Wednesday, June 4, 2014
OSSEC custom rules
I use and like OSSEC (http://www.ossec.net/) on all my machines, but to cut down on some of the noise I have a few local rules. These first two block IP addresses immediately on bad ssh login attempts for root and admin (I don't allow root logins on any machine; that's why there is sudo), so there is no reason to wait for multiple attempts.

<group name="syslog,">
  <!-- Failed PAM authentication (child of rule 5500) naming root or admin as the target user.
       Level 10 is above the default active-response threshold (level 6), so the source IP
       is dropped on the first attempt instead of after repeated failures. -->
  <rule id="100001" level="10">
    <if_sid>5500</if_sid>
    <match>user=root$|user=admin$</match>
    <description>Root or admin login attempted.</description>
    <group>authentication_failed,</group>
  </rule>
  <!-- sshd (child of rule 5700) reverse DNS check failure:
       "reverse mapping checking getaddrinfo for ... failed - POSSIBLE BREAK-IN ATTEMPT!" -->
  <rule id="100002" level="10">
    <if_sid>5700</if_sid>
    <match>^reverse mapping</match>
    <regex>failed - POSSIBLE BREAK</regex>
    <description>Reverse lookup error (bad ISP or attack).</description>
  </rule>
</group>
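As an added check, not part of the original post or of OSSEC itself: a small Python harness that approximates how OSSEC's `<match>` and `<regex>` conditions apply to a decoded message, so the two rules above can be tried against constructed log lines before they go live. The rule data, the decoder-name stand-in for the parent rules 5500 and 5700, and the sample lines are all assumptions made here.

```python
import re

# The two local rules from the post, transcribed as (id, if_sid, match, regex).
LOCAL_RULES = [
    (100001, 5500, "user=root$|user=admin$", None),
    (100002, 5700, "^reverse mapping", "failed - POSSIBLE BREAK"),
]

# Simplification (assumption): parent rules 5500 (pam) and 5700 (sshd) are stood
# in for by the event's decoder name rather than a full OSSEC rule tree.
PARENT_BY_DECODER = {"pam": 5500, "sshd": 5700}


def ossec_match(pattern, message):
    """Approximate OSSEC <match>: '|' separates alternatives, a leading '^' anchors
    to the message start, a trailing '$' to its end; otherwise a substring test.
    No other metacharacters and no case folding are reproduced here."""
    for alt in pattern.split("|"):
        at_start, at_end = alt.startswith("^"), alt.endswith("$")
        literal = alt[int(at_start):len(alt) - int(at_end)]
        if at_start and at_end:
            hit = message == literal
        elif at_start:
            hit = message.startswith(literal)
        elif at_end:
            hit = message.endswith(literal)
        else:
            hit = literal in message
        if hit:
            return True
    return False


def evaluate(decoder, message):
    """Return the id of the first local rule that fires for an event, else None."""
    parent = PARENT_BY_DECODER.get(decoder)
    for rule_id, if_sid, match, regex in LOCAL_RULES:
        if (if_sid == parent
                and (match is None or ossec_match(match, message))
                and (regex is None or re.search(regex, message))):
            return rule_id
    return None


# Constructed sample events as (decoder, message); none are real logs.
SAMPLE_EVENTS = [
    ("pam", "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=root"),
    ("pam", "pam_unix(sshd:auth): authentication failure; rhost=192.0.2.10 user=rootbeer"),
    ("sshd", "reverse mapping checking getaddrinfo for h.example [192.0.2.11] failed - POSSIBLE BREAK-IN ATTEMPT!"),
    ("sshd", "Accepted publickey for alice from 192.0.2.20 port 51234 ssh2"),
]


def fired_rule_ids():
    # Which local rule, if any, fires for each sample event, in order.
    return [evaluate(decoder, message) for decoder, message in SAMPLE_EVENTS]
```

The second sample shows why the trailing `$` matters: `user=root$` does not fire on `user=rootbeer`, whereas a plain substring match would.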