Koozali.org: home of the SME Server

OSSEC / SME Question

Offline cyberwatcher

OSSEC / SME Question
« on: May 31, 2010, 02:36:18 PM »
We have been running SME as our mail server for a few years now and love it. I decided to use OSSEC on our machines here on our network. We have an issue regarding OSSEC active-response not adding offending IPs to the hosts.deny file. I test this by attempting to log in to Horde using multiple bad passwords and/or usernames. I will get an OSSEC email (alert); however, the active-response does not seem to be firing.

Any help on this would be great.

Offline cactus

Re: OSSEC / SME Question
« Reply #1 on: May 31, 2010, 07:37:26 PM »
Any help on this would be great.
Your description of the situation is too brief for people to start helping you. How did you implement it? Did you follow certain instructions? Do you see any failure messages in log files or presented on screen, etc.?

Please keep in mind we can not look over your shoulder at your system and do not have a USB powered crystal ball.
Be careful whose advice you buy, but be patient with those who supply it. Advice is a form of nostalgia, dispensing it is a way of fishing the past from the disposal, wiping it off, painting over the ugly parts and recycling it for more than its worth ~ Baz Luhrmann - Everybody's Free (To Wear Sunscreen)

Offline cyberwatcher

Re: OSSEC / SME Question
« Reply #2 on: May 31, 2010, 08:35:35 PM »
Thank you for all of your sarcasm. The install is straightforward. I have an OSSEC server, and the SME mail server has an agent installed on it. The agent talks back and forth to the server via a port, which happens to be 1514 (encrypted). The logs which say login failure come from /var/log/messages and are pulled from the agent via the port already mentioned. Active Response does not work. Active Response is part of the server end, which uses TCP Wrappers to add an offending IP to the hosts.deny file (on the agent end).

Other installations (Fedora, XP, CentOS) all work using the exact same agent and setup.

I did not want to get too in depth until I knew if this could be added to this type of forum. Now that I have explained the installation, what type of help can you give?

I have seen many forums with people in them that feel smarter than the people that are asking for help. There really is no need to be such a jerk. Just help.
« Last Edit: May 31, 2010, 08:37:22 PM by cyberwatcher »

Offline CharlieBrady

Re: OSSEC / SME Question
« Reply #3 on: May 31, 2010, 08:54:04 PM »
I do not see cactus being a jerk. He did not understand what you wanted, and asked for more information. I do see you being a jerk, and won't be making any effort to help you with your problem.

Please come back when you are prepared to be polite and tolerant.

Offline Stefano

Re: OSSEC / SME Question
« Reply #4 on: May 31, 2010, 10:27:33 PM »
Thank you for all of your sarcasm.

there's no sarcasm in cactus' answer.. you should really do
Code: [Select]
yum install irony

on your side

Quote
I did not want to get too in depth until I knew if this could be added to this type of forum. Now that I have explained the installation, what type of help can you give?


if you ask for help, help us to help you.. I (and cactus, and Charlie too) am very far from you, your server and your mind, so you should always think that we are "blind".. you have to give us as many details as you can..

Quote
There really is no need to be such a jerk. Just help.

this is a forum, not a helpdesk.. if you want a helpdesk service, contact me offline: I will ask you for your data for the invoice and give you the data to send me money.

otherwise, calm down and wait for someone to help you

* Stefano and.. maybe is summer coming..

Offline cactus

Re: OSSEC / SME Question
« Reply #5 on: May 31, 2010, 10:29:50 PM »
Thank you for all of your sarcasm.
There is no sarcasm in my remarks; sarcasm means using words to damage or hurt someone. That was not my intention and I do not understand why you take them as such.

Please keep in mind that this is a free support forum; people like Charlie and me, as well as many others, dedicate their free time to SME Server, your questions and the questions of others. We would gladly help you, but you are wrong in assuming that we can magically help you if you just drop some terms, let alone do the work for you. As long as you do not pay me for your work, you have no say over what I should do or how I should do it.

The install is straightforward.
Perhaps to you, certainly not to me.

the logs
Which logs?

which say login failure
Why not post a fragment of such log messages? Perhaps there are more clues in there; again you keep us guessing. Even in answering my questions you were brief and not specific; why did you not post the error message?

Active Response does not work. Active Response is part of the server end, which uses TCP Wrappers to add an offending IP to the hosts.deny file (on the agent end).
Where is this running? Are there any configuration instructions?

Other installations (Fedora, XP, CentOS) all work using the exact same agent and setup.
Do not expect SME Server to be the same as any Linux machine, although it is Linux as well. To make SME Server configurable using server-manager and the internal configuration database, there is something more to it. I suggest you study the SME Server Development Guide, which you can find in the wiki; this might get you on track.

I did not want to get too in depth until I knew if this could be added to this type of forum. Now that I have explained the installation, what type of help can you give?
No help, as I already said: we are not behind your system, so you need to give us something to work on... or if you have a hard time doing so, dig into your pockets and hire an SME Server consultant to do the work for you. Once again, this is a free forum, so do not expect people to do your work.

I have seen many forums with people in them that feel smarter than the people that are asking for help. There really is no need to be such a jerk.
I think an apology from you would be in order here. I post a reply asking you to expand on your case and you start insulting people.

Just help.
I will not just help, as I do not have the proper information, nor an out-of-the-box solution for ill- or non-defined problems, and certainly not when you behave in such a manner, more or less demanding help. Only the sun rises for free.

I suggest you do with my information in this post as you see fit, but my advice is to dig into the SME Server Developers Guide and see where that takes you, as you certainly got off on the wrong foot with me and I see no reason to dedicate more time, nor effort, to this thread.

Offline cyberwatcher

Re: OSSEC / SME Question
« Reply #6 on: June 01, 2010, 06:52:54 PM »
Cactus... your words made me feel like I fell on a cactus! Just kidding. I am sorry and feel bad that I was offended so easily (your crystal ball comment). Please accept my apology and, if you are willing, I can forward logs and research that I have done.

Originally I did not want to post all of the information until I knew if this was the proper forum. Sometimes third-party software does not want to be discussed in certain forums, therefore I did not want to waste anyone's time.

So.... If you are willing, I will provide some information this evening when I get home. If not, I still am very sorry and stand corrected. It would not be the first time that I have put my foot in my mouth.
I have done some research on this and it is installed and running great. A small issue needs resolving, and I will continue to work on the issue and post results if I fix it, so if someone else has this issue it could be of some help.... They may have to just scroll down until they find it though... Sorry.
:grin:

Offline cactus

Re: OSSEC / SME Question
« Reply #7 on: June 01, 2010, 07:01:45 PM »
Cactus... your words made me feel like I fell on a cactus! Just kidding. I am sorry and feel bad that I was offended so easily (your crystal ball comment). Please accept my apology and, if you are willing, I can forward logs and research that I have done.
No problem, apology accepted. Let's start with a clean slate.
Please post what you have done so far and what issues you are running into. Perhaps I and the other readers in the forum can give you a bump, and a definitive write-up can be made in the wiki so others might benefit from it as well; that is the community spirit we try to achieve at contribs.org/SME Server.

Originally I did not want to post all of the information until I knew if this was the proper forum. Sometimes third-party software does not want to be discussed in certain forums, therefore I did not want to waste anyone's time.
A suggestion for the future is to ask that of the software vendor or in the forums you are posting to; it might save you and others some frustration.

So.... If you are willing, I will provide some information this evening when I get home.
Go ahead.

I have done some research on this and it is installed and running great. A small issue needs resolving, and I will continue to work on the issue and post results if I fix it, so if someone else has this issue it could be of some help.... They may have to just scroll down until they find it though... Sorry.
:grin:
We will gladly help you, but like I already stated, you will have to do some heavy lifting yourself as well. If you are prepared to do so, you will most certainly notice these forums are worth the effort.

Offline CharlieBrady

Re: OSSEC / SME Question
« Reply #8 on: June 01, 2010, 07:21:09 PM »
We have been running SME as our mail server for a few years now and love it. I decided to use OSSEC on our machines here on our network. We have an issue regarding OSSEC active-response not adding offending IPs to the hosts.deny file.

You don't tell us where "OSSEC active-response" is running or where the hosts.deny file is, but this sounds like an OSSEC issue. Have you asked on an OSSEC forum?

Offline CharlieBrady

Re: OSSEC / SME Question
« Reply #9 on: June 01, 2010, 07:25:51 PM »
I have an OSSEC server, and the SME mail server has an agent installed on it. The agent talks back and forth to the server via a port, which happens to be 1514 (encrypted). The logs which say login failure come from /var/log/messages and are pulled from the agent via the port already mentioned. Active Response does not work. Active Response is part of the server end, which uses TCP Wrappers to add an offending IP to the hosts.deny file (on the agent end).

I expect that there is nobody here who can remotely troubleshoot the actions on an OSSEC agent.

If the OSSEC agent on the SME server is modifying the /etc/hosts.deny file on the server, you should be warned that that file is templated, and says:

#          !!DO NOT MODIFY THIS FILE!!

You should also be warned that many SME Server services do not use TCP Wrappers, so access to those services will not be affected by any changes to /etc/hosts.*.

Offline cyberwatcher

Re: OSSEC / SME Question
« Reply #10 on: June 02, 2010, 03:08:08 AM »
CharlieBrady, you hit on the TCP Wrappers and SME template issue. That is what I was thinking and wanted to confirm.
I have to figure out most of the OSSEC configuration and how-to stuff myself. I just want to know if SME is even capable of using the Active Response that OSSEC offers.

The Active Response is running on the OSSEC server (CentOS 5).
The hosts.deny file that needs to be edited is on the SME mail server.

As I have stated, active-response is some XML scripting that takes an offending IP address and places it in hosts.deny. It allows you to automatically execute "commands" or responses when a specific event or a set of events is triggered.

Here is an example email I got from my web server. That was Google Analytics (which I can baseline), and the IP was placed in the hosts.deny file for 10 minutes.
OSSEC HIDS Notification.
2010 Jun 01 03:35:01

Received From: (Fedora) 172.16.10.2->/var/log/httpd/access_log
Rule: 31151 fired (level 10) -> "Mutiple web server 400 error codes from same source ip."
Portion of the log(s):

66.242.17.45 - - [01/Jun/2010:03:21:43 -0400] "GET /wp-login.php HTTP/1.1" 404 297 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.242.17.45 - - [01/Jun/2010:03:21:43 -0400] "GET /wp-login.php HTTP/1.1" 404 295 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
I will forward what I have done in an attachment.
As far as OSSEC forums go, I have not seen any, with the exception of Google Groups. They basically bombard you with email; however, some of the email is very helpful.

This is not an easy thing to be playing with, I understand. Since SME is secured and locked down, I do not expect an app just to be able to modify the files in question (hosts.deny), so maybe I will be happy with what I have done and leave it at that. At least I am getting the alerts. If you have any input, feel free. Thanks to all.
My config:
<group name="local,syslog,proftpd,invalid_login,connection_attempt,authentication_success,authentication_failed">

  <!-- Modify it at your will.
    -  Note that rule id 5711 is defined at the ssh_rules file
    -  as a ssh failed login. This is just an example
    -  since ip 1.1.1.1 shouldn't be used anywhere.
    -  Level 0 means ignore.
    -->

  <rule id="100001" level="0">
    <if_sid>5711</if_sid>
    <srcip>1.1.1.1</srcip>
    <description>Example of rule that will ignore sshd </description>
    <description>failed logins from IP 1.1.1.1.</description>
  </rule>

  <!-- proftpd no such user - invalid_login group !the timeout helped with anonymous user IE issue -->
  <rule id="100002" level="9" frequency="4" timeframe="100">
    <if_matched_sid>11203</if_matched_sid>
    <options>alert_by_email</options>
    <same_source_ip />
    <description>Attempt to login using a non-existent user.</description>
  </rule>

  <!-- PAM - authentication_failures group -->
  <!-- This rule was cut off in the original post; the description below is a
       placeholder and the closing tag was added so that the file parses. -->
  <rule id="100003" level="10" frequency="8" timeframe="200">
    <if_sid>5551</if_sid>
    <if_matched_sid>5503</if_matched_sid>
    <options>alert_by_email</options>
    <description>PAM authentication failures (placeholder description).</description>
  </rule>

  <!-- proftpd connection_attempt group (works) -->
  <rule id="100005" level="3">
    <if_sid>11201</if_sid>
    <match>FTP session opened.$</match>
    <options>alert_by_email</options>
    <description>FTP session opened.</description>
  </rule>

  <!-- proftpd authentication_success group (could never get to work)
  <rule id="100006" level="3">
    <if_sid>11205</if_sid>
    <match>Login successful</match>
    <options>alert_by_email</options>
    <description>FTP Authentication success.</description>
  </rule>
  -->

  <!-- VPN Login Alert netscreen -->
  <rule id="100007" level="3">
    <if_sid>4504</if_sid>
    <match>Completed negotiations with SPI</match>
    <options>alert_by_email</options>
    <description>Netscreen informational message.</description>
  </rule>

  <!-- SSH Failures sshd authentication_failed group -->
  <rule id="100009" level="9" frequency="3" timeframe="30">
    <if_matched_sid>5716</if_matched_sid>
    <options>alert_by_email</options>
    <same_source_ip />
    <description>SSHD authentication failed.</description>
  </rule>

  <!-- SSH Illegal User sshd invalid_login,authentication_failed group -->
  <rule id="100010" level="9">
    <if_sid>5710</if_sid>
    <match>illegal user|invalid user</match>
    <options>alert_by_email</options>
    <description>Attempt to login using a non-existent user</description>
  </rule>

  <!-- SYSLOG repeated login attempts - authentication_failed group (works for SSH logins) -->
  <rule id="100011" level="10">
    <if_sid>2502</if_sid>
    <match>more authentication failures;|REPEATED login failures</match>
    <options>alert_by_email</options>
    <description>User missed the password more than one time</description>
  </rule>

  <!-- ================================================================
       this is alerting but active-response not locking out.
       ================================================================ -->
  <!-- Horde Invalid Login syslog - authentication_failed group (Works however no lockout) -->
  <rule id="100012" level="10" frequency="3" timeframe="100">
    <if_matched_sid>2501</if_matched_sid>
    <match>FAILED LOGIN |authentication failure|</match>
    <match>Authentication failed for|invalid password for|</match>
    <match>LOGIN FAILURE|auth failure: |authentication error|</match>
    <match>authinternal failed|Failed to authorize|</match>
    <match>Wrong password given for|login failed|Auth: Login incorrect</match>
    <options>alert_by_email</options>
    <description>User authentication failure.</description>
  </rule>

  <!-- ================================================================
       SME Horde Email
       ================================================================ -->
  <!-- Horde Auth Passed syslog,accesscontrol group, working on it (not working) -->
  <rule id="100013" level="3">
    <if_sid>2506</if_sid>
    <match>^Authentication passed</match>
    <match>to {localhost:993</match>
    <options>alert_by_email</options>
    <description>Pop3 Authentication passed.</description>
  </rule>

  <!-- Horde authentication_success group, does not work, working on it (not working) -->
  <rule id="100014" level="3">
    <if_sid>9305</if_sid>
    <match>Login success for</match>
    <options>alert_by_email</options>
    <description>authentication_success,</description>
  </rule>

  <!-- imapd authentication_success group -->
  <rule id="100015" level="3">
    <if_sid>3602</if_sid>
    <match>Authenticated user=</match>
    <options>alert_by_email</options>
    <description>Imapd user login.</description>
  </rule>

</group> <!-- SYSLOG,LOCAL -->

<!-- EOF -->
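As an added example (not code from the thread or from OSSEC), a small Python lint for a local_rules.xml fragment that catches the kinds of defects visible in the config above: notes such as "(works)" left outside XML comments, a rule with no <description>, a frequency= rule without an if_matched_* element, and several <match> elements that OSSEC joins into one pattern. The OSSEC rule-file conventions it checks against are stated as assumptions in the docstring, and the sample fragment is constructed.

```python
"""Lint an OSSEC local_rules.xml fragment before loading it on the manager.
Added example (not the thread's or OSSEC's own code). Assumed conventions:
each <rule> needs a <description>; frequency= rules are composite and need
an if_matched_* element; several <match> elements concatenate into one pattern."""
import xml.etree.ElementTree as ET

COMPOSITE = ("if_matched_sid", "if_matched_group", "if_matched_regex")


def lint_rules(xml_text):
    """Return a list of (where, message) findings for an OSSEC rules file."""
    # A rules file may hold several <group> roots, so wrap them in one root.
    try:
        root = ET.fromstring("<lint>" + xml_text + "</lint>")
    except ET.ParseError as exc:
        return [("file", "not well-formed XML: %s" % exc)]
    findings, seen_ids = [], set()
    for elem in root.iter():
        if elem.tag == "group" and elem.text and elem.text.strip():
            # Notes such as "(works)" outside an XML comment are stray text.
            findings.append(("group", "stray text inside group: %r" % elem.text.strip()))
        if elem.tag != "rule":
            continue
        rid = elem.get("id", "?")
        if rid in seen_ids:
            findings.append((rid, "duplicate rule id"))
        seen_ids.add(rid)
        if elem.find("description") is None:
            findings.append((rid, "missing <description>"))
        if elem.get("frequency") and all(elem.find(t) is None for t in COMPOSITE):
            findings.append((rid, "frequency set but no if_matched_* element"))
        # Several <match> elements become one pattern; pieces joined without
        # a '|' alternation yield a pattern that is unlikely to ever match.
        matches = [m.text or "" for m in elem.findall("match")]
        for left, right in zip(matches, matches[1:]):
            if not (left.endswith("|") or right.startswith("|")):
                findings.append((rid, "<match> pieces joined without '|': %r" % "".join(matches)))
                break
        if elem.tail and elem.tail.strip():
            findings.append((rid, "stray text after rule: %r" % elem.tail.strip()))
    return findings


# Constructed sample, modelled on the rules posted in this thread.
SAMPLE = """
<group name="local,syslog,authentication_failed">
  <!-- proftpd no such user --> (works)
  <rule id="100002" level="9" frequency="4" timeframe="100">
    <if_matched_sid>11203</if_matched_sid>
    <same_source_ip />
    <description>Attempt to login using a non-existent user.</description>
  </rule>
  <rule id="100003" level="10" frequency="8" timeframe="200">
    <if_sid>5551</if_sid>
  </rule>
  <rule id="100013" level="3">
    <if_sid>2506</if_sid>
    <match>^Authentication passed</match>
    <match>to {localhost:993</match>
    <description>Pop3 Authentication passed.</description>
  </rule>
</group>
"""

if __name__ == "__main__":
    print(*lint_rules(SAMPLE), sep="\n")
```

On the sample this reports the stray "(works)", the two problems in rule 100003 and the concatenated pattern of rule 100013, while rule 100002 passes clean.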

Offline CharlieBrady

Re: OSSEC / SME Question
« Reply #11 on: June 02, 2010, 06:24:38 PM »
As I have stated, active-response is some XML scripting that takes an offending IP address and places it in hosts.deny.

No, you didn't state that. There is no reference to XML scripting in anything you wrote.

What you are asking requires technical knowledge of OSSEC, and of SME server. You are essentially asking for OSSEC to be ported to the SME server target platform. Creating SME server support for OSSEC is not likely to be trivial. OSSEC's agent cannot directly modify hosts.deny, and access to many services is not controlled via hosts.deny anyway.

You will need to either:

- give up this project
- do a lot of reading and lots of experimenting

or

- pay someone with suitable experience and skills to do what you want done.
« Last Edit: June 02, 2010, 07:46:38 PM by CharlieBrady »

Offline cactus

Re: OSSEC / SME Question
« Reply #12 on: June 02, 2010, 07:07:06 PM »
No, you didn't state that. There is no reference to XML scripting in anything you wrote.
I get the same impression as Charlie.

cyberwatcher, please be upfront if you expect us to help you. Share all information, not only the fragments you think might be relevant. I and others hate it when we try to wrap our heads around a case and, when we do and come up with a solution, a new restriction or problem is added to the mix.
This process frustrates people and might eventually keep them from helping you, which is not in your interest.

Offline cyberwatcher

Re: OSSEC / SME Question
« Reply #13 on: June 03, 2010, 02:35:58 AM »
Okay, I will figure it out, but thanks for your help. This is too much to explain at the moment as I am still learning the software. Once I have a better understanding of the software I may have an answer. As for now, no reason to waste any more of your time.

Regards