Monitoring OPNsense ssh login


Stefano Casini

Apr 3, 2024, 6:19:03 AM
to Wazuh | Mailing List
Hi,
I want to monitor SSH access on an OPNsense firewall where I have installed the latest version of the Wazuh agent.

I have the agent installed and enrolled correctly, because I can see the logs from this agent, but if I try to log in via SSH I can't see the logs from the sshd process.


Thank you in advance.
Stefano

Nahuel Figueroa

Apr 3, 2024, 12:24:59 PM
to Wazuh | Mailing List
Hi Stefano!
Where did you try to see the sshd logs from?

Stefano Casini

Apr 5, 2024, 12:00:52 PM
to Wazuh | Mailing List
Okay, I found the way to monitor the logs from the sshd daemon.

After that I created a decoder and rules to generate an alert when there is an SSH connection attempt with failed status.
All that stuff works, so I decided to try to enable active response for that event.

So I configured the command and the active response in the Wazuh manager:
<command>
  <name>opnsense-fw</name>
  <executable>opnsense-fw</executable>
  <timeout_allowed>yes</timeout_allowed>
</command>

<active-response>
  <command>opnsense-fw</command>
  <location>local</location>
  <rules_id>570011</rules_id>
  <timeout>120</timeout>
</active-response>

I wrote that following the OPNsense guide for active response -> https://docs.opnsense.org/manual/wazuh-agent.html.

When I try a lot of SSH connections with the wrong password I see the alert in Wazuh, but I think the active response doesn't work.

Can someone find the problem in my configuration, or has someone had the same trouble?

PS. The agent configuration on OPNsense has active response enabled.
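To see what the `<active-response>` block above actually triggers on the agent side, here is a skeleton of a stateful Wazuh active-response handler. This is an added example for the thread, not Stefano's configuration and not the `opnsense-fw` script shipped by OPNsense; it assumes the JSON stdin/stdout exchange that Wazuh 4.x documents for custom active-response scripts (execd sends `add` or `delete`, the script answers `check_keys`, execd replies `continue` or `abort`). The rule id 570011 comes from the thread; the sample alert, the source IP and the never-block networks are constructed.

```python
#!/usr/bin/env python3
"""Skeleton of a stateful Wazuh active-response script (added example).

Assumed flow (Wazuh 4.x custom active-response documentation): execd writes
one JSON line to stdin with "command": "add" (alert fired) or "delete"
(timeout expired). For "add" the script writes a "check_keys" line to stdout
and reads back "continue" or "abort" ("abort" means the key is already being
handled, so no duplicate block is applied).
"""
import ipaddress
import json
import sys

# Rule ids this handler accepts. 570011 is the custom rule id from the
# thread; any other id points at a manager/agent mismatch and is ignored.
ALLOWED_RULE_IDS = {"570011"}

# Networks that must never be blocked (constructed: loopback plus an assumed
# management subnet). Locking yourself out of the firewall is the classic
# active-response failure mode.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.168.1.0/24")]

# Constructed execd message. Field layout is the documented one; the srcip,
# agent and timestamp values are made up for this example.
SAMPLE_ADD_MESSAGE = json.dumps({
    "version": 1,
    "origin": {"name": "node01", "module": "wazuh-execd"},
    "command": "add",
    "parameters": {
        "extra_args": [],
        "alert": {
            "timestamp": "2024-04-05T12:00:00.000+0000",
            "rule": {"level": 10, "id": "570011",
                     "description": "sshd: authentication failure (custom)"},
            "agent": {"id": "001", "name": "opnsense"},
            "data": {"srcip": "198.51.100.23", "dstuser": "root"},
        },
        "program": "active-response/bin/opnsense-fw",
    },
})


def parse_message(raw):
    """Extract the fields a blocking script needs from an execd message."""
    msg = json.loads(raw)
    params = msg.get("parameters", {})
    alert = params.get("alert", {})
    return {
        "command": msg.get("command"),
        "rule_id": str(alert.get("rule", {}).get("id", "")),
        "srcip": alert.get("data", {}).get("srcip"),
        "program": params.get("program"),
    }


def check_keys_message(script_name, keys):
    """JSON line sent back so execd can de-duplicate active blocks."""
    return json.dumps({
        "version": 1,
        "origin": {"name": script_name, "module": "active-response"},
        "command": "check_keys",
        "parameters": {"keys": keys},
    })


def should_block(parsed):
    """Return (True, "") when the alert warrants a block, else (False, reason)."""
    if parsed["rule_id"] not in ALLOWED_RULE_IDS:
        return False, "rule %s not in allowed set" % parsed["rule_id"]
    try:
        ip = ipaddress.ip_address(parsed["srcip"] or "")
    except ValueError:
        return False, "alert carries no usable srcip"
    if any(ip in net for net in NEVER_BLOCK):
        return False, "%s is in a never-block network" % ip
    return True, ""


def handle(raw, reply_reader, write, apply_block, remove_block):
    """Run one add/delete cycle; returns a short description of the action."""
    parsed = parse_message(raw)
    ok, reason = should_block(parsed)
    if not ok:
        return "skipped: " + reason
    if parsed["command"] == "delete":
        remove_block(parsed["srcip"])
        return "unblocked " + parsed["srcip"]
    if parsed["command"] != "add":
        return "skipped: unknown command %r" % parsed["command"]
    write(check_keys_message("opnsense-fw-example", [parsed["srcip"]]) + "\n")
    reply = json.loads(reply_reader())
    if reply.get("command") == "abort":
        return "aborted: key already handled"
    apply_block(parsed["srcip"])
    return "blocked " + parsed["srcip"]


def main():
    """Wire the handler to execd's stdin/stdout; blocking is only logged here."""
    log = lambda text: sys.stderr.write(text + "\n")
    result = handle(
        sys.stdin.readline(), sys.stdin.readline, sys.stdout.write,
        lambda ip: log("would add firewall rule for " + ip),
        lambda ip: log("would remove firewall rule for " + ip),
    )
    log(result)


if __name__ == "__main__":
    main()
```

The two checks in `should_block` are the ones worth keeping when adapting a real blocking script: the rule id guard makes a manager/agent rule mismatch visible in the script's log instead of silently doing nothing, and the never-block list protects the management path to the firewall.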

Nahuel Figueroa

Apr 7, 2024, 10:21:22 PM
to Wazuh | Mailing List
Hi Stefano! There are already native rules that detect the brute-force attack; it is not necessary to create decoders or rules: https://documentation.wazuh.com/current/proof-of-concept-guide/detect-brute-force-attack.html. Regarding active response, you can read this about how to block failed attempts using active response: https://documentation.wazuh.com/current/user-manual/capabilities/active-response/ar-use-cases/blocking-ssh-brute-force.html