ossec / ossec-hids

OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
http://www.ossec.net

Ossec ip ban issue simultaneous connections #1028

Open Pietia10 opened 7 years ago

Pietia10 commented 7 years ago

When you set 10 simultaneous connections in FileZilla, in both the global settings and in the Site Manager, and you try to copy a lot of files over the SFTP protocol, you get banned by Rule 5551 (level 10) -> 'Multiple failed logins in a small period of time.' This issue is in trunk and in the stable version.

ddpbsd commented 7 years ago

@Pietia10 What should the default be?

Pietia10 commented 7 years ago

The default should not ban the client, as it was using a good password, so it shouldn't ban the IP in that case.

ddpbsd commented 7 years ago

Can you provide log samples that triggered this? It should only be triggered by auth failures, not successes.

Pietia10 commented 7 years ago

Log looks like this:

```
** Alert 1485183336.53876: mail - pam,syslog,authentication_failures,
2017 Jan 23 15:55:36 host1->/var/log/secure
Rule: 5551 (level 10) -> 'Multiple failed logins in a small period of time.'
Src IP: 10.76.17.255
User: koko
Jan 23 15:55:34 host1 sshd[29500]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.76.17.255 user=koko
Jan 23 15:55:34 host1 sshd[29495]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.76.17.255 user=koko
Jan 23 15:55:34 host1 sshd[29497]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.76.17.255 user=koko
Jan 23 15:55:34 host1 sshd[29501]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.76.17.255 user=koko
Jan 23 15:55:34 host1 sshd[29493]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.76.17.255 user=koko
Jan 23 15:55:34 host1 sshd[29498]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.76.17.255 user=koko
Jan 23 15:55:28 host1 sshd[29476]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.76.17.255 user=koko
Jan 23 15:55:18 host1 sshd[29457]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.76.17.255 user=koko
```
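The following is an added example, not code from this issue thread or from OSSEC itself. It parses pam_unix `authentication failure` lines like the ones in the alert above, replays them through a same-source-IP frequency correlation of the kind rule 5551 performs, and records how many of the failures share a single timestamp (distinct sshd PIDs in the same second are what parallel SFTP sessions from one client look like in the log). The threshold of 8 failures within 180 seconds is an assumption chosen to match the eight lines in the alert, not a value read from the project's rule file; the sample log is constructed from the alert text.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Constructed sample: the eight pam_unix lines from the alert, oldest first.
SAMPLE_LOG = """\
Jan 23 15:55:18 host1 sshd[29457]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.76.17.255 user=koko
Jan 23 15:55:28 host1 sshd[29476]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.76.17.255 user=koko
Jan 23 15:55:34 host1 sshd[29498]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.76.17.255 user=koko
Jan 23 15:55:34 host1 sshd[29493]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.76.17.255 user=koko
Jan 23 15:55:34 host1 sshd[29501]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.76.17.255 user=koko
Jan 23 15:55:34 host1 sshd[29497]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.76.17.255 user=koko
Jan 23 15:55:34 host1 sshd[29495]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.76.17.255 user=koko
Jan 23 15:55:34 host1 sshd[29500]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.76.17.255 user=koko
"""

# Matches the syslog prefix, the sshd PID and the pam_unix failure fields.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"pam_unix\(sshd:auth\): authentication failure;.*rhost=(?P<rhost>\S+)"
    r"(?: user=(?P<user>\S+))?"
)

# Assumed correlation parameters (not taken from the project's rule file).
THRESHOLD = 8      # failures from one source IP ...
WINDOW_SECONDS = 180  # ... inside this many seconds


def parse_line(line, year=2017):
    """Return a dict for a pam_unix sshd auth failure, or None for any other line.
    Syslog lines carry no year, so the caller supplies one (2017 from the alert)."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "pid": int(m["pid"]),
            "rhost": m["rhost"], "user": m["user"]}


def correlate(lines, threshold=THRESHOLD, window=WINDOW_SECONDS, year=2017):
    """Simulate a same-source-IP frequency rule over a sliding window.

    Every time `threshold` failures from one rhost fall inside `window` seconds,
    emit an alert carrying the contributing PIDs and the peak number of failures
    that share one timestamp, then reset that source's window."""
    events = [e for e in (parse_line(l, year) for l in lines) if e is not None]
    events.sort(key=lambda e: e["ts"])  # stable: same-second order is preserved
    per_source = defaultdict(deque)
    alerts = []
    for ev in events:
        q = per_source[ev["rhost"]]
        q.append(ev)
        # Drop failures that have aged out of the window.
        while q and (ev["ts"] - q[0]["ts"]).total_seconds() > window:
            q.popleft()
        if len(q) >= threshold:
            per_second = Counter(e["ts"] for e in q)
            alerts.append({
                "rhost": ev["rhost"],
                "fired_at": ev["ts"],
                "pids": [e["pid"] for e in q],
                "users": sorted({e["user"] for e in q}),
                "peak_per_second": max(per_second.values()),
            })
            q.clear()
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_LOG.splitlines()):
        print(f"{a['rhost']}: {len(a['pids'])} failures, "
              f"{a['peak_per_second']} of them in one second, users={a['users']}")
```

On the constructed sample this fires once for 10.76.17.255 with all eight PIDs, and six of the failures share the 15:55:34 timestamp. The `peak_per_second` field is the triage signal: a burst of distinct sshd PIDs in the same second from one address is consistent with the parallel-connection behaviour the reporter describes, whereas the frequency count alone cannot tell that apart from sequential failed attempts.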

Pietia10 commented 7 years ago

I know you see an authentication failure here, but I tested it myself with FileZilla; it is not correct with 10 simultaneous connections.

ddpbsd commented 7 years ago

Well, if the logs say there is an auth failure, I'm not sure what we can change to accommodate this failure in pam(?). Modifying the rules to prevent this specific use case could affect actual authentication failures that people want to prevent. Is it possible some of the logins are blocked by pam/sshd? Maybe some kind of rate limiting thing?