25th November 2008, 00:55
adrenalinic
Ossec - log ssh brute force attack NOT WORK!

Hello everybody!
(Howtoforge is my 1st forum website! - A beautiful community!)

The problem!
On my local VPS I have a problem with the logging and notification of SSH brute force attacks by the OSSEC monitor.

At first there was a problem, a bug, with the bad ownership of btmp that created a strange log report about login failures:

sshd[9595]: Excess permission or bad ownership on file /var/log/btmp

Afterwards I "solved" it by changing the permissions and ownership of the btmp file,

chmod 600 /var/log/btmp

but now, when there is a login failure, only from a user unknown to the system, there is no log of the failed login, and obviously OSSEC doesn't notify me of an event that does not exist!

If a known user performs a bad login, the system correctly notifies me of the failed login.

I have tested this with a simulated SSH brute force attack.



If anyone has any idea, I will be happy!

Thanks!
Regards,
Josef.

Last edited by adrenalinic; 25th November 2008 at 01:01.