Ossec - log ssh brute force attack NOT WORK!

Discussion in 'Server Operation' started by adrenalinic, Nov 25, 2008.

  1. adrenalinic

    adrenalinic New Member HowtoForge Supporter

    Hello to heverybody!
    (Howtoforge is the 1st my forum website! - A beautiful community!)

    The problem!
    On the my local vps i have a problem about the log and notification with OSSECC monitor of SSH brute force attack.

    In the first time, there was a problem , a bug, with the bad ownership of btmp that create a strange log report about login failure

    sshd[9595]: Excess permission or bad ownership on file /var/log/btmp

    After i have "solved" with the change of permissions and ownership of btmp file,

    chmod 600 /var/log/btmp

    but now, when there is a login failure, only from unknow user of the system, there is not any log of the failure login and obviously OSSECC dont notify me an event that not exist!

    If a know user perform a bad login the system notify correctly the failure login.

    I have tested this, with a simulation of ssh bruteforce attack.

    :confused:

    If there is any idea, i will be happy!

    Thanks!
    Regards,
    Josef.
     
    Last edited: Nov 25, 2008
  2. falko

    falko Super Moderator ISPConfig Developer

    Did you check all log files?
     
  3. adrenalinic

    adrenalinic New Member HowtoForge Supporter

    oh yes i can check all,
    and ossec notify me all alerts logged.


    ("i have checked, there are not rootkit or suspicios connection or listening process" ;) )


    I have been verified also ..that the ssh chroot enviroment, use another openssl & ssh-chroot version in other path directory of default ssh configuration.

    thanks.
     
    Last edited: Nov 25, 2008
  4. falko

    falko Super Moderator ISPConfig Developer

    When you to log in with an unknown user, there's absolutely nothing in the logs? :confused:
     

Share This Page