Re: [security-onion] security onion install banning ssh

Doug Burks

Jan 19, 2013, 8:17:24 AM
to securit...@googlegroups.com
Hi Jon,

Yes, OSSEC has Active Response enabled by default. You can
investigate the OSSEC logs to determine why it decided to block your
IP. You can then edit /var/ossec/etc/ossec.conf and add your IP to a
whitelist or disable Active Response altogether if so desired.

Doug

On Fri, Jan 18, 2013 at 6:45 PM, Jon <jo...@invtools.com> wrote:
> I've noticed this once or twice on previous remote installations but thought it might have been my fault, but it just happened again and I know I hadn't entered a wrong password or anything this time. I did a clean install of Ubuntu Server 12.04.1 32-bit on a remote server, putty'd in without a problem, updated, rebooted, putty'd in, added the ppas, updated, tried to ssh -X in from a linux VM on my machine and after entering the password the connection froze; my putty connection stopped responding at the same time. Managed to get a remote KVM connection to the server and iptables shows DROP rules for my IP address and my IP is also in /etc/hosts.drop. I had not done any firewall setup or installed fail2ban or anything like that. My best guess is that OSSEC is starting up with active response enabled as soon as the security onion packages are installed, before I've run sosetup, and somehow in its unconfigured state is treating my ssh connection as an attack and banning my IP.
>
> Jon
>
> --
> You received this message because you are subscribed to the Google Groups "security-onion" group.
> To post to this group, send email to securit...@googlegroups.com.
> To unsubscribe from this group, send email to security-onio...@googlegroups.com.
> Visit this group at http://groups.google.com/group/security-onion?hl=en-US.
>
>



--
Doug Burks
http://securityonion.blogspot.com

Doug Burks

Jan 19, 2013, 1:08:34 PM
to securit...@googlegroups.com
Yep, /var/ossec/rules/attack_rules.xml contains the following:

<!-- System users. They should never log in to the system -->
<var name="SYS_USERS">^apache$|^mysql$|^www$|^nobody$|^nogroup$|^portmap$|^named$|^rpc$|^mail$|^ftp$|^shutdown$|^halt$|^daemon$|^bin$|^postfix$|^shell$|^info$|^guest$|^psql$|^user$|^users$|^console$|^uucp$|^lp$|^sync$|^sshd$|^cdrom$|^ossec$</var>


<!-- Attack signatures -->
<group name="syslog,attacks,">
<rule id="40101" level="12">
<if_group>authentication_success</if_group>
<user>$SYS_USERS</user>
<description>System user successfully logged to the system.</description>
<group>invalid_login,</group>
</rule>

On Sat, Jan 19, 2013 at 12:54 PM, Jon <jo...@invtools.com> wrote:
> Looks like OSSEC doesn't like my username to be "user", considers it to be a system account.
>
> root@cosguil:/var/ossec/logs/alerts/2013/Jan# zgrep -B 2 -A 2 "16:30" ossec-alerts-18.log.gz
>
> ** Alert 1358548230.622: mail - syslog,attacks,invalid_login,
> 2013 Jan 18 16:30:30 cosguil->/var/log/auth.log
> Rule: 40101 (level 12) -> 'System user successfully logged to the system.'
> Src IP: x.x.x.25
> User: user
> Jan 18 16:30:30 cosguil sshd[5147]: Accepted password for user from x.x.x.25 port 59558 ssh2
>
> ** Alert 1358548230.940: - pam,syslog,authentication_success,
> 2013 Jan 18 16:30:30 cosguil->/var/log/auth.log
> Rule: 5501 (level 3) -> 'Login session opened.'
> Jan 18 16:30:30 cosguil sshd[5147]: pam_unix(sshd:session): session opened for user user by (uid=0)
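To make the behaviour in this thread reproducible offline, here is an added example (not OSSEC code and not from the thread) that replays rule 40101 over constructed auth.log lines: it decodes the sshd "Accepted ... for USER from IP" line, checks the user against the quoted SYS_USERS pattern, and reports whether Active Response would block the source IP unless that IP is listed in an ossec.conf white_list. Python's re module stands in for OSSEC's own matcher, and the log lines and IP placeholders are constructed.

```python
import re

# SYS_USERS exactly as quoted from /var/ossec/rules/attack_rules.xml in the thread
SYS_USERS = (r"^apache$|^mysql$|^www$|^nobody$|^nogroup$|^portmap$|^named$|^rpc$|^mail$|^ftp$|"
             r"^shutdown$|^halt$|^daemon$|^bin$|^postfix$|^shell$|^info$|^guest$|^psql$|^user$|"
             r"^users$|^console$|^uucp$|^lp$|^sync$|^sshd$|^cdrom$|^ossec$")
SYS_USERS_RE = re.compile(SYS_USERS)  # Python re used as a stand-in for OSSEC's matcher

# sshd successful-login line as it appears in auth.log; OSSEC's sshd decoder
# extracts the user and srcip fields that rule 40101 and Active Response use
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<srcip>\S+) port \d+")

def decode_sshd_success(line):
    """Return (user, srcip) for an 'Accepted ... for USER from IP' line, else None."""
    m = ACCEPTED_RE.search(line)
    return (m.group("user"), m.group("srcip")) if m else None

def rule_40101_fires(line, white_list=()):
    """Mimic rule 40101: authentication_success AND user matches $SYS_USERS.
    Active Response then blocks srcip unless it is in ossec.conf <white_list>.
    Returns a dict describing the decision, or None when the rule does not apply."""
    decoded = decode_sshd_success(line)
    if decoded is None:
        return None
    user, srcip = decoded
    if not SYS_USERS_RE.search(user):
        return None
    return {"rule": 40101, "level": 12, "user": user, "srcip": srcip,
            "blocked": srcip not in white_list}

# Constructed sample lines modelled on the alert in the thread (IP is a placeholder)
SAMPLE_LOG = [
    "Jan 18 16:30:30 cosguil sshd[5147]: Accepted password for user from x.x.x.25 port 59558 ssh2",
    "Jan 18 16:31:02 cosguil sshd[5160]: Accepted publickey for jon from x.x.x.25 port 59560 ssh2",
    "Jan 18 16:31:10 cosguil sshd[5160]: pam_unix(sshd:session): session opened for user jon by (uid=0)",
]

def scan(lines, white_list=()):
    """Return the rule 40101 decisions for every line that triggers it."""
    return [r for r in (rule_40101_fires(l, white_list) for l in lines) if r]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("no whitelist:", hit)
    # with the admin's IP whitelisted the alert still fires but no block is issued
    for hit in scan(SAMPLE_LOG, white_list={"x.x.x.25"}):
        print("whitelisted: ", hit)
```

Only the login as "user" trips the rule; the login as "jon" does not, which is why renaming the account or whitelisting the admin IP both resolve the lockout.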