OSSEC 3.6.0-12032
OS: Centos 7
I noticed that one of the servers I manage always has a lot of failed SSH logins. I have the default SSH rules enabled, which work fine for most of them. On this particular server, I see that it gets these very slow brute force attacks: one request every 1 or 2 minutes from the same IP, and this is too slow for the rules to pick up.
So I created the following rule to try to address that.
```xml
<rule id="100027" level="11" frequency="30" timeframe="14400">
  <if_matched_sid>5716</if_matched_sid>
  <same_source_ip />
  <description>Slow SSH Brute Force Attack.</description>
  <group>authentication_failures,</group>
</rule>
```
Looking into this more, I noticed that rule 5710 (invalid user) gets triggered a lot by these same bots. And I noticed that rule 5503 (PAM authentication failure) is triggered in almost all cases. So I changed it to match SID 5503 instead which does appear to work a little better. But still it's not triggering in all cases when it should.
I don't know if this is a bug or if I'm misunderstanding something about the way the rules trigger. I can say that when I run a test using ossec-logtest, it triggers every time on the 32nd time. So the test thinks it should work. And it does work sometimes. Here is a short analysis showing it working on an IP this morning.
```
# grep '186.209.71.244' /var/ossec/logs/alerts/alerts.log -B1|grep Rule|awk '{print $2}' |sort|uniq -c|sort -nr
31 5503
28 5710
18 5716
1 100027
# grep 'Src IP: 186.209.71.244' /var/ossec/logs/alerts/alerts.log -B2|grep 'Rule: 5503' -B1|head -1
2021 Nov 24 07:42:58 servername->/var/log/secure
# grep 'Src IP: 186.209.71.244' /var/ossec/logs/alerts/alerts.log -B2|grep 'Rule: 100027' -B1|tail -2|head -1
2021 Nov 24 08:35:26 servername->/var/log/secure
```
```
# grep '91.183.81.82' /var/ossec/logs/alerts/alerts.log -B1|grep Rule|awk '{print $2}' |sort|uniq -c|sort -nr
40 5710
38 5503
18 5716
# grep 'Src IP: 91.183.81.82' /var/ossec/logs/alerts/alerts.log -B2|grep 'Rule: 5503' -B1|head -1
2021 Nov 24 00:02:15 servername->/var/log/secure
# grep 'Src IP: 91.183.81.82' /var/ossec/logs/alerts/alerts.log -B2|grep 'Rule: 5503' -B1|tail -2|head -1
2021 Nov 24 03:16:50 servername->/var/log/secure
```
At this point, I'm kind of stumped. It appears that I've set up everything correctly but it's still not working the way it is supposed to. Does anyone have any idea what I need to do to fix that?
And of course, if you need any info just let me know.
Thanks!
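The following script is an added example, not code from the post above or from the OSSEC project. It replays alerts.log-style records through a sliding window that mimics `frequency`/`timeframe` with `if_matched_sid` and `same_source_ip`, so the counts a rule like 100027 would see for a given SID can be checked offline, and it reproduces the per-IP `grep | uniq -c` totals from the post. Assumptions: the record layout is the one the post's greps rely on (timestamp line, then `Rule: <sid> ...`, then `Src IP: <ip>`); the firing threshold defaults to `frequency + 2` because the poster observed ossec-logtest firing a `frequency="30"` rule on the 32nd event; the window is reset after the composite rule fires; the source addresses and event timings are constructed and use TEST-NET ranges.

```python
"""Replay OSSEC alerts.log records through a frequency/timeframe counter.

Added example (not OSSEC's own code). Parses the alert record layout the
grep commands in the post rely on and re-implements a same_source_ip
sliding window so rule counts can be checked offline.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

TS_RE = re.compile(r"^(\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+->")
RULE_RE = re.compile(r"^Rule: (\d+) ")
SRC_RE = re.compile(r"^Src IP: (\S+)")


def parse_alerts(text):
    """Return a time-sorted list of (timestamp, rule_id, src_ip), one per alert record."""
    events = []
    ts = rule = ip = None
    for line in text.splitlines() + ["** Alert end"]:  # sentinel flushes the last record
        if line.startswith("** Alert"):
            if ts is not None and rule is not None and ip is not None:
                events.append((ts, rule, ip))
            ts = rule = ip = None
            continue
        m = TS_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y %b %d %H:%M:%S")
            continue
        m = RULE_RE.match(line)
        if m:
            rule = int(m.group(1))
            continue
        m = SRC_RE.match(line)
        if m:
            ip = m.group(1)
    events.sort()
    return events


def rule_counts(events):
    """Totals per (src_ip, rule_id): the same numbers as the post's grep | uniq -c."""
    return Counter((ip, rule) for _, rule, ip in events)


def find_triggers(events, sid, frequency, timeframe, events_needed=None):
    """Simulate <if_matched_sid>sid</if_matched_sid> plus <same_source_ip/>.

    Returns [(src_ip, fire_time, events_in_window), ...]. The poster saw
    ossec-logtest fire a frequency="30" rule on the 32nd event, so the
    default threshold is frequency + 2; pass events_needed to override it.
    """
    if events_needed is None:
        events_needed = frequency + 2
    window = defaultdict(deque)  # src_ip -> timestamps of matching events inside timeframe
    fired = []
    for ts, rule, ip in events:
        if rule != sid:
            continue
        q = window[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > timeframe:  # drop events older than timeframe
            q.popleft()
        if len(q) >= events_needed:
            fired.append((ip, ts, len(q)))
            q.clear()  # assumption: counting restarts after the composite rule fires
    return fired


def make_alert(ts, rule, ip):
    """Constructed alerts.log-style record in the layout the post's greps expect."""
    return (
        f"** Alert {int(ts.timestamp())}.0: - syslog,sshd,authentication_failed,\n"
        f"{ts.strftime('%Y %b %d %H:%M:%S')} servername->/var/log/secure\n"
        f"Rule: {rule} (level 5) -> 'constructed sample'\n"
        f"Src IP: {ip}\n"
        f"User: root\n\n"
    )


START = datetime(2021, 11, 24, 0, 0, 0)
_records = []
# Constructed bot A: one attempt every 100 s for 35 attempts; every attempt
# produces 5503 (PAM failure) but only every other one also produces 5716.
for i in range(35):
    t = START + timedelta(seconds=100 * i)
    _records.append(make_alert(t, 5503, "192.0.2.10"))
    if i % 2 == 0:
        _records.append(make_alert(t, 5716, "192.0.2.10"))
# Constructed bot B: 40 attempts, but only one every 20 minutes, so at most
# 13 of them ever share one 14400 s window.
for i in range(40):
    _records.append(make_alert(START + timedelta(minutes=20 * i), 5503, "198.51.100.7"))
SAMPLE_LOG = "".join(_records)

if __name__ == "__main__":
    evs = parse_alerts(SAMPLE_LOG)
    for (ip, rule), n in sorted(rule_counts(evs).items()):
        print(f"{ip:15} rule {rule}: {n}")
    for sid in (5716, 5503):
        print(f"matching {sid}:", find_triggers(evs, sid, 30, 14400))
```

Run against a real alerts.log (`parse_alerts(open('/var/ossec/logs/alerts/alerts.log').read())`) the output shows, per SID, whether enough events from one address ever fall inside a single timeframe: in the constructed data the 5503 count crosses the threshold while the 5716 count for the same bot never does, which is the gap between matching on 5716 and on 5503 that the post describes.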