Host blocked after one failed SSH attempt


Ric Woodard

Dec 10, 2014, 4:53:29 PM
to securit...@googlegroups.com
I haven't installed any other packages outside of what is shipped with SO and after one failed SSH login attempt, the host is added to hosts.deny and iptables -L -n shows the IP address and indicates that all traffic is to be dropped for that host.

I'm aware of fail2ban and DenyHosts but neither is installed. I'm not really sure what is causing this and it occurs even if I disable ufw altogether so I don't believe it is ufw/iptables.

When ufw is not active, nothing shows up when iptables -L -n is run until a failed login and then it only shows that host for a period of time. Is there a script that I'm not aware of that would be monitoring /var/log/secure for failed attempts?

Doug Burks

Dec 10, 2014, 4:56:14 PM
to securit...@googlegroups.com
Hi Ric,

It's most likely OSSEC Active Response. To avoid being blocked, you
can add your workstation's IP address to OSSEC's whitelist in
/var/ossec/etc/ossec.conf:
http://ossec-docs.readthedocs.org/en/latest/syntax/head_ossec_config.global.html#element-white_list
--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com
Last day to register for 3-Day Training Class in Augusta GA is 12/11!

Ric Woodard

Dec 10, 2014, 5:05:19 PM
to securit...@googlegroups.com
Thanks, that was it. You can see the shell scripts that it launches from /var/ossec/active-response/bin/ in the .conf file. I'll have to adjust it so it doesn't lock out after one attempt.

Thanks again
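An added illustration, not code from the thread or from the Security Onion or OSSEC projects, showing the two ossec.conf changes discussed above in one fragment: Doug's whitelist of the analyst workstation, and the active-response threshold change Ric says he will make so that a single failed login no longer triggers host-deny and firewall-drop. The IP addresses are constructed placeholders. The firewall-drop and host-deny command names and the level-6/600-second defaults are OSSEC's stock settings; rule 5720 (multiple SSHD authentication failures, level 10) is assumed from OSSEC's shipped sshd_rules.xml and should be confirmed against /var/ossec/rules/ on the sensor before relying on it.

```xml
<ossec_config>
  <global>
    <!-- Addresses that active response must never block.
         Constructed placeholders: replace with the analyst workstation
         and any jump host you administer the sensor from. -->
    <white_list>127.0.0.1</white_list>
    <white_list>192.0.2.10</white_list>
    <white_list>203.0.113.0/24</white_list>
  </global>

  <!-- Stock OSSEC command definitions; these map to the scripts in
       /var/ossec/active-response/bin/ that Ric saw in the .conf file. -->
  <command>
    <name>host-deny</name>
    <executable>host-deny.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- Stock OSSEC wiring fires these on any alert of level 6 or higher,
       which is what produces the hosts.deny entry and the iptables DROP
       rule after a failed login. -->
  <active-response>
    <command>host-deny</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>

  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>

  <!-- Adjusted wiring: only the correlated rule that needs repeated SSH
       failures within its timeframe (assumed: rule 5720, level 10) can
       trigger the block, so one typo no longer locks you out. The
       timeout keeps the block temporary, matching the behaviour Ric
       observed where the host disappears from iptables after a while. -->
  <active-response>
    <command>host-deny</command>
    <location>local</location>
    <rules_id>5720</rules_id>
    <timeout>600</timeout>
  </active-response>

  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>5720</rules_id>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

Use either the stock level-based blocks or the rules_id-based ones, not both; they are shown together here only to contrast the two. After editing ossec.conf, restart OSSEC with /var/ossec/bin/ossec-control restart, and confirm the change by checking that a single deliberate failed login from a non-whitelisted test address no longer appears in /etc/hosts.deny or in iptables -L -n, while the alert itself is still written to /var/ossec/logs/alerts/alerts.log. Whitelisting removes the safety net for those addresses entirely, so keep the list to hosts you actually administer from.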