Wednesday, June 4, 2014

OSSEC custom rules

I use and like OSSEC (http://www.ossec.net/) on all my machines, but to cut down on some of the noise I have a few local rules. These first two block IP addresses immediately on bad ssh login attempts for root and admin (I don't allow root logins on any machine; that's what sudo is for), so there is no reason to wait for multiple attempts.
<group name="syslog,">

  <!-- 5500 is the stock OSSEC parent rule for pam_unix messages. A pam_unix
       authentication failure line ends in "user=<name>", so the $ anchors keep
       this from firing on account names that merely start with root or admin. -->
  <rule id="100001" level="10">
    <if_sid>5500</if_sid>
    <match>user=root$|user=admin$</match>
    <description>Root login attempted.</description>
    <group>authentication_failed,</group>
  </rule>

  <!-- 5700 is the stock parent rule for sshd messages. Both conditions must hit:
       <match> is a literal (^ anchors the start of the message) and <regex> is
       an OSSEC regex. Level 10 sits above the level at which active response
       (firewall-drop) is normally configured to fire, and that active response
       is what actually does the blocking mentioned above. -->
  <rule id="100002" level="10">
    <if_sid>5700</if_sid>
    <match>^reverse mapping</match>
    <regex>failed - POSSIBLE BREAK</regex>
    <description>Reverse lookup error (bad ISP or attack).</description>
  </rule>

</group>
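As an added example (not part of the post and not OSSEC's own code), here is a small Python emulation of the rule tree these two rules hang off, run over constructed log lines so you can see which line trips which rule; the syslog decoder and the <regex> handling are simplified stand-ins, and the parent rule ids are the stock OSSEC ones.

```python
import re
# Added example, not from the blog post: emulates how OSSEC walks its rule tree
# for the two local rules above, checked offline against constructed log lines.

def os_match(pattern, text):
    """OSSEC <match> semantics: '|' alternatives, '^' start anchor, '$' end anchor,
    everything else a literal substring (not a full regex)."""
    for alt in pattern.split("|"):
        rx = (("^" if alt.startswith("^") else "") + re.escape(alt.strip("^$"))
              + ("$" if alt.endswith("$") else ""))
        if re.search(rx, text):
            return True
    return False

# Stock parent rules (standard OSSEC ids) plus the post's two local rules. The
# post's <regex> has no OSSEC metacharacters, so a substring test stands in for it.
RULES = [
    {"id": 5500, "level": 0, "decoded_as": "pam_unix"},
    {"id": 5700, "level": 0, "decoded_as": "sshd"},
    {"id": 100001, "level": 10, "if_sid": 5500, "match": "user=root$|user=admin$"},
    {"id": 100002, "level": 10, "if_sid": 5700, "match": "^reverse mapping",
     "regex": "failed - POSSIBLE BREAK"},
]

def decode(line):
    """Crude stand-in for OSSEC's syslog decoders: returns (decoder, message body)."""
    header, _, content = line.partition("]: ")
    program = header.rsplit(" ", 1)[-1].split("[")[0]
    return ("pam_unix" if content.startswith("pam_unix(") else program), content

def evaluate(line):
    """Return (rule id, level) of the most specific rule the line triggers."""
    decoder, content = decode(line)
    best = None
    for parent in (r for r in RULES if r.get("decoded_as") == decoder):
        best = parent
        for child in (r for r in RULES if r.get("if_sid") == parent["id"]):
            if os_match(child["match"], content) and child.get("regex", "") in content:
                best = child
    return (best["id"], best["level"]) if best else (None, 0)

# Constructed sample lines (RFC 5737 addresses), not captured from a real host.
LOGS = [
    "Jun  4 10:00:01 host sshd[1234]: pam_unix(sshd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5  user=root",
    "Jun  4 10:00:03 host sshd[1236]: reverse mapping checking getaddrinfo for "
    "bad.example [198.51.100.7] failed - POSSIBLE BREAK-IN ATTEMPT!",
    "Jun  4 10:00:04 host sshd[1237]: Accepted publickey for alice from 192.0.2.9 port 5000 ssh2",
]
```

For the real thing, pipe a log line into ossec-logtest on the OSSEC host; it prints the decoder and the rule that matched, which is the check to run after adding any local rule.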