ASL Security Events

Choji
Forum User
Posts: 28
Joined: Mon Sep 10, 2012 10:00 am
Location: United Kingdom

ASL Security Events

Unread post by Choji »

Hi,

As I logged into the ASL dashboard, I noticed there was a large number of security events on our Plesk server - around 66 000.
I started black-listing some suspicious IPs, such as those that have been identified as frequent web attackers.

I was wondering whether there's a log file that contains records of all the security events as shown in the dashboard, because looking them up on the web interface isn't very easy or efficient.

I tried looking at audit_log, but when I did a line count with "wc -l", it only returned around 3000.

Also, do you have any good commands to run to make the suspicious IP identification easier? For example, give a list of IPs that cause a security event with their frequency in the log, perhaps.

Cheers,

Choji
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth
Contact:

Re: ASL Security Events

Unread post by scott »

Not specifically, but a very long term repeat offender system is something we could use. The mysql db will store records for a fixed amount of time before archiving, and there are text logs under /var/ossec/logs as well.

I'd love to start seeing some user contributed modules being developed to handle things like that. If anyone ever needs some guidance on what to look for in the data fields, just ask here in the forums. It would be a great way to get some community collaboration going.

Example, someone sent a basic script for searching the mysql db for an IP from the command line:
http://www.atomicorp.com/contrib/aslsearch.php.gz
Choji
Forum User
Posts: 28
Joined: Mon Sep 10, 2012 10:00 am
Location: United Kingdom

Re: ASL Security Events

Unread post by Choji »

Thanks,

I'll look into the mysql db, but here's a command I've discovered that might be useful

cat /directory/audit_log | cut -d'[' -f3 | uniq -c | less

This command lists the IP addresses that were identified in audit_log and shows the number of occurrences.

cat opens the file
cut -d'[' -f3 trims the file so only the IP address is shown
uniq -c counts the entries and removes any duplicates
less allows you to scroll

This only shows the IP addresses and not their activities so you'll still need to check around.

Choji
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: ASL Security Events

Unread post by mikeshinn »

Keep in mind that audit_log is only the web events, that does not include any other events (brute force attacks, etc.)
Choji
Forum User
Posts: 28
Joined: Mon Sep 10, 2012 10:00 am
Location: United Kingdom

Re: ASL Security Events

Unread post by Choji »

Thanks,

It seems that
/var/ossec/logs/alerts/alerts.log
is the file that contains the security events that I've been looking for.

I've been using
cat /.../alerts.log | grep '^Src' | sort | uniq -c | less
to list the IPs and their frequency of security events associated with it.
I could then pick the most frequent IP, check who it is and blacklist as necessary.

Choji
Choji
Forum User
Posts: 28
Joined: Mon Sep 10, 2012 10:00 am
Location: United Kingdom

Re: ASL Security Events

Unread post by Choji »

Sometimes the IPs seem to be something that's mapped to IPv6.

like ::ffff:xx:xx:xx:xx

I'm not sure how to block these...

For example, I've been getting something like:
Rule: 40111 (level 10) -> 'Multiple authentication failures.'
Oct 31 12:21:09 server imapd: LOGIN FAILED, ip=[::ffff:xx.xx.xx.xx]
Oct 31 12:21:09 server imapd: LOGIN FAILED, ip=[::ffff:xx.xx.xx.xx]
Oct 31 12:21:09 server imapd: LOGIN FAILED, ip=[::ffff:xx.xx.xx.xx]
Oct 31 12:21:05 server imapd: IMAP connect from @ [::ffff:xx.xx.xx.xx]checkmailpasswd: FAILED: bobby - short names not allowed from @ [::ffff:xx.xx.xx.xx]IMAP connect f xx.xx.xx.xx]checkmailpasswd: FAILED: bogus - short names not allowed from @ [::ffff:xx.xx.xx.xx]ERR: LOGIN FAILED, ip=[::ffff:xx.xx.xx.xx]
Should I just treat it as an IPv4 address and just blacklist that?
asl -bl xx.xx.xx.xx
Would this work?
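The counting pipeline from the earlier post splits one attacker across two buckets when the same address shows up both as plain IPv4 and as an IPv4-mapped IPv6 address (::ffff:a.b.c.d). The script below is an added example, not code from the thread or from Atomicorp: it folds the mapped form back onto its IPv4 form before counting, so the frequency list reflects the real offenders. It assumes the OSSEC alerts.log "Src IP:" line format quoted above; the sample log is constructed.

```shell
#!/bin/sh
# Added example: count source IPs in an OSSEC alerts.log, folding
# IPv4-mapped IPv6 addresses (::ffff:a.b.c.d) onto their IPv4 form.
# Assumes "Src IP: <addr>" lines as in the alerts quoted in the thread.

# Constructed sample excerpt standing in for /var/ossec/logs/alerts/alerts.log
# (documentation ranges, not real attackers).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Rule: 40111 (level 10) -> 'Multiple authentication failures.'
Src IP: ::ffff:203.0.113.5
Oct 31 12:21:09 server imapd: LOGIN FAILED, ip=[::ffff:203.0.113.5]
Src IP: 203.0.113.5
Src IP: ::ffff:203.0.113.5
Src IP: 198.51.100.7
Src IP: ::ffff:198.51.100.7
Src IP: 192.0.2.9
EOF

# Print "count ip", most frequent first. The sed step strips the
# "Src IP: " prefix and then the "::ffff:" mapping prefix, so both
# spellings of one address land in the same uniq -c bucket.
top_src_ips() {
    grep '^Src IP: ' "$1" \
      | sed -E 's/^Src IP: *//; s/^::ffff:([0-9.]+)$/\1/' \
      | sort | uniq -c | sort -rn \
      | awk '{print $1, $2}'
}

# Usage: top_src_ips /var/ossec/logs/alerts/alerts.log | head
top_src_ips "$SAMPLE_LOG"
```

Pipe the output through head to see only the top offenders; each printed address is the plain IPv4 form, which is the value you would look up or act on.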