Slow SSH brute force rule not working

Support/Development for OSSEC
bradpwk
New Forum User
Posts: 1
Joined: Wed Nov 24, 2021 12:00 pm

Slow SSH brute force rule not working

Post by bradpwk »

Hi all,

OSSEC 3.6.0-12032
OS: Centos 7

I noticed that one of the servers that I manage always has a lot of failed SSH logins. I have the default SSH rules enabled, which work fine for most. On this particular server, I see that it gets these very slow brute force attacks: 1 request every 1 or 2 minutes from the same IP, and this is too slow for the rules to pick up.

So I created the following rule to try to address that.

Code:

  <rule id="100027" level="11" frequency="30" timeframe="14400">
    <if_matched_sid>5716</if_matched_sid>
    <same_source_ip />
    <description>Slow SSH Brute Force Attack.</description>
    <group>authentication_failures,</group>
  </rule>
So basically, this is a copy of rule 5720, which is triggered after 8 failed logins (rule 5716). I just changed it to look for 32 in a 4-hour window. But I noticed that it doesn't always trigger. Sometimes it does and sometimes it doesn't.

Looking into this more, I noticed that rule 5710 (invalid user) gets triggered a lot by these same bots. And I noticed that rule 5503 (PAM authentication failure) is triggered in almost all cases. So I changed it to match SID 5503 instead, which does appear to work a little better. But still, it's not triggering in all cases when it should.

I don't know if this is a bug or if I'm misunderstanding something about the way the rules trigger. I can say that when I run a test using ossec-logtest, it triggers every time on the 32nd time. So the test thinks it should work. And it does work sometimes. Here is a short analysis showing it working on an IP this morning.

Code:

# grep '186.209.71.244' /var/ossec/logs/alerts/alerts.log -B1|grep Rule|awk '{print $2}' |sort|uniq -c|sort -nr
     31 5503
     28 5710
     18 5716
      1 100027

# grep 'Src IP: 186.209.71.244' /var/ossec/logs/alerts/alerts.log -B2|grep 'Rule: 5503' -B1|head -1
2021 Nov 24 07:42:58 servername->/var/log/secure

# grep 'Src IP: 186.209.71.244' /var/ossec/logs/alerts/alerts.log -B2|grep 'Rule: 100027' -B1|tail -2|head -1
2021 Nov 24 08:35:26 servername->/var/log/secure
As you can see, that IP triggered rule 5503 31 times and then, on the 32nd time, it triggered the custom rule. Yay! It worked perfectly. Now let's look at one that also should have triggered it but didn't.

Code:

# grep '91.183.81.82' /var/ossec/logs/alerts/alerts.log -B1|grep Rule|awk '{print $2}' |sort|uniq -c|sort -nr
     40 5710
     38 5503
     18 5716

# grep 'Src IP: 91.183.81.82' /var/ossec/logs/alerts/alerts.log -B2|grep 'Rule: 5503' -B1|head -1
2021 Nov 24 00:02:15 servername->/var/log/secure

# grep 'Src IP: 91.183.81.82' /var/ossec/logs/alerts/alerts.log -B2|grep 'Rule: 5503' -B1|tail -2|head -1
2021 Nov 24 03:16:50 servername->/var/log/secure
You can see that this one triggered rule 5503 38 times in less than a 4-hour window, but it did not trigger the custom rule and thus was not blocked at all.

At this point, I'm kind of stumped. It appears that I've set up everything correctly, but it's still not working the way it is supposed to. Does anyone have any idea what I need to do to fix that?

And of course, if you need any info just let me know.

Thanks!
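As an added check, not part of the post or of OSSEC itself: this Python script replays alerts.log entries in the layout shown above through a sliding-window approximation of OSSEC's frequency/timeframe matching, so the log alone tells you whether 32 matches of rule 5503 from one source IP ever fell inside a 4-hour window. The frequency + 2 offset follows the OSSEC rules documentation; the sample alerts and addresses are constructed, not real log data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

BASE_SID = "5503"    # rule chained on via <if_matched_sid> in rule 100027
FREQUENCY = 30       # frequency="30"; OSSEC fires on the (frequency + 2)th match
TIMEFRAME = 14400    # timeframe="14400" seconds (4 hours)
NEEDED = FREQUENCY + 2

ALERT_RE = re.compile(   # one alerts.log block: timestamp line, "Rule:" line, "Src IP:" line
    r"^(\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+\nRule: (\d+) .*\nSrc IP: (\S+)",
    re.MULTILINE)

def parse_alerts(text):
    """Return {src_ip: [datetime, ...]} for every alert that fired as BASE_SID."""
    hits = defaultdict(list)
    for ts, sid, ip in ALERT_RE.findall(text):
        if sid == BASE_SID:
            hits[ip].append(datetime.strptime(ts, "%Y %b %d %H:%M:%S"))
    return hits

def should_fire(times, needed=NEEDED, timeframe=TIMEFRAME):
    """First time at which `needed` hits fall within `timeframe` seconds, else None."""
    times = sorted(times)
    window = timedelta(seconds=timeframe)
    start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:   # slide: drop hits older than the window
            start += 1
        if end - start + 1 >= needed:
            return t
    return None

def make_alerts(ip, first, count, gap_seconds, sid=BASE_SID):
    """Constructed alerts.log blocks for testing (not real log data)."""
    blocks = []
    for i in range(count):
        t = first + timedelta(seconds=i * gap_seconds)
        blocks.append(f"** Alert 0.{i}: - syslog,authentication_failed,\n"
                      f"{t:%Y %b %d %H:%M:%S} servername->/var/log/secure\n"
                      f"Rule: {sid} (level 5) -> 'User login failed.'\n"
                      f"Src IP: {ip}\n")
    return "\n".join(blocks)
# Constructed sample (documentation-range addresses): only the first IP should fire.
SAMPLE_LOG = "\n".join([
    make_alerts("203.0.113.10", datetime(2021, 11, 24, 7, 0), 32, 90),   # 32 hits in 46 min
    make_alerts("203.0.113.20", datetime(2021, 11, 24, 0, 0), 31, 120),  # only 31 hits
    make_alerts("203.0.113.30", datetime(2021, 11, 24, 0, 0), 40, 600),  # 40 hits, 25 per 4 h
])
```

Run it against a real alerts.log with `parse_alerts(open("/var/ossec/logs/alerts/alerts.log").read())` and call `should_fire` per IP: a source that returns a time there but never produced a 100027 alert is the case worth comparing against ossec-logtest.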