Linode Forum
https://forum.linode.com/

OSSEC Level 2 Alert Messages Every 15-20 Minutes
https://forum.linode.com/viewtopic.php?f=19&t=9187
Page 1 of 1

Author:  forumstalker [ Wed Jul 25, 2012 7:55 am ]
Post subject:  OSSEC Level 2 Alert Messages Every 15-20 Minutes

Hello,

I installed OSSEC and that went fine with no issues. However, I seem to be getting the same type of email messages every 20 minutes or so. I didn't realize my iptables were being tested this often. Is this normal? They are from various IPs around the world (some US, a lot of Asia like China, Taiwan, Japan, etc.), including an occasional mail server from Google.com, which is interesting. And if Port# is represented by "SPT", that changes as well. Or are these some sort of legitimate traffic I'm blocking? And how can I diminish these types of reports? I'd like to get notified of important intrusions of course, but I'm going to become tone deaf after 500+ emails every day. Would be nice if OSSEC knew what it was.

Thank you.

[NOTE my IP redacted, I tried to provide a good enough sample below]

Received From: myhost->/var/log/syslog
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

Jul 25 11:34:03 myhost kernel: iptables denied: IN=eth0 OUT= MAC=fe:fd:ad:ff:ed:12:88:43:e1:a4:04:ff:08:00 SRC=199.191.58.178 DST=XXX.XXX.XXX.XX LEN=44 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=TCP SPT=9966 DPT=9535 WINDOW=5840 RES=0x00 ACK SYN URGP=0

------------------------------------------------------------------------------------------------------------
Received From: myhost->/var/log/syslog
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

Jul 25 11:25:13 myhost kernel: iptables denied: IN=eth0 OUT= MAC=fe:fd:ad:ff:ed:12:88:43:e1:a4:04:ff:08:00 SRC=222.73.49.159 DST=XXX.XXX.XXX.XX LEN=40 TOS=0x00 PREC=0x00 TTL=104 ID=256 PROTO=TCP SPT=6000 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0
------------------------------------------------------------------------------------------------------------
Received From: myhost->/var/log/syslog
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

Jul 25 11:34:03 myhost kernel: iptables denied: IN=eth0 OUT= MAC=fe:fd:ad:ff:ed:12:88:43:e1:a4:04:ff:08:00 SRC=199.191.58.178 DST=XXX.XXX.XXX.XX LEN=44 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=TCP SPT=9966 DPT=9535 WINDOW=5840 RES=0x00 ACK SYN URGP=0

------------------------------------------------------------------------------------------------------------
Received From: myhost->/var/log/syslog
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

Jul 25 11:25:13 myhost kernel: iptables denied: IN=eth0 OUT= MAC=fe:fd:ad:ff:ed:12:88:43:e1:a4:04:ff:08:00 SRC=222.73.49.159 DST=XXX.XXX.XXX.XX LEN=40 TOS=0x00 PREC=0x00 TTL=104 ID=256 PROTO=TCP SPT=6000 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0

------------------------------------------------------------------------------------------------------------
Received From: myhost->/var/log/syslog
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

Jul 24 14:41:16 myhost kernel: iptables denied: IN=eth0 OUT= MAC=fe:fd:ad:ff:ed:12:88:43:e1:a4:04:ff:08:00 SRC=60.190.222.204 DST=XXX.XXX.XXX.XX LEN=40 TOS=0x00 PREC=0x00 TTL=107 ID=256 PROTO=TCP SPT=8162 DPT=3389 WINDOW=16384 RES=0x00 SYN URGP=0

------------------------------------------------------------------------------------------------------------
Received From: myhost->/var/log/syslog
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

Jul 24 14:44:18 myhost kernel: iptables denied: IN=eth0 OUT= MAC=fe:fd:ad:ff:ed:12:88:43:e1:a4:04:ff:08:00 SRC=50.115.169.162 DST=XXX.XXX.XXX.XX LEN=48 TOS=0x00 PREC=0x00 TTL=116 ID=7189 PROTO=TCP SPT=36893 DPT=2222 WINDOW=65535 RES=0x00 SYN URGP=0
------------------------------------------------------------------------------------------------------------
Received From: myhost->/var/log/syslog
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

Jul 25 02:07:33 myhost kernel: iptables denied: IN=eth0 OUT= MAC=fe:fd:ad:ff:ed:12:88:43:e1:a4:04:ff:08:00 SRC=1.34.22.39 DST=XXX.XXX.XXX.XX LEN=40 TOS=0x00 PREC=0x00 TTL=107 ID=11033 PROTO=TCP SPT=6000 DPT=25 WINDOW=16384 RES=0x00 SYN URGP=0

------------------------------------------------------------------------------------------------------------
Received From: myhost->/var/log/syslog
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

Jul 25 02:08:32 myhost kernel: iptables denied: IN=eth0 OUT= MAC=fe:fd:ad:ff:ed:12:88:43:e1:a4:04:ff:08:00 SRC=27.156.182.194 DST=XXX.XXX.XXX.XX LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=51427 DF PROTO=TCP SPT=39408 DPT=32807 WINDOW=5440 RES=0x00 SYN URGP=0
------------------------------------------------------------------------------------------------------------

Author:  Nuvini [ Wed Jul 25, 2012 10:58 am ]
Post subject:  Re: OSSEC Level 2 Alert Messages Every 15-20 Minutes

I've never used OSSEC, but the warnings it gives are simply from iptables blocking access to certain ports. And yes, it's very common. I get them all day from all kinds of sources. Nothing special :)

Author:  Vance [ Thu Jul 26, 2012 5:08 am ]
Post subject:  Re: OSSEC Level 2 Alert Messages Every 15-20 Minutes

DPT, the destination port, is more interesting as it gives an indication of what they are trying to connect to.

Author:  NeonNero [ Thu Jul 26, 2012 5:31 am ]
Post subject:  Re: OSSEC Level 2 Alert Messages Every 15-20 Minutes

I'd say they're all scanning your server, attempting to break in. Of the services I can see in your sample extract, I can see they are trying to connect to LANDesk (remote management suite, DPT=9535), Microsoft SQL Server (DPT=1433), Windows Remote Desktop (RDP, aka. Terminal Services, DPT=3389), any possible SMTP server (DPT=25, most likely scanning for open relays), DirectAdmin/ESET Remote Admin (DPT=2222), and some unknown service running on TCP port 32807.

I've never used OSSEC myself, but I would assume there's a configuration option to suppress warnings about connections that have been blocked, or perhaps consolidate these warnings into a daily digest e-mail.
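To triage a day's worth of these alerts the way the replies above suggest (look at DPT, not SPT), here is an added example, not code from the thread or from OSSEC: a parser for the kernel LOG line format in the alerts plus a per-destination-port summary. The service labels are the ones NeonNero lists; the sample lines are constructed from the alerts in the first post.

```python
import re
from collections import defaultdict

# Destination ports the replies above identify; anything else is labelled "unknown".
DPT_SERVICES = {25: "SMTP", 1433: "Microsoft SQL Server", 2222: "DirectAdmin/ESET Remote Admin",
                3389: "Windows Remote Desktop (RDP)", 9535: "LANDesk remote management"}

# Sample input constructed from four of the alerts posted above (DST redacted as in the post).
SAMPLE_LOG = """\
Jul 25 11:34:03 myhost kernel: iptables denied: IN=eth0 OUT= MAC=fe:fd:ad:ff:ed:12:88:43:e1:a4:04:ff:08:00 SRC=199.191.58.178 DST=XXX.XXX.XXX.XX LEN=44 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=TCP SPT=9966 DPT=9535 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Jul 25 11:25:13 myhost kernel: iptables denied: IN=eth0 OUT= MAC=fe:fd:ad:ff:ed:12:88:43:e1:a4:04:ff:08:00 SRC=222.73.49.159 DST=XXX.XXX.XXX.XX LEN=40 TOS=0x00 PREC=0x00 TTL=104 ID=256 PROTO=TCP SPT=6000 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0
Jul 25 02:07:33 myhost kernel: iptables denied: IN=eth0 OUT= MAC=fe:fd:ad:ff:ed:12:88:43:e1:a4:04:ff:08:00 SRC=1.34.22.39 DST=XXX.XXX.XXX.XX LEN=40 TOS=0x00 PREC=0x00 TTL=107 ID=11033 PROTO=TCP SPT=6000 DPT=25 WINDOW=16384 RES=0x00 SYN URGP=0
Jul 25 02:08:32 myhost kernel: iptables denied: IN=eth0 OUT= MAC=fe:fd:ad:ff:ed:12:88:43:e1:a4:04:ff:08:00 SRC=27.156.182.194 DST=XXX.XXX.XXX.XX LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=51427 DF PROTO=TCP SPT=39408 DPT=32807 WINDOW=5440 RES=0x00 SYN URGP=0
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
                     r"(?P<prefix>[^:]+): (?P<fields>.*)$")

def parse_iptables_line(line):
    """Split a kernel LOG line into fields; bare tokens (DF, SYN, ACK) go under "flags", OUT= stays ""."""
    m = LINE_RE.match(line)
    if m is None:
        return None  # not an iptables LOG line (e.g. sshd, cron)
    rec = {"ts": m.group("ts"), "host": m.group("host"), "prefix": m.group("prefix"), "flags": []}
    for tok in m.group("fields").split():
        key, sep, val = tok.partition("=")
        if sep:  # key=value field; ports, length and TTL become ints
            rec[key] = int(val) if key in ("SPT", "DPT", "LEN", "TTL") else val
        else:    # bare TCP/IP flag such as DF, SYN, ACK
            rec["flags"].append(tok)
    return rec

def summarize_by_dport(log_text):
    """Group denied TCP packets by DPT: what was probed, how often, and from which sources."""
    per_port = defaultdict(lambda: {"count": 0, "sources": set()})
    for line in log_text.splitlines():
        rec = parse_iptables_line(line)
        if rec is None or rec.get("PROTO") != "TCP" or "DPT" not in rec:
            continue
        per_port[rec["DPT"]]["count"] += 1
        per_port[rec["DPT"]]["sources"].add(rec["SRC"])
    return {port: {"service": DPT_SERVICES.get(port, "unknown"), "count": e["count"],
                   "sources": sorted(e["sources"])} for port, e in per_port.items()}

if __name__ == "__main__":
    for port, info in sorted(summarize_by_dport(SAMPLE_LOG).items()):
        print(f"DPT={port:<6} {info['service']:<32} hits={info['count']} sources={info['sources']}")
```

Feed it the `Portion of the log(s)` lines from a day of alert mails (or /var/log/syslog directly) and the ports with many distinct sources are the scanners; a port you actually serve on showing up here points at a firewall rule worth a second look.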

Author:  forumstalker [ Thu Jul 26, 2012 8:04 am ]
Post subject:  Re: OSSEC Level 2 Alert Messages Every 15-20 Minutes

Hi All,

Thanks for your responses. Your advice helps a great deal.

Best regards
J

Author:  jgjh151 [ Tue Dec 24, 2013 10:58 am ]
Post subject:  Re: OSSEC Level 2 Alert Messages Every 15-20 Minutes

forumstalker wrote:
Hi All,

Thanks for your responses. Your advice helps a great deal.

Best regards
J


How did you resolve this?

Author:  forumstalker [ Thu May 22, 2014 11:59 pm ]
Post subject:  Re: OSSEC Level 2 Alert Messages Every 15-20 Minutes

You know I never noticed your question until now. My deepest apologies. I have to change my forum settings here. I'm not sure how I resolved it back then. The alerts eventually went away and I completely forgot about them. Then today they came back all of a sudden. I go to research the issue again only to come across my very own forum post here :P

I found out that these errors are just port scanners and iptables is just doing its thing. OSSEC is configured by default to send level 2 alerts (despite your email alert setting) on any "bad words", of which "denied" is one.

See references here:
https://groups.google.com/forum/#!msg/o ... xMc4bNXPUJ
viewtopic.php?t=4888
http://www.roastinghosting.com/blog/?p=18

Sorry again. Hope this helps anyone else who comes across this.

Author:  forumstalker [ Fri May 23, 2014 12:21 am ]
Post subject:  Re: OSSEC Level 2 Alert Messages Every 15-20 Minutes

The only thing that concerns me is how OSSEC reacts here. Found tons of these in my active-responses.log of OSSEC as below. Been happening for the past 3 hours or so.

Thu May 23:18:54 EDT 2014 /var/ossec/active-response/bin/firewall-drop.sh delete - XXX.XXX.XXX.XX 1400814985.57041 31533
Thu May 22 23:19:20 EDT 2014 /var/ossec/active-response/bin/host-deny.sh add - XXX.XXX.XXX.XX 1400815160.59437 31533


The obscured IP is my host domain IP. It seems OSSEC is blocking the server it lives on. Not sure what that means.
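The two tuning knobs the last posts point at, as an added example that is not from the thread or from the OSSEC project's own sample rules: a local_rules.xml child of rule 1002 that keeps the iptables drops out of the per-packet mails while still alerting on a burst of them, and the ossec.conf white_list that stops active response from ever blocking the server's own address. Rule ids 100001/100002, the 30-in-120-seconds threshold and the placeholder address are assumptions; the `iptables denied:` prefix is the one in the log lines above.

```xml
<!-- /var/ossec/rules/local_rules.xml -->
<group name="local,syslog,">
  <!-- Rule 1002 fires on generic "bad words" (denied, error, failed ...) and
       carries the alert_by_email option, which is why it mails regardless of
       email_alert_level. This child claims the iptables LOG lines instead:
       level 1 is still written to alerts.log but sits below the default
       email_alert_level of 7, so there is no mail per dropped packet. -->
  <rule id="100001" level="1">
    <if_sid>1002</if_sid>
    <match>iptables denied: </match>
    <description>Firewall dropped a packet (port-scan noise).</description>
  </rule>

  <!-- Keep a signal: 30 drops inside two minutes is a scan worth one mail
       rather than silence (threshold is an assumed starting point). -->
  <rule id="100002" level="8" frequency="30" timeframe="120">
    <if_matched_sid>100001</if_matched_sid>
    <description>Burst of firewall drops (port scan in progress).</description>
  </rule>
</group>

<!-- /var/ossec/etc/ossec.conf, inside the existing <global> block: addresses
     listed here are never handed to firewall-drop.sh / host-deny.sh by
     active response, so the server cannot lock itself out. -->
<global>
  <white_list>127.0.0.1</white_list>
  <white_list>YOUR.SERVER.IP</white_list>  <!-- placeholder: the host's own address -->
</global>
```

After editing, restart OSSEC and confirm the change with `/var/ossec/bin/ossec-logtest`, pasting one of the `iptables denied:` lines: it should now report rule 100001 at level 1 instead of rule 1002.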
