list of IPs that caused a security event, with each one's frequency in the log, perhaps.
Cheers,
Choji
ASL Security Events
-
- Atomicorp Staff - Site Admin
- Posts: 8355
- Joined: Wed Dec 31, 1969 8:00 pm
- Location: earth
- Contact:
Re: ASL Security Events
Not specifically, but a very long term repeat offender system is something we could use. The mysql db will store records for a fixed amount of time before archiving, and there are text logs under /var/ossec/logs as well.
I'd love to start seeing some user contributed modules being developed to handle things like that. If anyone ever needs some guidance on what to look for in the data fields, just ask here in the forums. It would be a great way to get some community collaboration going.
Example, someone sent a basic script for searching the mysql db for an IP from the command line:
http://www.atomicorp.com/contrib/aslsearch.php.gz
Re: ASL Security Events
Thanks,
I'll look into the mysql db, but here's a command I've discovered that might be useful
cat /directory/audit_log | cut -d'[' -f3 | sort | uniq -c | less
This command lists the IP addresses that were identified in audit_log and shows the number of occurrences.
cat opens the file
cut -d'[' -f3 trims the file so only the IP address is shown
uniq -c counts the entries and removes any duplicates
less allows you to scroll
This only shows the IP addresses and not their activities so you'll still need to check around.
Choji
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: ASL Security Events
Keep in mind that audit_log contains only the web events; it does not include any other events (brute force attacks, etc.)
Michael Shinn
Atomicorp - Security For Everyone
Re: ASL Security Events
Thanks,
It seems that
/var/ossec/logs/alerts/alerts.log
is the file that contains the security events that I've been looking for.
I've been using
cat /.../alerts.log | grep '^Src' | sort | uniq -c | less
to list the IPs and the frequency of security events associated with each.
I could then pick the most frequent IP, check who it is and blacklist as necessary.
Choji
Re: ASL Security Events
Sometimes the IPs seem to be something that's mapped to IPv6.
like ::ffff:xx:xx:xx:xx
I'm not sure how to block these...
For example, I've been getting something like:
Rule: 40111 (level 10) -> 'Multiple authentication failures.'
Oct 31 12:21:09 server imapd: LOGIN FAILED, ip=[::ffff:xx.xx.xx.xx]
Oct 31 12:21:09 server imapd: LOGIN FAILED, ip=[::ffff:xx.xx.xx.xx]
Oct 31 12:21:09 server imapd: LOGIN FAILED, ip=[::ffff:xx.xx.xx.xx]
Oct 31 12:21:05 server imapd: IMAP connect from @ [::ffff:xx.xx.xx.xx]checkmailpasswd: FAILED: bobby - short names not allowed from @ [::ffff:xx.xx.xx.xx]IMAP connect f xx.xx.xx.xx]checkmailpasswd: FAILED: bogus - short names not allowed from @ [::ffff:xx.xx.xx.xx]ERR: LOGIN FAILED, ip=[::ffff:xx.xx.xx.xx]
Should I just treat it as an IPv4 address and just blacklist that? Would this work?
asl -bl xx.xx.xx.xx
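The two questions in this thread (counting alerts per source IP from alerts.log, and what to do with IPv4-mapped addresses of the form ::ffff:a.b.c.d) can be handled in one small script. The following is an added example, not code from the thread or from Atomicorp. It assumes the standard OSSEC alerts.log layout in which each alert is a blank-line-separated block containing a "Rule: N (level L)" line and a "Src IP:" line; the sample log embedded below is constructed for the example and uses documentation address ranges. An address such as ::ffff:203.0.113.5 is an IPv4-mapped IPv6 address, and Python's ipaddress module exposes the embedded IPv4 address via ipv4_mapped, so the script collapses it to plain 203.0.113.5 before counting.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample in the alerts.log layout (one blank-line-separated block per
# alert). The addresses are documentation ranges, not real offenders.
SAMPLE_ALERTS = """\
** Alert 1320063669.12345: - syslog,access_control,authentication_failed,
2011 Oct 31 12:21:09 server->/var/log/maillog
Rule: 40111 (level 10) -> 'Multiple authentication failures.'
Src IP: ::ffff:203.0.113.5
Oct 31 12:21:09 server imapd: LOGIN FAILED, ip=[::ffff:203.0.113.5]

** Alert 1320063700.12346: - web,accesslog,attack,
2011 Oct 31 12:21:40 server->/var/log/httpd/access_log
Rule: 31101 (level 5) -> 'Web server 400 error code.'
Src IP: 203.0.113.5
203.0.113.5 - - [31/Oct/2011:12:21:40 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 -

** Alert 1320063710.12347: - syslog,sshd,authentication_failed,
2011 Oct 31 12:21:50 server->/var/log/secure
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 198.51.100.7
Oct 31 12:21:50 server sshd[2231]: Failed password for invalid user admin from 198.51.100.7 port 51122 ssh2

** Alert 1320063720.12348: - ossec,syscheck,
2011 Oct 31 12:22:00 server->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/hosts'
"""

RULE_RE = re.compile(r"^Rule: (\d+) \(level (\d+)\)", re.M)
SRC_RE = re.compile(r"^Src IP: (\S+)", re.M)


def normalize_ip(raw):
    """Return the canonical address string, collapsing an IPv4-mapped IPv6
    address (::ffff:a.b.c.d) to plain IPv4. Returns None for values that are
    not addresses at all, e.g. OSSEC's "(none)"."""
    try:
        addr = ipaddress.ip_address(raw.strip("[]"))
    except ValueError:
        return None
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return str(addr.ipv4_mapped)
    return str(addr)


def parse_alerts(text):
    """Yield (src_ip, rule_id, level) for each alert block that has a Src IP.
    Blocks without one (syscheck, rootcheck, ...) are skipped."""
    for block in text.split("** Alert")[1:]:
        rule = RULE_RE.search(block)
        src = SRC_RE.search(block)
        if not rule or not src:
            continue
        ip = normalize_ip(src.group(1))
        if ip is None:
            continue
        yield ip, int(rule.group(1)), int(rule.group(2))


def count_by_ip(text):
    """Return [(ip, alert_count, {rule ids})] sorted by count, highest first.
    The mapped and unmapped forms of the same IPv4 address land in one bucket."""
    counts = Counter()
    rules = defaultdict(set)
    for ip, rule_id, _level in parse_alerts(text):
        counts[ip] += 1
        rules[ip].add(rule_id)
    return [(ip, n, rules[ip]) for ip, n in counts.most_common()]


if __name__ == "__main__":
    import sys
    # Read a real alerts.log when a path is given, otherwise use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ALERTS
    for ip, n, rule_ids in count_by_ip(text):
        print(f"{n:6d}  {ip:15s}  rules={sorted(rule_ids)}")
```

Run it as `python3 count_alerts.py /var/ossec/logs/alerts/alerts.log` to get the same per-IP frequency table as the grep/sort/uniq pipeline, with the rule ids that fired alongside each count so you can see what kind of activity an address produced before deciding whether to blacklist it. Because the imapd alerts and the web alerts in the sample come from the same host in mapped and unmapped form, they are counted together, which the plain text pipeline would not do.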