SSH Brute Force Attacks and Alerting


Ben Ruset

May 2, 2007, 2:42:45 PM5/2/07
to ossec...@ossec.net
Please forgive me in advance if this is too much of a newbie question.

I have OSSEC configured with four agents and a server. I am getting
bombarded with alerts about ssh brute force attacks. I'm pretty sure
that any host connected to the internet that runs some form of ssh
daemon gets brute force attempts all the time, and as such I am not
terribly concerned.

What I'm finding, though, is that it's hard to deal with legitimate
alerts when there are so many alerts generated for attempted ssh logins.

My config has this:

<alerts>
  <log_alert_level>1</log_alert_level>
  <email_alert_level>7</email_alert_level>
</alerts>

which I presume to be "don't email me about events >7." Well, all of my
ssh alerts register at level 10.

Ideally, I'd only like to get alerts from when someone logs into the
system (these aren't shell boxes for people, so it's semi unusual for
people to log into them) or alerted based on brute force + successful
login as seen here: (http://www.ossec.net/en/loganalysis.html#auth4)

Do I have a flawed understanding of how the rule alerting works? Is
there something I need to configure specifically to change OSSEC's sshd
rules to only alert me on login and/or on brute force + successful login?

Thanks,

-ben

Tommy May

May 2, 2007, 3:01:32 PM5/2/07
to ossec...@googlegroups.com, ossec...@ossec.net, Ben Ruset
This was very helpful to me....(thanks to Daniel Cid)

http://www.ossec.net/wiki/index.php/Know_How:Ignore_Rules

This isn't just to ignore rules...this also tells you that you can ignore all rules "unless it matches a very specific pattern".

Hope this is helpful.

Tommy

Ben Ruset

May 2, 2007, 9:03:34 PM5/2/07
to ossec...@googlegroups.com, ossec...@ossec.net
Well, am I right in assuming that the config should stop all rules
greater than level 7 from being emailed?

Is rule level 1 more severe than rule level 16?

Thanks,
-ben

Daniel Cid

May 2, 2007, 10:11:39 PM5/2/07
to ossec...@googlegroups.com, Ben Ruset
Hi Ben,

On ossec, level 1 is the least severe and level 15 the highest one. Basically,
in your configuration you are alerting on everything higher and equal
to level 7.

If you don't want to receive e-mail alerts from these rules, you have
three options:

- Reduce the level from them (see link that Tommy suggested).
- Set no_email_alert option on the rule*.
- Increase the e-mail alerting level (to 11 or higher).

*http://www.ossec.net/en/manual.html#rules

Example of setting the no_email_alert option:

<rule id="5712" level="10" frequency="6" timeframe="120" ignore="60">
  <if_matched_sid>5710</if_matched_sid>
  <description>SSHD brute force trying to get access to </description>
  <description>the system.</description>
  <options>no_email_alert</options>
  <group>authentication_failures,</group>
</rule>

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net
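As an added illustration (not code from the thread or from OSSEC), the Python model below replays Daniel's three options and Ben's "brute force + successful login" goal over constructed sshd log lines: rule ids 5710/5712, the frequency/timeframe/ignore values and the email_alert_level of 7 come from the thread, while the level 5 for 5710, the composite rule name BF_THEN_LOGIN with level 12, and the log lines are assumptions.

```python
import re
from collections import defaultdict, deque

# Thresholds copied from rule 5712 in the thread: six rule-5710 matches within
# 120 seconds, then suppress the alert for 60 seconds (the ignore attribute).
FREQUENCY, TIMEFRAME, IGNORE = 6, 120, 60
FAILED = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+)")
ACCEPTED = re.compile(r"Accepted (?:password|publickey) for \S+ from (\S+)")

# Constructed sample log as (epoch seconds, sshd message); not from the thread.
SAMPLE_LOG = [(t, "Failed password for invalid user admin from 203.0.113.5 port 4000 ssh2")
              for t in range(0, 70, 10)]                    # 7 failures, 10 s apart
SAMPLE_LOG += [(20, "Failed password for root from 198.51.100.9 port 5001 ssh2"),
               (30, "Failed password for root from 198.51.100.9 port 5002 ssh2"),
               (75, "Accepted password for deploy from 203.0.113.5 port 4010 ssh2")]

def correlate(events, email_alert_level=7, no_email=frozenset({5712})):
    """Simplified model of OSSEC's frequency/timeframe/ignore attributes (this is
    not OSSEC's own engine). Every failed password counts as a 5710 match (assumed
    level 5); 5712 fires on FREQUENCY matches from one source within TIMEFRAME;
    a hypothetical composite rule 'BF_THEN_LOGIN' (assumed level 12) fires when
    that same source later logs in. Returns (ts, rule, level, srcip, emailed).
    """
    recent = defaultdict(deque)  # srcip -> timestamps of recent 5710 matches
    last_fired = {}              # srcip -> last time 5712 fired (ignore window)
    alerts = []

    def emit(ts, rule, level, ip):
        emailed = level >= email_alert_level and rule not in no_email
        alerts.append((ts, rule, level, ip, emailed))

    for ts, line in sorted(events):
        if m := FAILED.search(line):
            ip = m.group(1)
            emit(ts, 5710, 5, ip)
            window = recent[ip]
            window.append(ts)
            while ts - window[0] > TIMEFRAME:   # drop matches older than the timeframe
                window.popleft()
            suppressed = ip in last_fired and ts - last_fired[ip] <= IGNORE
            if len(window) >= FREQUENCY and not suppressed:
                last_fired[ip] = ts
                emit(ts, 5712, 10, ip)
        elif (m := ACCEPTED.search(line)) and m.group(1) in last_fired:
            emit(ts, "BF_THEN_LOGIN", 12, m.group(1))
    return alerts

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert)
```

With the defaults only the composite alert is emailed; passing `no_email=frozenset()` shows 5712 being emailed again, and `email_alert_level=11` silences it by threshold instead.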
