Home
  •  

Logon ssh com Falha (SUSE Linux Enterprise Server 9)

Microsoft.ACS.Linux.SLES.9.Ssh.Failed (Rule)

Regra para coletar eventos relacionados a logons ssh com falha

Knowledge Base article:

Resumo

Foi detectado um comando ssh malsucedido nos arquivos de log do sistema.

Causas

Não foi concedido ao usuário acesso ao sistema remotamente. Este monitor permite que os administradores de sistemas controlem o uso de 'ssh'.

Resoluções

A descrição do alerta e/ou do item de dados de saída contém informações sobre o evento encontrado. Se a atividade parecer suspeita, verifique os detalhes do evento relacionado e todos os outros eventos que ocorreram por volta do horário desse evento.

Element properties:

TargetMicrosoft.ACS.Linux.SLES.9.ACSEndPoint
CategoryEventCollection
EnabledTrue
Alert GenerateFalse
RemotableTrue

Member Modules:

ID Module Type TypeId RunAs 
EventDS DataSource Microsoft.Unix.SCXLog.Privileged.Datasource Default
WA WriteAction Microsoft.ACS.Unix.SecureEventLogWriter Default

Source Code:

<Rule ID="Microsoft.ACS.Linux.SLES.9.Ssh.Failed" Enabled="true" Target="Microsoft.ACS.Linux.SLES.9.ACSEndPoint" Remotable="true">

  <Category>EventCollection</Category>

  <DataSources>

    <DataSource ID="EventDS" TypeID="Unix!Microsoft.Unix.SCXLog.Privileged.Datasource">

      <Host>$Target/Host/Property[Type="Unix!Microsoft.Unix.Computer"]/NetworkName$</Host>

      <LogFile>/var/log/messages</LogFile>

      <!-- [TYPE] SUSE SSH False -->

      <!-- [INPUT] Nov 30 12:37:25 sles9v4-cjc sshd[11468]: error: PAM: Authentication failure for ccrammo from localhost -->

      <!-- [INPUT] Nov 30 12:37:40 sles9v4-cjc sshd[11474]: error: PAM: Authentication failure for root from localhost -->

      <!-- [INPUT] Nov 30 12:39:42 sles9v4-cjc sshd[11600]: error: PAM: Authentication failure for illegal user newguy from localhost -->

      <!-- [INPUT] Nov 30 12:40:05 sles9v4-cjc sshd[11621]: error: PAM: Authentication failure for illegal user root from localhost -->

      <!-- [EXPECTED] date="Nov 30 12:37:25"; hostname="sles9v4-cjc"; process="sshd"; processId="11468"; user="ccrammo"; clientHost="localhost" -->

      <!-- [EXPECTED] date="Nov 30 12:37:40"; hostname="sles9v4-cjc"; process="sshd"; processId="11474"; user="root"; clientHost="localhost" -->

      <!-- [EXPECTED] date="Nov 30 12:39:42"; hostname="sles9v4-cjc"; process="sshd"; processId="11600"; user="newguy"; clientHost="localhost" -->

      <!-- [EXPECTED] date="Nov 30 12:40:05"; hostname="sles9v4-cjc"; process="sshd"; processId="11621"; user="root"; clientHost="localhost" -->

      <RegExpFilter>sshd\s*\[[[:digit:]]+\]\s*:\s*error:\s*PAM:\s*Authentication\s+failure.*\s+\S+\s+from\s+\S+</RegExpFilter>

    </DataSource>

  </DataSources>

  <WriteActions>

    <WriteAction ID="WA" TypeID="ACS.Unix!Microsoft.ACS.Unix.SecureEventLogWriter">

      <RegExp>(?'date'\S+\s+\d+\s+\d+:\d+:\d+)\s+(?:\S+:)?(?'hostname'\S+)\s+(?'process'sshd)\s*\[(?'processId'\d+)\]\s*:\s*error:\s*PAM:\s*Authentication\s+failure.*\s+(?'user'\S+)\s+from\s+(?'clientHost'\S+)</RegExp>

      <EventType>0</EventType>

      <EventId>27003</EventId>

    </WriteAction>

  </WriteActions>

</Rule>