HowtoForge Forums > Linux Forums > Server Operation

#1 - 25th November 2008, 00:55 - adrenalinic (Senior Member)

OSSEC - logging of SSH brute force attacks does NOT WORK!

Hello to everybody!
(Howtoforge is my first forum website! - A beautiful community!)

The problem!
On my local VPS I have a problem with the logging and notification of SSH brute force attacks by the OSSEC monitor.

At first there was a problem, a bug, with bad ownership of btmp that created a strange log report about login failures:

sshd[9595]: Excess permission or bad ownership on file /var/log/btmp

I "solved" this by changing the permissions and ownership of the btmp file,

chmod 600 /var/log/btmp

but now, when there is a login failure, only for an unknown user of the system, there is no log of the failed login, and obviously OSSEC doesn't notify me of an event that does not exist!

If a known user performs a bad login, the system notifies me of the failed login correctly.

I have tested this with a simulated SSH brute force attack.

If anyone has an idea, I will be happy!

Thanks!
Regards,
Josef.

Last edited by adrenalinic; 25th November 2008 at 01:01.
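As an added illustration, not code from the thread or from OSSEC, here is the kind of matching OSSEC's sshd rules do, written as a small Python parser over constructed sshd log lines: it counts failures per source address separately for known and unknown ("invalid") users and raises a brute-force flag at a threshold, so a gap like the one described above shows up as an invalid-user count that never rises. The sample lines, the host name and the addresses are made up; the btmp warning line is the one quoted in the post.

```python
import re
from collections import defaultdict

# Constructed sshd syslog lines (not from the thread): a known-user failure,
# unknown ("invalid") user failures, a success, and the btmp warning quoted above.
SAMPLE_LOG = """\
Nov 25 00:40:01 vps sshd[9595]: Failed password for root from 203.0.113.7 port 4022 ssh2
Nov 25 00:40:03 vps sshd[9596]: Invalid user admin from 203.0.113.7
Nov 25 00:40:03 vps sshd[9596]: Failed password for invalid user admin from 203.0.113.7 port 4023 ssh2
Nov 25 00:40:05 vps sshd[9598]: Failed password for invalid user test from 203.0.113.7 port 4024 ssh2
Nov 25 00:40:09 vps sshd[9599]: Accepted publickey for josef from 198.51.100.5 port 5001 ssh2
Nov 25 00:40:10 vps sshd[9600]: Excess permission or bad ownership on file /var/log/btmp
"""

# A failed attempt is counted once, on its "Failed password" line; the separate
# "Invalid user" notice and successful logins are deliberately ignored.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
BTMP_WARN = re.compile(r"Excess permission or bad ownership on file (?P<path>\S+)")


def parse_sshd_log(text):
    """Return (kind, user_or_path, ip) events; kind is known_fail, invalid_fail or btmp_warning."""
    events = []
    for line in text.splitlines():
        m = FAILED.search(line)
        if m:
            kind = "invalid_fail" if m.group("invalid") else "known_fail"
            events.append((kind, m.group("user"), m.group("ip")))
            continue
        m = BTMP_WARN.search(line)
        if m:
            events.append(("btmp_warning", m.group("path"), None))
    return events


def summarize(events, threshold=3):
    """Per-source failure counts; brute_force is set once one address reaches `threshold`."""
    per_ip = defaultdict(lambda: {"known_fail": 0, "invalid_fail": 0})
    warnings = []
    for kind, name, ip in events:
        if kind == "btmp_warning":
            warnings.append(name)
        else:
            per_ip[ip][kind] += 1
    sources = {ip: dict(c, brute_force=c["known_fail"] + c["invalid_fail"] >= threshold)
               for ip, c in per_ip.items()}
    return {"sources": sources, "btmp_warnings": warnings}
```

Running `summarize(parse_sshd_log(SAMPLE_LOG))` on the sample gives one source with one known-user and two invalid-user failures, flagged as brute force, plus the btmp warning; on a log with the gap from the post, the invalid_fail count stays at zero even while the attempts continue.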
#2 - 25th November 2008, 17:10 - falko (Super Moderator)
Did you check all log files?
Falko

#3 - 25th November 2008, 17:18 - adrenalinic (Senior Member)

Oh yes, I can check them all,
and OSSEC notifies me of all logged alerts.

("I have checked, there are no rootkits or suspicious connections or listening processes")

I have also verified that the ssh chroot environment uses another openssl & ssh-chroot version in a path other than the default ssh configuration directory.

Thanks.

Last edited by adrenalinic; 25th November 2008 at 17:27.
#4 - 26th November 2008, 14:06 - falko (Super Moderator)
When you try to log in with an unknown user, there's absolutely nothing in the logs?
Falko