3

I'm running OSSEC as a HIDS on an Ubuntu 12.10 server, and it routinely (3-4x a day) sends me a notification like this (note the last octet of the IP address has been changed to 'xxx' to protect the guilty):

OSSEC HIDS Notification.
2013 Nov 21 15:10:43

Received From: localhost->/var/log/auth.log
Rule: 2502 fired (level 10) -> "User missed the password more than one time"
Portion of the log(s):

Nov 21 15:10:41 localhost sshd[3594]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.147.74.xxx user=root

--END OF NOTIFICATION

I am the only (legitimate) user on the server, and I have `PermitRootLogin no` set in my /etc/ssh/sshd_config. So, sending me an alert every time somebody fails to ssh in as root is pointless.

I found where OSSEC rule 2502 is defined in /var/ossec/rules/syslog_rules.xml as:

  <rule id="2502" level="10">
    <match>more authentication failures;|REPEATED login failures</match>
    <description>User missed the password more than one time</description>
    <group>authentication_failed,</group>
  </rule>

I'd prefer not to disable this rule altogether, as it would be very helpful to know if there are attempted logins that fail to my username. I just need it to not email me when the username in question is root.

Cristian Ciupitu
tkrajcar

1 Answer

7

Add the following to your `/var/ossec/rules/local_rules.xml`.

<rule id="100001" level="10">
  <if_sid>2502</if_sid>
  <description>Suppress email from failed login attempts</description>
  <options>no_email_alert</options>
</rule>

This way no email is sent from the alert (<options>no_email_alert</options>) but it is still flagged at level 10 and triggers appropriate active response.

Ketola
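The answer's child rule silences e-mail for every hit of rule 2502, not only the root ones the question asks about. The following is an added example, not code from the question, the answer or the OSSEC project: a small Python model of how OSSEC walks a parent rule into an `<if_sid>` child, run over the notification's own log line and one constructed non-root line. It narrows the child rule with OSSEC's `<user>` field (`^root$`) so that only root failures lose their e-mail while the level-10 alert itself still fires. Assumptions: the `decode()` regex is a simplified stand-in for OSSEC's pam decoder, that the decoded `user` field is available to `<user>` for this log format, and the default `<email_alert_level>` of 7.

```python
import re
import xml.etree.ElementTree as ET

EMAIL_ALERT_LEVEL = 7  # OSSEC's default <email_alert_level> (assumed unchanged)

# Constructed rules file: rule 2502 is copied from the question; rule 100001 is
# the answer's child rule narrowed with a <user> field so that only failures
# for root are kept out of e-mail. <user> is a real OSSEC rule option; that it
# sees the user decoded from this PAM line is an assumption of this example.
RULES_XML = """
<group name="syslog">
  <rule id="2502" level="10">
    <match>more authentication failures;|REPEATED login failures</match>
    <description>User missed the password more than one time</description>
    <group>authentication_failed,</group>
  </rule>
  <rule id="100001" level="10">
    <if_sid>2502</if_sid>
    <user>^root$</user>
    <description>Suppress email from failed root login attempts</description>
    <options>no_email_alert</options>
  </rule>
</group>
"""

# Simplified stand-in for OSSEC's pam decoder (not the real decoder): pull
# srcip and user out of the "rhost=... user=..." tail of the log line.
PAM_RE = re.compile(r"rhost=(?P<srcip>\S*)\s+user=(?P<user>\S+)")

# Constructed sample input: the first line is the one from the notification
# above; the second is made up to show a non-root failure that should still
# be mailed.
SAMPLE_LINES = [
    "Nov 21 15:10:41 localhost sshd[3594]: PAM 5 more authentication failures; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost=61.147.74.xxx user=root",
    "Nov 21 15:12:02 localhost sshd[3601]: PAM 2 more authentication failures; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7 user=alice",
]


def decode(line):
    """Return the srcip/user fields for a PAM line, or {} if they are absent."""
    m = PAM_RE.search(line)
    return m.groupdict() if m else {}


def load_rules(xml_text):
    """Read the handful of rule fields this model understands."""
    rules = []
    for r in ET.fromstring(xml_text.strip()).iter("rule"):
        if_sid = r.findtext("if_sid") or ""
        rules.append({
            "id": int(r.get("id")),
            "level": int(r.get("level")),
            "match": r.findtext("match"),
            "if_sid": [int(s) for s in if_sid.split(",") if s.strip()],
            "user": r.findtext("user"),
            "options": [o.strip() for o in (r.findtext("options") or "").split(",")],
        })
    return rules


def _matches(rule, line, fields):
    """A rule's own conditions: <match> is a substring test with '|' alternatives
    (as in OSSEC); <user> is a regex tested against the decoded user field."""
    if rule["match"] and not any(alt in line for alt in rule["match"].split("|")):
        return False
    if rule["user"] is not None:
        user = fields.get("user")
        if user is None or not re.search(rule["user"], user):
            return False
    return True


def evaluate(rules, line):
    """Final rule hit for a line and whether it would be e-mailed: a top-level
    rule matches first, then any <if_sid> child that also matches replaces it."""
    fields = decode(line)
    current = next((r for r in rules if not r["if_sid"] and _matches(r, line, fields)), None)
    if current is None:
        return None
    seen = {current["id"]}  # guard against a child chain that loops
    while True:
        child = next((r for r in rules if current["id"] in r["if_sid"]
                      and r["id"] not in seen and _matches(r, line, fields)), None)
        if child is None:
            break
        seen.add(child["id"])
        current = child
    email = current["level"] >= EMAIL_ALERT_LEVEL and "no_email_alert" not in current["options"]
    return {"rule": current["id"], "level": current["level"], "email": email}


if __name__ == "__main__":
    loaded = load_rules(RULES_XML)
    for sample in SAMPLE_LINES:
        print(evaluate(loaded, sample), "<-", sample[:60])
```

Running it shows the root line ending on rule 100001 at level 10 with no e-mail, and the alice line staying on rule 2502 with e-mail on, which is the behaviour the question was after; the real check is to drop the narrowed rule into local_rules.xml and feed the line to /var/ossec/bin/ossec-logtest, since the `<user>` match depends on what the installed decoder extracts.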