HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials


adrenalinic 25th November 2008 01:55

Ossec - log ssh brute force attack NOT WORK!
 
Hello everybody!
(HowtoForge is my 1st forum website! - A beautiful community!)

The problem!
On my local VPS I have a problem with the logging and notification of SSH brute force attacks by the OSSEC monitor.

At first there was a problem, a bug, with the bad ownership of btmp that created a strange log report about login failure:

sshd[9595]: Excess permission or bad ownership on file /var/log/btmp

Afterwards I "solved" it by changing the permissions and ownership of the btmp file,

chmod 600 /var/log/btmp

but now, when there is a login failure, only from an unknown user of the system, there is no log of the failed login, and obviously OSSEC doesn't notify me of an event that does not exist!

If a known user performs a bad login, the system correctly notifies me of the login failure.

I have tested this with a simulation of an SSH brute force attack.

:confused:

If anyone has any idea, I will be happy!

Thanks!
Regards,
Josef.

falko 25th November 2008 18:10

Did you check all log files?

adrenalinic 25th November 2008 18:18

Oh yes, I can check all,
and OSSEC notifies me of all logged alerts.

("I have checked, there is no rootkit or suspicious connection or listening process" ;) )

I have also verified that the ssh chroot environment uses another openssl & ssh-chroot version, in a different directory path from the default ssh configuration.

thanks.

falko 26th November 2008 15:06

When you try to log in with an unknown user, there's absolutely nothing in the logs? :confused:


All times are GMT +2.