
I have a rule that is set up like so:

In /etc/sec/rules.d I have:

type=SingleWithSuppress
ptype=regexp
pattern=(\S+) sshd\[\d+\]: PAM \d+ more authentication failures\; logname=.* uid=.* euid=.* tty=ssh ruser=.* rhost=(.*) user=(.*)
desc=Login Failure: $0
action=pipe '%s ' /bin/mail -s "login failure $2 to $3@$1" team@team.com
window=300

So if this came through syslog:

Nov 21 11:24:10 servername.server.com sshd[26846]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost= user=kloggins

It should match this (which it does, according to my regex editor) according to the pattern:

servername.server.com sshd[26846]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost= user=kloggins

We were having an issue with spam because the timestamp was changing. So I rewrote the pattern to match everything after the hostname.

However, this doesn't seem to be working, and every time a user's authentication fails, I still get an e-mail.

I've been using the following to test:

logger -p syslog.err 'sshd[26846]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost= user='

Any ideas? I might just be misunderstanding sec. This is the first time I'm working with it! Any help would be greatly appreciated. Thanks!

Ethabelle

1 Answer


Well, after almost a day of hair pulling, I finally understand a) how to do it and b) a misconception I have about sec.

In reading the sec man page, it describes desc= as essentially showing the match. So in my mind, that meant it should show whatever was matched in pattern. Well, yes, that is true; in this case the matches in that pattern are the hostname, rhost, and user.

So when I'm doing desc=Login Failure: $0, I'm keying off the entire line. That's bad.

So instead I changed it to key off the username and hostname, which then causes it to adhere to the window=300 rule since the timestamp (entire line) wasn't changing; i.e., the following rundown:

/etc/sec/rules.d/ssh.sec

type=SingleWithSuppress
ptype=regexp
pattern=(\S+) sshd\[\d+\]: PAM \d+ more authentication failures\; logname=.* uid=.* euid=.* tty=ssh ruser=.* rhost=(.*) user=(.*)
desc=Login Failure: $3@$1
action=pipe '%s $0' /bin/mail -s "Login Failure: $3@$1" email@email.com
window=300

Error Line

Nov 21 01:58:10 test.test.com sshd[26846]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=test.test.com user=kloggins

It will notice the user kloggins@test.test.com and will not report on it unless it happens again after 300 seconds, because it keyed off kloggins@test.test.com.

I've tested it several times now; it's working.

Ethabelle
Nice work on that. – Magellan Nov 22 '14 at 06:26
Hear, hear. +1 from me both for an excellent, well-written, well-researched and scoped question, and for coming back and posting a detailed answer after you'd had the needed epiphany! Thank you. – MadHatter Nov 22 '14 at 07:55