Wednesday, June 4, 2014
OSSEC custom rules
I use and like OSSEC (http://www.ossec.net/) on all my machines, but to cut down on some of the noise I have a few local rules. These first two block IP addresses immediately on bad ssh login attempts for the root and admin users (I don't allow root logins on any machine; that's what sudo is for), so there is no reason to wait for multiple attempts.

<group name="syslog,">
  <rule id="100001" level="10">
    <if_sid>5500</if_sid>
    <match>user=root$|user=admin$</match>
    <description>Root login attempted.</description>
    <group>authentication_failed,</group>
  </rule>

  <rule id="100002" level="10">
    <if_sid>5700</if_sid>
    <match>^reverse mapping</match>
    <regex>failed - POSSIBLE BREAK</regex>
    <description>Reverse lookup error (bad ISP or attack).</description>
  </rule>
</group>
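To sanity-check rules like these before deploying them, the following Python script is an added example (not from the original post and not part of OSSEC) that emulates how OSSEC applies `<if_sid>`, `<match>` and `<regex>` to already-decoded log lines. The sample log lines, and the parent rule ids they are assumed to have hit first (5500 for pam_unix messages, 5700 for sshd messages), are constructed; the `<match>` emulation supports only `^`, `$` and `|`, the `<regex>` translation covers a small subset of OSSEC's dialect, and the level-10 blocking threshold is an assumption about the active-response configuration. The authoritative check is `ossec-logtest`, which ships with OSSEC; this script only makes the anchoring behaviour visible, for example that `user=root$` fires on `user=root` but not on `user=rootkit`.

```python
"""Offline emulation of two custom OSSEC rules (constructed example)."""
import re

# The two rules from the post, transcribed into plain dicts.
RULES = [
    {"id": 100001, "level": 10, "if_sid": [5500],
     "match": "user=root$|user=admin$", "regex": None,
     "description": "Root login attempted."},
    {"id": 100002, "level": 10, "if_sid": [5700],
     "match": "^reverse mapping", "regex": "failed - POSSIBLE BREAK",
     "description": "Reverse lookup error (bad ISP or attack)."},
]

# Constructed sample events: (parent rule id assumed to have matched, log text).
# The syslog header and program name are already stripped, as OSSEC does
# before <match>/<regex> are evaluated.
SAMPLE_EVENTS = [
    (5500, "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 "
           "tty=ssh ruser= rhost=203.0.113.5  user=root"),
    (5500, "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 "
           "tty=ssh ruser= rhost=203.0.113.5  user=rootkit"),
    (5700, "reverse mapping checking getaddrinfo for host.example.com "
           "[203.0.113.9] failed - POSSIBLE BREAK-IN ATTEMPT!"),
    (5700, "Accepted publickey for alice from 198.51.100.7 port 50022 ssh2"),
]


def ossec_match(pattern, text):
    """Emulate <match>: substring search, '|' separates alternatives,
    a leading '^' anchors to the start, a trailing '$' anchors to the end."""
    for alt in pattern.split("|"):
        at_start, at_end = alt.startswith("^"), alt.endswith("$")
        literal = alt[1 if at_start else 0: -1 if at_end else None]
        if at_start and at_end:
            hit = text == literal
        elif at_start:
            hit = text.startswith(literal)
        elif at_end:
            hit = text.endswith(literal)
        else:
            hit = literal in text
        if hit:
            return True
    return False


# Subset of OSSEC regex escapes mapped onto Python's re dialect (assumption:
# only these are needed for the rules being tested).
_OSSEC_ESCAPES = {"s": r"\s", "d": r"\d", "w": r"\w", "S": r"\S", "D": r"\D",
                  "W": r"\W", "p": r"[^\w\s]", "t": r"\t"}


def ossec_regex_to_python(pattern):
    """Translate an OSSEC <regex> pattern into a Python regular expression."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            out.append(_OSSEC_ESCAPES.get(nxt, re.escape(nxt)))
            i += 2
            continue
        # These metacharacters mean the same thing in OSSEC and in Python re.
        out.append(ch if ch in ".*+^$|()" else re.escape(ch))
        i += 1
    return "".join(out)


def ossec_regex_search(pattern, text):
    """Emulate <regex>: unanchored search using the translated pattern."""
    return re.search(ossec_regex_to_python(pattern), text) is not None


def evaluate(parent_sid, log, rules=RULES):
    """Return the rules that fire for a log line whose parent rule was parent_sid."""
    fired = []
    for rule in rules:
        if parent_sid not in rule["if_sid"]:
            continue
        if rule["match"] and not ossec_match(rule["match"], log):
            continue
        if rule["regex"] and not ossec_regex_search(rule["regex"], log):
            continue
        fired.append(rule)
    return fired


def would_block(parent_sid, log, threshold=10):
    """True if any fired rule reaches the assumed active-response level."""
    return any(r["level"] >= threshold for r in evaluate(parent_sid, log))


if __name__ == "__main__":
    for sid, log in SAMPLE_EVENTS:
        ids = [r["id"] for r in evaluate(sid, log)]
        verdict = "BLOCK" if would_block(sid, log) else "pass "
        print(f"{verdict} parent={sid} fired={ids} :: {log[:60]}")
```

The second sample line is the interesting one: without the `$` anchor the first rule would also fire on `user=rootkit`, which is exactly the kind of over-match that turns a "block immediately" rule into a source of false positives.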