Wednesday, June 4, 2014

OSSEC custom rules

I use and like OSSEC on all my machines, but to cut down on some of the noise I have a few local rules. These first two block IP addresses immediately on bad ssh login attempts for root and admin (I don't allow root logins on any machines -- that's why there is sudo) -- no reason to wait for multiple attempts.
<group name="syslog,">

  <rule id="100001" level="10">
    <!-- the match condition for this rule is missing from the post;
         without one the rule would fire on every event it is evaluated against -->
    <description>Root login attempted.</description>
  </rule>

  <rule id="100002" level="10">
    <match>^reverse mapping</match>
    <regex>failed - POSSIBLE BREAK</regex>
    <description>Reverse lookup error (bad ISP or attack).</description>
  </rule>

</group>
