Is it possible to add exclusions for specific hosts/agents
Posted: Fri May 07, 2021 8:41 am
Hi,
We are piloting an OSSEC install; we have a server set up with several agents in place. We are trying to filter out the "white noise" to get it down to a normal state.
All these servers are Linux hosts running SSH; however, only one of them is publicly accessible.
I'd like to add an exclusion rule for this and a few others, but only on this one host. This is completely normal and expected; we do have fail2ban installed as well on all hosts to block after a number of failed attempts.
We will of course be investigating a way to have OSSEC warn of successes, which is actually more concerning.
Received From: (hostname) 1.2.3.4 ->/var/log/secure
Rule: 2502 fired (level 10) -> "User missed the password more than one time"
Src IP: 221.181.185.19
User: root
Portion of the log(s):
May 7 05:24:12 hostname sshd[31009]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.181.185.19 user=root
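One way to get what the post asks for, as an added example rather than anything from the original thread or from the OSSEC project itself: an override in OSSEC's local_rules.xml that matches rule 2502 only when the alert comes from the one public-facing agent and drops it to level 0 (no alert, no email, no active response), while leaving 2502 untouched on every other host. The agent name `publichost` and the local rule IDs 100010 and 100011 are assumptions; substitute the name shown in your own "Received From:" header and any free IDs in the 100000-119999 range reserved for local rules. The `<hostname>` field is matched against the name of the agent that sent the log (it is a regex, so `host1|host2` covers several). The second rule is the follow-up the post mentions: raising the level of OSSEC's stock sshd-success rule 5715 on that same host so that a successful login from the Internet-facing box stands out.

```xml
<!-- Added example for /var/ossec/rules/local_rules.xml (not from the original post).
     Assumes the public agent is registered as "publichost" and that rule IDs
     100010 and 100011 are unused in the local range (100000-119999). -->
<group name="local,syslog,sshd,">

  <!-- Silence "User missed the password more than one time" (2502) on the
       public host only. A child rule with if_sid overrides the parent alert
       when its extra conditions match; on every other agent the <hostname>
       check fails, the override does not fire, and 2502 alerts as before.
       Note: level 0 also removes the event from email and active-response
       paths, so fail2ban on the host remains the only automated blocker. -->
  <rule id="100010" level="0">
    <if_sid>2502</if_sid>
    <hostname>publichost</hostname>
    <description>Expected SSH password brute force noise on public host; ignored.</description>
  </rule>

  <!-- Raise the priority of a successful SSH login (stock rule 5715,
       "SSHD authentication success") on the same host. Level 12 is above the
       default email threshold, so these get mailed while the failures do not. -->
  <rule id="100011" level="12">
    <if_sid>5715</if_sid>
    <hostname>publichost</hostname>
    <description>Successful SSH login on Internet-facing host; review.</description>
  </rule>

</group>
```

After editing the file, check the rule set parses and the override behaves as intended before restarting: `/var/ossec/bin/ossec-logtest` reads a pasted log line from stdin and prints which rule would fire, so feeding it the `PAM 2 more authentication failures` line from the alert above should report rule 100010 at level 0 when the location is set to the public agent, and rule 2502 at level 10 otherwise. Then restart with `/var/ossec/bin/ossec-control restart`. If 2502 keeps alerting from the public host, the most common cause is that the `<hostname>` value does not exactly match the agent name in the "Received From:" header.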