3

I'm running OSSEC as a HIDS on a Ubuntu 12.10 server, and it routinely (3-4x a day) sends me a notification like this: (note the last octet of the IP address has been changed to 'xxx' to protect the guilty)

OSSEC HIDS Notification.
2013 Nov 21 15:10:43

Received From: localhost->/var/log/auth.log
Rule: 2502 fired (level 10) -> "User missed the password more than one time"
Portion of the log(s):

Nov 21 15:10:41 localhost sshd[3594]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.147.74.xxx user=root

--END OF NOTIFICATION

I am the only (legitimate) user on the server, and I have PermitRootLogin no set in my /etc/ssh/sshd_config. So, sending me an alert everytime somebody fails to ssh in as root is pointless.

I found where OSSEC rule 2502 is defined in /var/ossec/rules/syslog_rules.xml as:

  <rule id="2502" level="10">
    <match>more authentication failures;|REPEATED login failures</match>
    <description>User missed the password more than one time</description>
    <group>authentication_failed,</group>
  </rule>

I'd prefer not to disable this rule altogether, as it would be very helpful to know if there are attempted logins that fail to my username. I just need it to not email me when the username in question is root.

1 Answer 1

8

Add the following to your ´/var/ossec/rules/local_rules.xml`.

<rule id="100001" level="10">
  <if_sid>2502</if_sid>
  <description>Suppress email from failed login attempts</description>
  <options>no_email_alert</options>
</rule>

This way no email is sent from the alert (<options>no_email_alert</options>) but it is still flagged at level 10 and triggers appropriate active response.

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .