#76 15/09/2010, 11:32
- MaryPopy
Re: OSSEC > NEW Intrusion detection + Rootcheck [solution]
What's on line 94? Well, if you want to see the web interface, your web server has to be running, because if it isn't running you won't display anything. Your OSSEC rootcheck? Did you manage it from the command line (I'm interested)? What does it give you?
For the rootcheck output it gave this:
** Starting Rootcheck v0.9 by Daniel B. Cid **
** http://www.ossec.net/en/about.html#dev-team **
** http://www.ossec.net/rootcheck/ **
Be patient, it may take a few minutes to complete...
[INFO]: Starting rootcheck scan.
[OK]: No presence of public rootkits detected. Analyzed 268 files.
[FAILED]: Trojaned version of file '/bin/login' detected. Signature used: 'bash|elite|SucKIT|xlogin|vejeta|porcao|lets_log|sukasuk' (Generic).
[INFO]: System Audit: CIS - Testing against the CIS Debian Linux Benchmark v1.0. File: /etc/debian_version. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .
[INFO]: System Audit: CIS - Debian Linux 1.4 - Robust partition scheme - /tmp is not on its own partition. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .
[INFO]: System Audit: CIS - Debian Linux 1.4 - Robust partition scheme - /opt is not on its own partition. File: /opt. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .
[INFO]: System Audit: CIS - Debian Linux 1.4 - Robust partition scheme - /var is not on its own partition. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .
[INFO]: System Audit: CIS - Debian Linux 2.3 - SSH Configuration - Root login allowed. File: /etc/ssh/sshd_config. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .
[INFO]: System Audit: CIS - Debian Linux 2.4 - System Accounting - Sysstat not installed. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .
[INFO]: System Audit: CIS - Debian Linux 2.4 - System Accounting - Sysstat not enabled. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .
[INFO]: System Audit: CIS - Debian Linux 2.5 - System harderning - Bastille is not installed. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .
[INFO]: System Audit: CIS - Debian Linux 7.2 - Removable partition /media without 'nodev' set. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .
[INFO]: System Audit: CIS - Debian Linux 7.2 - Removable partition /media without 'nosuid' set. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .
[INFO]: System Audit: CIS - Debian Linux 7.3 - User-mounted removable partition /media. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .
[OK]: No problem detected on the /dev directory. Analyzed 576 files
[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/ossec_conf.php' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/js/calendar-en.js' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/js/calendar.js' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/js/calendar-setup.js' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/js/prototype.js' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/js/hide.js' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/tmp/.htaccess' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/LICENSE' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/setup.sh' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/README' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/img/donate.gif' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/img/calendar.gif' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/img/191x81.jpg' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/img/ossecLogo.png' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/img/background.png' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/img/ossec_webui.jpg' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/README.search' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/.htaccess' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/css/css.css' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/css/cal.css' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/css/images/arrow.gif' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/css/images/hr_tag_sep.gif' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/css/images/hr_title_sep.gif' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/css/images/favicon.ico' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/css/images/pagebg.gif' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/site/syscheck.php' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/site/search.php' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/site/main.php' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/site/.htaccess' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/site/footer.html' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/site/header.html' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/site/user_mapping.php' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/site/stats.php' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/site/searchfw.php' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/site/help.php' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/lib/os_lib_syscheck.php' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/lib/os_lib_stats.php' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/lib/os_lib_util.php' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/lib/os_lib_firewall.php' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/lib/os_lib_alerts.php' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/lib/.htaccess' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/lib/Ossec/Alert.php' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/lib/Ossec/AlertList.php' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/lib/Ossec/Histogram.php' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/lib/ossec_categories.php' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/lib/os_lib_agent.php' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/lib/ossec_formats.php' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/lib/os_lib_mapping.php' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/.htpasswd' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/index.php' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/CONTRIB' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/htaccess_def.txt' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/root/.local/share/Trash/files/remastersys-2.0.17/build_stamp' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/root/.local/share/Trash/files/remastersys-2.0.17/README' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/root/.local/share/Trash/files/remastersys-2.0.17/remastersys-gui' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/root/.local/share/Trash/files/remastersys-2.0.17/debian/postrm' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/root/.local/share/Trash/files/remastersys-2.0.17/debian/postinst' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/root/.local/share/Trash/files/remastersys-2.0.17/debian/remastersys.1' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/root/.local/share/Trash/files/remastersys-2.0.17/debian/prerm' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/root/.local/share/Trash/files/remastersys-2.0.17/debian/dirs' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/root/.local/share/Trash/files/remastersys-2.0.17/debian/changelog' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/root/.local/share/Trash/files/remastersys-2.0.17/debian/compat' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/root/.local/share/Trash/files/remastersys-2.0.17/debian/rules' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/root/.local/share/Trash/files/remastersys-2.0.17/debian/preinst' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/root/.local/share/Trash/files/remastersys-2.0.17/debian/copyright' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/root/.local/share/Trash/files/remastersys-2.0.17/debian/docs' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/root/.local/share/Trash/files/remastersys-2.0.17/debian/control' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/root/.local/share/Trash/files/remastersys-2.0.17/etcdata/remastersys.conf' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/root/.local/share/Trash/files/remastersys-2.0.17/etcdata/remastersys/remastersys.version' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/root/.local/share/Trash/files/remastersys-2.0.17/etcdata/remastersys/preseed/custom.seed' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/root/.local/share/Trash/files/remastersys-2.0.17/remastersys.1.gz' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/root/.local/share/Trash/files/remastersys-2.0.17/desktopdata/remastersys-gui.desktop' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/root/.local/share/Trash/files/remastersys-2.0.17/desktopdata/remastersys-gui-kde.desktop' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/root/.local/share/Trash/files/remastersys-2.0.17/desktopdata/remastersys.png' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/var/log/ntop/access.log' is:
- owned by root,
- has written permissions to anyone.
[ERR]: Check the following files for more information:
rootcheck-rw-rw-rw-.txt (list of world writable files)
rootcheck-rwxrwxrwx.txt (list of world writtable/executable files)
rootcheck-suid-files.txt (list of suid files)
[OK]: No hidden process by Kernel-level rootkits.
/bin/ps is not trojaned. Analyzed 32768 processes.
[OK]: No kernel-level rootkit hiding any port.
Netstat is acting correctly. Analyzed 131072 ports.
[OK]: The following ports are open:
22 (tcp),68 (udp),111 (tcp),111 (udp),
631 (tcp),736 (udp),3000 (tcp),5353 (udp),
34515 (udp),38976 (udp),56167 (tcp)
[OK]: No problem detected on ifconfig/ifs. Analyzed 2 interfaces.
- Scan completed in 18 seconds.
[INFO]: Ending rootcheck scan.
For the server, switched off, I know it doesn't display anything. My question is, does it have to be running all the time? But my question was stupid.
For line 94, there's probably some code that OSSEC can't reach. I'll get back to it tonight or next week.
Last edited by MaryPopy (15/09/2010, 11:36)
Photographer: http://www.vouillamozweb.ch
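The rootcheck output above mixes four kinds of finding (a signature hit on /bin/login, CIS audit notes, world-writable files, and hidden-port claims), and nearly every [FAILED] line concerns files sitting in root's Trash. The Python below is an added example, not code from this thread or from OSSEC: it parses output in this format into findings and separates world-writable files inside a Trash directory from those on live paths, so the one entry worth a look (/var/log/ntop/access.log) is not buried among deleted WUI files. The sample text is constructed from a few representative lines, and the Trash-path heuristic is an assumption of the example.

```python
import re

# Constructed sample in the format of the rootcheck output quoted above: a few
# representative lines, not a capture from the poster's machine.
SAMPLE_ROOTCHECK = """\
** Starting Rootcheck v0.9 by Daniel B. Cid **
Be patient, it may take a few minutes to complete...
[INFO]: Starting rootcheck scan.
[OK]: No presence of public rootkits detected. Analyzed 268 files.
[FAILED]: Trojaned version of file '/bin/login' detected. Signature used: 'bash|elite|SucKIT|xlogin' (Generic).
[INFO]: System Audit: CIS - Debian Linux 2.3 - SSH Configuration - Root login allowed. File: /etc/ssh/sshd_config. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .
[INFO]: System Audit: CIS - Debian Linux 2.4 - System Accounting - Sysstat not installed. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .
[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/setup.sh' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: File '/var/log/ntop/access.log' is:
- owned by root,
- has written permissions to anyone.
[FAILED]: Port '2'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.
[FAILED]: Port '3'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.
[FAILED]: Excessive number of 'tcp' ports hidden. It maybe a false-positive or something really bad is going on.
[OK]: No hidden process by Kernel-level rootkits.
[INFO]: Ending rootcheck scan.
"""

STATUS_RE = re.compile(r"^\[(OK|FAILED|INFO|ERR)\]:\s*(.*)$")
TROJAN_RE = re.compile(r"Trojaned version of file '([^']+)' detected\. Signature used: '([^']+)'")
WWFILE_RE = re.compile(r"^File '([^']+)' is:$")
PORT_RE = re.compile(r"^Port '(\d+)'\((tcp|udp)\) hidden")
EXCESS_RE = re.compile(r"^Excessive number of '(tcp|udp)' ports hidden")
CIS_RE = re.compile(r"^System Audit: CIS - (.*?)\. (?:File: (\S+)\. )?Reference:")


def classify(status, msg):
    """Map one rootcheck message to a (category, extracted fields) pair."""
    if status == "FAILED":
        if m := TROJAN_RE.search(msg):
            return "trojaned", {"path": m.group(1), "signature": m.group(2)}
        if m := WWFILE_RE.match(msg):
            return "world_writable", {"path": m.group(1)}
        if m := PORT_RE.match(msg):
            return "hidden_port", {"port": int(m.group(1)), "proto": m.group(2)}
        if m := EXCESS_RE.match(msg):
            return "excessive_hidden", {"proto": m.group(1)}
        return "other_failed", {}
    if status == "INFO" and (m := CIS_RE.match(msg)):
        return "cis_audit", {"check": m.group(1), "file": m.group(2)}
    return status.lower(), {}


def parse_rootcheck(text):
    """Turn the line-oriented output into a list of finding dicts."""
    findings = []
    for raw in text.splitlines():
        line = raw.rstrip()
        m = STATUS_RE.match(line)
        if m is None:
            # "- owned by root," style continuation lines belong to the previous entry
            if findings and line.startswith("- "):
                findings[-1]["details"].append(line[2:].rstrip(",."))
            continue
        status, msg = m.groups()
        category, data = classify(status, msg)
        findings.append({"status": status, "category": category, "details": [], **data})
    return findings


# Assumption of this example: anything under a freedesktop Trash directory is a
# deleted file, so its permissions matter far less than those of a live path.
TRASH_MARKER = "/.local/share/Trash/"


def summarize(findings):
    """Group the findings the way a triage pass would read them."""
    ww = [f["path"] for f in findings if f["category"] == "world_writable"]
    return {
        "trojaned": [f["path"] for f in findings if f["category"] == "trojaned"],
        "world_writable_in_trash": [p for p in ww if TRASH_MARKER in p],
        "world_writable_live": [p for p in ww if TRASH_MARKER not in p],
        "hidden_ports": [(f["port"], f["proto"]) for f in findings if f["category"] == "hidden_port"],
        "excessive_hidden": sorted(f["proto"] for f in findings if f["category"] == "excessive_hidden"),
        "cis_audit": [(f["check"], f["file"]) for f in findings if f["category"] == "cis_audit"],
    }


if __name__ == "__main__":
    for key, value in summarize(parse_rootcheck(SAMPLE_ROOTCHECK)).items():
        print(f"{key}: {value}")
```

Feed it `ossec-rootcheck` output from a file instead of the constructed sample and the `world_writable_live` list is the part to act on; the Trash entries disappear on their own once the Trash is emptied.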
#77 15/09/2010, 11:35
- el_profesor
What did you type to get that? At the start it tells you it didn't find any rootkit, but then it gives you an error. And lots more after that. It's odd indeed. But otherwise, for your xampp error, what's on line 94?
#78 15/09/2010, 11:37
- MaryPopy
To get that you have to follow my tutorial: http://forum.ubuntu-fr.org/viewtopic.ph … 3#p3725713
And the command is
ossec-rootcheck -c /var/rootcheck-2.4/rootcheck.conf
It takes 10 min to install. Not even.
Last edited by MaryPopy (15/09/2010, 11:44)
#79 15/09/2010, 11:40
- el_profesor
Yeah well, there I can't help you. To me it's odd, but anyway I do it through the web interface and it doesn't find anything special for me.
#80 15/09/2010, 11:42
- MaryPopy
That's what I find strange. On my machine the HIDS commands don't display anything. Whereas I should get the results, like with the web interface. Well, I'll look into the question later.
I get the alerts and everything, the upgrades... What I talk about on page 1... But not the reports as described in the manual.
I'm going to reinstall, adding my local IP in addition to 127.0.0.1.
Thanks, see you
Last edited by MaryPopy (15/09/2010, 11:52)
#81 15/09/2010, 11:57
- el_profesor
For me, when I run /var/ossec/bin/rootcheck_control -i 004 (004 being the id of one of my ossec agents), it works fine.
#82 15/09/2010, 14:09
- MaryPopy
I only have 000 as agent ID. Localhost, basically!
I'll do some tests tonight.
In the meantime I'm still interested if anyone has a solution to my error:
Warning: opendir(/var/ossec) [function.opendir]: failed to open dir: Permission non accordée in /opt/lampp/htdocs/ossec-wui/lib/os_lib_handle.php on line 94
Unable to access ossec directory.
I'm convinced it's a permissions issue, since that's what it says. Apache can't see ossec, is that it? It has no access. But I can't find the solution. I gave it, like my /var/ossec, a chown root:ossec. But that's not it.
Last edited by MaryPopy (15/09/2010, 14:17)
#83 15/09/2010, 15:46
- el_profesor
So you installed OSSEC as local?
In your error it says ".php on line 94". What's on that line?
#84 15/09/2010, 15:51
- MaryPopy
I'll post the line tonight. If you installed ossec-wui too, I suppose we have the same line.
Someone on this site has the same problem, but no solution was found.
http://groups.google.com/group/ossec-li … b90e04d146
Last edited by MaryPopy (15/09/2010, 16:02)
#85 15/09/2010, 16:04
- el_profesor
Yeah, I don't see anything special there. Here, I'll post what I have anyway.
// opendir() fails here unless the web server user can read and traverse $dir
if($dh = opendir($dir))
{
    closedir($dh);
    $ossec_handle{'dir'} = $dir;
    $ossec_handle{'agent_dir'} = $dir."/queue/agent-info";
    return($ossec_handle);
}
return(NULL);
#86 15/09/2010, 16:13
- MaryPopy
The problem comes from the fact that Apache is denied access to /var/ossec.
I asked the question here: http://forum.ubuntu-fr.org/viewtopic.ph … 0#p3729350
Last edited by MaryPopy (15/09/2010, 16:55)
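The opendir() failure on line 94 is the web server process being refused somewhere on the path to /var/ossec: a chown root:ossec on the directory only helps if the web server user is a member of the ossec group (which is what ossec-wui's setup.sh arranges when it asks for the web server user) and every directory above it carries the search bit for that user. The Python below is an added example, not code from this thread or from ossec-wui: it reproduces the kernel's owner/group/other permission choice along a directory chain for a given uid and set of gids, then builds a small /var/ossec-like tree in a temporary directory and evaluates it for a hypothetical web server uid, first without and then with group membership. The uid, gids and tree are constructed; the check ignores POSIX ACLs and every capability except the uid 0 bypass.

```python
import os
import stat
import tempfile


def _applicable_bits(st, uid, gids):
    """Pick the (search, read) bits of the class the kernel would use for uid/gids."""
    if st.st_uid == uid:
        return stat.S_IXUSR, stat.S_IRUSR
    if st.st_gid in gids:
        return stat.S_IXGRP, stat.S_IRGRP
    return stat.S_IXOTH, stat.S_IROTH


def can_opendir(path, uid, gids, start="/"):
    """Simulate opendir(path) for a process running as uid with supplementary gids.

    Every directory from `start` down to `path` needs the search (x) bit of the
    applicable class, and `path` itself also needs the read (r) bit. Returns
    (True, None) or (False, blocking_path). uid 0 is exempt (CAP_DAC_OVERRIDE).
    """
    if uid == 0:
        return True, None
    path = os.path.abspath(path)
    start = os.path.abspath(start)
    rel = os.path.relpath(path, start)
    chain = [start]
    if rel != ".":
        for part in rel.split(os.sep):
            chain.append(os.path.join(chain[-1], part))
    for p in chain:
        st = os.stat(p)
        x_bit, _ = _applicable_bits(st, uid, gids)
        if not st.st_mode & x_bit:
            return False, p            # cannot traverse this component
    st = os.stat(chain[-1])
    _, r_bit = _applicable_bits(st, uid, gids)
    if not st.st_mode & r_bit:
        return False, chain[-1]        # can reach it but cannot list it
    return True, None


def demo():
    """Constructed scenario: a root:ossec-style directory (mode 750) seen by a
    'web server' uid that is not the owner. Returns the result without group
    membership, then with it."""
    base = tempfile.mkdtemp()
    os.chmod(base, 0o755)              # stands in for /var
    ossec = os.path.join(base, "ossec")
    os.mkdir(ossec)
    os.chmod(ossec, 0o750)             # set explicitly: mkdir's mode is subject to umask
    web_uid = os.getuid() + 1          # hypothetical www-data, never the owner
    own_gid = os.getgid()              # plays the role of the ossec group
    before = can_opendir(ossec, web_uid, set(), start=base)
    after = can_opendir(ossec, web_uid, {own_gid}, start=base)
    return before, after


if __name__ == "__main__":
    print(demo())
```

Pointing `can_opendir` at the real /var/ossec with the uid and gids of the web server user (from `id www-data`, or whatever user the xampp Apache runs as) names the first directory that blocks it, which is the thing to fix rather than loosening permissions further down.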
#87 16/09/2010, 18:45
- hartman
Hi,
At first I found the idea of the rootchecker quite appealing. Being able to run it whenever you want is nice.
However, I had to modify the /var/rootcheck-2.4/rootcheck.conf file and replace the relative paths with absolute ones, otherwise rootcheck couldn't find the database files.
Only one concern with rootcheck: a few false positives (the bin/login, and the first 22 tcp ports as hidden // meh).
As for ossec, I was able to test it "a bit" with Nessus, but I would have liked to find a nastier tool.
So I configured my Nessus policy with pretty much everything there was, and launched the scan.
Nessus started with a port scan, then an ssh brute force, and then a few ftp connections.
Unfortunately, the other tests were useless: Ossec created 2 iptables rules (INPUT and OUTPUT) to drop everything coming from or going to the Nessus host.
To continue the tests, I whitelisted the Nessus machine and relaunched, with as a bonus an open port bound to a bash (with netcat).
I was quite disappointed, because it didn't change much: Nessus saw 5 "flaws" that are more or less unexploitable at the network level (I should point out that the machine was a VM and I didn't do anything in particular on it; proftpd was installed and used straight out of the box, no iptables rules, a stock sshd, etc.).
Here's the Ossec report (DEFAULT conf except for syscheck!):
2010 Sep 15 19:45:23 Rule Id: 5502 level: 3
Location: ubuntu-test->/var/log/auth.log
Login session closed.
Sep 15 19:45:22 ubuntu-test proftpd: pam_unix(proftpd:session): session closed for user ftp_user
2010 Sep 15 19:45:23 Rule Id: 5501 level: 3
Location: ubuntu-test->/var/log/auth.log
Login session opened.
Sep 15 19:45:22 ubuntu-test proftpd: pam_unix(proftpd:session): session opened for user ftp_user by (uid=0)
2010 Sep 15 19:45:23 Rule Id: 5502 level: 3
Location: ubuntu-test->/var/log/auth.log
Login session closed.
Sep 15 19:45:11 ubuntu-test proftpd: pam_unix(proftpd:session): session closed for user ftp_user
2010 Sep 15 19:45:07 Rule Id: 5502 level: 3
Location: ubuntu-test->/var/log/auth.log
Login session closed.
Sep 15 19:45:07 ubuntu-test proftpd: pam_unix(proftpd:session): session closed for user ftp_user
2010 Sep 15 19:45:07 Rule Id: 5501 level: 3
Location: ubuntu-test->/var/log/auth.log
Login session opened.
Sep 15 19:45:07 ubuntu-test proftpd: pam_unix(proftpd:session): session opened for user ftp_user by (uid=0)
2010 Sep 15 19:45:07 Rule Id: 5502 level: 3
Location: ubuntu-test->/var/log/auth.log
Login session closed.
Sep 15 19:45:06 ubuntu-test proftpd: pam_unix(proftpd:session): session closed for user ftp_user
2010 Sep 15 19:45:07 Rule Id: 5501 level: 3
Location: ubuntu-test->/var/log/auth.log
Login session opened.
Sep 15 19:45:06 ubuntu-test proftpd: pam_unix(proftpd:session): session opened for user ftp_user by (uid=0)
2010 Sep 15 19:45:03 Rule Id: 2503 level: 5
Location: ubuntu-test->/var/log/auth.log
Connection blocked by Tcp Wrappers.
Sep 15 19:45:02 ubuntu-test sshd[4514]: refused connect from Nessus-Host (Nessus-Host)
2010 Sep 15 19:45:03 Rule Id: 2503 level: 5
Location: ubuntu-test->/var/log/auth.log
Connection blocked by Tcp Wrappers.
Sep 15 19:45:02 ubuntu-test sshd[4513]: refused connect from Nessus-Host (Nessus-Host)
2010 Sep 15 19:44:41 Rule Id: 5710 level: 5
Location: ubuntu-test->/var/log/auth.log
Src IP: Nessus-Host
Attempt to login using a non-existent user
Sep 15 19:44:41 ubuntu-test sshd[4497]: Invalid user _wzgN52d from Nessus-Host
2010 Sep 15 19:44:41 Rule Id: 5718 level: 5
Location: ubuntu-test->/var/log/auth.log
Src IP: Nessus-Host
Attempt to login using a denied user.
Sep 15 19:44:41 ubuntu-test sshd[4494]: User root from Nessus-Host not allowed because not listed in AllowUsers
2010 Sep 15 19:44:41 Rule Id: 5706 level: 6
Location: ubuntu-test->/var/log/auth.log
Src IP: Nessus-Host
SSH insecure connection attempt (scan).
Sep 15 19:44:41 ubuntu-test sshd[4493]: Did not receive identification string from Nessus-Host
Nessus side:
Port general (0/icmp) [-/+]
Traceroute Information
Synopsis:
It was possible to obtain traceroute information.
Description:
Makes a traceroute to the remote host.
Risk factor:
None
Solution:
n/a
Plugin output:
For your information, here is the traceroute from 192.168.164.10 to 192.168.164.9 : 192.168.164.10 192.168.164.9
Plugin ID:
10287
ICMP Timestamp Request Remote Date Disclosure
Synopsis:
It is possible to determine the exact time set on the remote host.
Description:
The remote host answers to an ICMP timestamp request. This allows an attacker to know the date which is set on your machine. This may help him to defeat all your time based authentication protocols.
Risk factor:
None
Solution:
Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).
Plugin output:
The remote clock is synchronized with the local clock.
Plugin ID:
10114
Port vnc (5900/tcp) [-/+]
VNC Server Security Type Detection
Synopsis:
A VNC server is running on the remote host.
Description:
This script checks the remote VNC server protocol version and the available 'security types'.
Risk factor:
None
Solution:
n/a
Plugin output:
The remote VNC server supports the following security types : + 18 (TLS) + 2 (VNC authentication)
Plugin ID:
19288
Port http? (80/tcp) [-/+]
HTTP methods per directory
Synopsis:
This plugin determines which HTTP methods are allowed on various CGI directories.
Description:
By calling the OPTIONS method, it is possible to determine which HTTP methods are allowed on each directory. As this list may be incomplete, the plugin also tests - if 'Thorough tests' are enabled or 'Enable web applications tests' is set to 'yes' in the scan policy - various known HTTP methods on each directory and considers them as unsupported if it receives a response code of 400, 403, 405, or 501. Note that the plugin output is only informational and does not necessarily indicate the presence of any security vulnerabilities.
Risk factor:
None
Solution:
n/a
Plugin output:
Based on the response to an OPTIONS request : - HTTP methods GET HEAD OPTIONS POST are allowed on :
I'd like to go further, but I don't know how.
PS: the realtime option for syscheck is fine when you have a good processor (thanks, i7), but it takes a whole core to itself.
Prefer a classic scan, no need to get too paranoid ^^.
See you
P4 2.8GHz 32-bit / 1GB RAM / GeForce FX5700LE.
Ubuntu Dapper Drake and Gutsy Gibbon
Documentation on Ubuntu, for beginners and not-so-beginners :P
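The report above is a sequence of OSSEC alert records, and the reason the scanner host ended up in iptables can be read straight off them: one of the alerts for that source reached level 6. The Python below is an added example, not code from this thread or from OSSEC: it parses records in this format (header line, Location, optional Src IP, rule description, raw log line) and aggregates them per source address, flagging a source as soon as any of its alerts meets the level at which an active response would fire. The sample records are constructed in the same format with a documentation IP in place of "Nessus-Host"; the default threshold of 6 is an assumption matching the firewall-drop level in a stock ossec.conf, so pass whatever your own active-response stanza says.

```python
import re
from collections import defaultdict

# Constructed sample in the alert format quoted above (scanner address replaced by
# a documentation IP; these records are not a capture from the poster's host).
SAMPLE_ALERTS = """\
2010 Sep 15 19:44:41 Rule Id: 5706 level: 6
Location: ubuntu-test->/var/log/auth.log
Src IP: 192.0.2.10
SSH insecure connection attempt (scan).
Sep 15 19:44:41 ubuntu-test sshd[4493]: Did not receive identification string from 192.0.2.10
2010 Sep 15 19:44:41 Rule Id: 5718 level: 5
Location: ubuntu-test->/var/log/auth.log
Src IP: 192.0.2.10
Attempt to login using a denied user.
Sep 15 19:44:41 ubuntu-test sshd[4494]: User root from 192.0.2.10 not allowed because not listed in AllowUsers
2010 Sep 15 19:45:03 Rule Id: 2503 level: 5
Location: ubuntu-test->/var/log/auth.log
Connection blocked by Tcp Wrappers.
Sep 15 19:45:02 ubuntu-test sshd[4513]: refused connect from 192.0.2.10 (192.0.2.10)
2010 Sep 15 19:45:23 Rule Id: 5501 level: 3
Location: ubuntu-test->/var/log/auth.log
Login session opened.
Sep 15 19:45:22 ubuntu-test proftpd: pam_unix(proftpd:session): session opened for user ftp_user by (uid=0)
"""

HEADER_RE = re.compile(r"^(\d{4} \w{3} \d{1,2} \d\d:\d\d:\d\d) Rule Id: (\d+) level: (\d+)$")


def parse_alerts(text):
    """Split the alert stream into records. A header line opens a record; the
    Location and Src IP lines are recognised by prefix, the first remaining line
    is the rule description and everything after it is the raw log."""
    records = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            records.append({"time": m.group(1), "rule": int(m.group(2)), "level": int(m.group(3)),
                            "location": None, "src_ip": None, "description": None, "log": []})
            continue
        if not records:
            continue                      # text before the first header is ignored
        rec = records[-1]
        if line.startswith("Location: "):
            rec["location"] = line[len("Location: "):]
        elif line.startswith("Src IP: "):
            rec["src_ip"] = line[len("Src IP: "):]
        elif rec["description"] is None:
            rec["description"] = line
        else:
            rec["log"].append(line)
    return records


def per_source(records, response_level=6):
    """Aggregate by Src IP: alert count, highest level, rules seen, and whether any
    alert reached the level at which an active response (firewall-drop) would fire.
    response_level=6 is an assumption; read the real value from ossec.conf."""
    out = defaultdict(lambda: {"count": 0, "max_level": 0, "rules": set(), "would_block": False})
    for r in records:
        agg = out[r["src_ip"] or "(no src ip)"]
        agg["count"] += 1
        agg["max_level"] = max(agg["max_level"], r["level"])
        agg["rules"].add(r["rule"])
        if r["level"] >= response_level:
            agg["would_block"] = True
    return dict(out)


if __name__ == "__main__":
    for src, agg in per_source(parse_alerts(SAMPLE_ALERTS)).items():
        print(src, agg)
```

Run over a real alerts file, the `would_block` column tells you which sources your configuration will cut off and on which rule, before a scanner (or a colleague's workstation) finds out the hard way.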
#88 16/09/2010, 19:46
- MaryPopy
Thanks for the feedback on your experience.
Did you test realtime on "/" for it to take 1 core?
#89 16/09/2010, 20:02
- hartman
Nah, I'm not crazy either ^^
Just on a few files in my home, to see.
#90 16/09/2010, 20:22
- MaryPopy
I had tried .filezilla and .firefox in realtime; it took 60% of 1 core at startup, otherwise no more than 4% of my quad. When I open a new tab it climbs to 24%. But sometimes the 60% is enough to freeze Firefox. So I disabled it.
#91 16/09/2010, 20:53
- hartman
I'm not convinced it's a good idea to monitor a home directory, or else only the permissions on certain files.
#92 20/09/2010, 00:18
- MaryPopy
My scan result has changed since http://forum.ubuntu-fr.org/viewtopic.ph … 0#p3728790
[OK]: The following ports are open:
22 (tcp),68 (udp),111 (tcp),111 (udp),
631 (tcp),736 (udp),3000 (tcp),5353 (udp),
34515 (udp),38976 (udp),56167 (tcp)
The nmap command shows something else:
$ nmap ubuntu
Starting Nmap 5.00 ( http://nmap.org ) at 2010-09-20 00:07 CEST
Interesting ports on ubuntu (127.0.1.1):
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
Nmap done: 1 IP address (1 host up) scanned in 0.09 seconds
And my new rootcheck no longer shows the same thing at all as 5 days ago.
Here it says either a false positive, or something really bad is going on!
[FAILED]: Port '2'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.
[FAILED]: Port '3'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.
[FAILED]: Port '4'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.
[FAILED]: Port '5'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.
[FAILED]: Port '7'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.
[FAILED]: Port '8'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.
[FAILED]: Port '9'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.
[FAILED]: Port '10'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.
[FAILED]: Port '11'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.
[FAILED]: Port '12'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.
[FAILED]: Port '13'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.
[FAILED]: Port '14'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.
[FAILED]: Port '15'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.
[FAILED]: Port '16'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.
[FAILED]: Port '17'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.
[FAILED]: Port '18'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.
[FAILED]: Port '19'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.
[FAILED]: Port '20'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.
[FAILED]: Port '21'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.
[FAILED]: Port '23'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.
[FAILED]: Port '24'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.
[FAILED]: Excessive number of 'tcp' ports hidden. It maybe a false-positive or something really bad is going on.
[FAILED]: Excessive number of 'udp' ports hidden. It maybe a false-positive or something really bad is going on.
[OK]: The following ports are open:
XX (tcp)
[OK]: No problem detected on ifconfig/ifs. Analyzed 2 interfaces.
Last edited by MaryPopy (20/09/2010, 00:28)
#93 20/09/2010, 19:35
- hartman
And what do you conclude from it?
It's a false positive; that's the flip side of the coin with IDSs.
To check that everything is ok, do a netstat (I usually use the -taupn options), that way you'll see the listening ports.
nmap will only scan the listening ports on 1 IP address (or a subnet), but for your local machine it's not much use.
Here are my ports:
Proto Recv-Q Send-Q Adresse locale Adresse distante Etat PID/Program name
tcp 0 0 0.0.0.0:8333 0.0.0.0:* LISTEN 2749/vmware-hostd
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 921/portmap
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 2775/apache2
tcp 0 0 127.0.0.1:7634 0.0.0.0:* LISTEN 1690/hddtemp
tcp 0 0 127.0.0.1:8307 0.0.0.0:* LISTEN 2749/vmware-hostd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 1540/cupsd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 2051/exim4
tcp 0 0 0.0.0.0:8222 0.0.0.0:* LISTEN 2749/vmware-hostd
tcp 0 0 0.0.0.0:902 0.0.0.0:* LISTEN 2626/vmware-authdla
tcp6 0 0 :::8308 :::* LISTEN 2629/webAccess
tcp6 0 0 ::1:631 :::* LISTEN 1540/cupsd
tcp6 0 0 ::1:25 :::* LISTEN 2051/exim4
tcp6 0 0 127.0.0.1:8005 :::* LISTEN 2629/webAccess
tcp6 0 0 :::8009 :::* LISTEN 2629/webAccess
udp 0 0 0.0.0.0:34368 0.0.0.0:* 1377/avahi-daemon:
udp 0 0 0.0.0.0:5353 0.0.0.0:* 1377/avahi-daemon:
udp 0 0 0.0.0.0:111 0.0.0.0:* 921/portmap
No need to scare yourself over nothing
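hartman's way of settling a hidden-port alert is to compare rootcheck's claims with what netstat -taupn actually shows in LISTEN. The Python below is an added example, not code from this thread or from rootcheck: it extracts the visibly bound ports from netstat output (tcp rows in LISTEN, every udp row), extracts the port claims from rootcheck output, and reports for each claim whether a visible process is bound to it. It also flags the case where every claimed port is below 1024, since rootcheck treats a failed bind() as "port in use" and a run without root privileges gets a permission error on the privileged range, which is one plausible way to produce the 2 to 24 pattern quoted above (my reading of rootcheck's port test, not something the thread states). Both samples are constructed.

```python
import re

# Constructed netstat -taupn style output, shaped like the listings in this thread
# (rows made up for the example, not copied from a real host).
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      877/portmap
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1714/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1884/cupsd
tcp        0      0 192.168.1.33:44228      74.125.39.83:443        ESTABLISHED 7906/firefox-bin
tcp        0      0 192.168.1.33:37663      74.125.43.100:80        TIME_WAIT   -
tcp6       0      0 :::22                   :::*                    LISTEN      1714/sshd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           1187/dhclient3
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           1039/avahi-daemon:
"""

# Constructed rootcheck excerpt in the format quoted above.
SAMPLE_ROOTCHECK_PORTS = """\
[FAILED]: Port '2'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.
[FAILED]: Port '3'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.
[FAILED]: Port '21'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.
[FAILED]: Port '22'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.
[FAILED]: Excessive number of 'tcp' ports hidden. It maybe a false-positive or something really bad is going on.
"""

HIDDEN_RE = re.compile(r"^\[FAILED\]: Port '(\d+)'\((tcp|udp)\) hidden")


def listening_ports(netstat_text):
    """Return {'tcp': {port: program}, 'udp': {port: program}} for sockets a process
    is visibly bound to: tcp/tcp6 rows in LISTEN, and every udp/udp6 row (udp rows
    have no State column, so the program field shifts one column left)."""
    result = {"tcp": {}, "udp": {}}
    for line in netstat_text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue                              # header and blank lines
        proto = parts[0].rstrip("6")
        local = parts[3]
        if proto == "tcp":
            if len(parts) < 7 or parts[5] != "LISTEN":
                continue                          # established / waiting connections
            program = parts[6]
        else:
            program = parts[5] if len(parts) > 5 else "-"
        port = int(local.rsplit(":", 1)[1])       # works for 0.0.0.0:22 and :::22 alike
        result[proto][port] = program
    return result


def hidden_port_claims(rootcheck_text):
    """List the (port, proto) pairs rootcheck reported as hidden."""
    return [(int(m.group(1)), m.group(2))
            for m in (HIDDEN_RE.match(l) for l in rootcheck_text.splitlines()) if m]


def reconcile(claims, listening):
    """Confront each claim with the visible socket table. A claimed port that no
    process is visibly bound to is what a real rootkit would look like, but a run
    of such ports all below 1024 is also what an unprivileged bind() failure looks
    like; all_privileged makes that pattern easy to spot."""
    rows = []
    for port, proto in claims:
        program = listening[proto].get(port)
        rows.append({"port": f"{port}/{proto}", "visible": program is not None, "program": program})
    return {"rows": rows,
            "all_privileged": bool(claims) and all(p < 1024 for p, _ in claims)}


if __name__ == "__main__":
    report = reconcile(hidden_port_claims(SAMPLE_ROOTCHECK_PORTS), listening_ports(SAMPLE_NETSTAT))
    for row in report["rows"]:
        print(row)
    print("all claimed ports privileged:", report["all_privileged"])
```

If the claimed ports are all privileged and none of them is bound in the root-run netstat, re-run rootcheck as root before suspecting netstat; a claim that survives a privileged run, on a port no visible process owns, is the one to treat seriously.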
#94 20/09/2010, 19:38
- MaryPopy
No need to scare yourself over nothing
Yep, I can't wait to understand all this better. I'm opening my textbooks from October 4th.
But ports and networking aren't part of my programme yet.
Connexions Internet actives (serveurs et établies)
Proto Recv-Q Send-Q Adresse locale Adresse distante Etat PID/Program name
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 877/portmap
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1714/sshd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 1884/cupsd
tcp 0 0 0.0.0.0:49129 0.0.0.0:* LISTEN 969/rpc.statd
tcp 0 0 192.168.1.33:43747 209.85.135.17:443 TIME_WAIT -
tcp 1 0 192.168.1.33:36030 91.189.89.31:80 CLOSE_WAIT 4573/gvfsd-http
tcp 0 0 192.168.1.33:37663 74.125.43.100:80 TIME_WAIT -
tcp 0 0 192.168.1.33:37659 74.125.43.100:80 TIME_WAIT -
tcp 0 0 192.168.1.33:58330 212.243.221.246:80 TIME_WAIT -
tcp 0 0 192.168.1.33:34128 209.85.135.152:80 TIME_WAIT -
tcp 0 0 192.168.1.33:37648 74.125.43.100:80 TIME_WAIT -
tcp 0 0 192.168.1.33:44228 74.125.39.83:443 ESTABLISHED 7906/firefox-bin
tcp 0 0 192.168.1.33:37662 74.125.43.100:80 TIME_WAIT -
tcp 0 0 192.168.1.33:55210 193.247.193.34:80 ESTABLISHED 7906/firefox-bin
tcp 0 0 192.168.1.33:36352 74.125.39.139:443 ESTABLISHED 7906/firefox-bin
tcp 0 0 192.168.1.33:60387 74.125.43.136:80 ESTABLISHED 7906/firefox-bin
tcp 0 0 192.168.1.33:52387 74.125.39.100:80 ESTABLISHED 7906/firefox-bin
tcp 0 0 192.168.1.33:37661 74.125.43.100:80 TIME_WAIT -
tcp 0 0 192.168.1.33:46019 74.125.39.156:80 TIME_WAIT -
tcp 0 0 192.168.1.33:49680 209.85.135.101:80 ESTABLISHED 7906/firefox-bin
tcp 0 0 192.168.1.33:55212 193.247.193.34:80 ESTABLISHED 7906/firefox-bin
tcp 0 0 192.168.1.33:60406 74.125.43.136:80 ESTABLISHED 7906/firefox-bin
tcp 1 0 192.168.1.33:36036 91.189.89.31:80 CLOSE_WAIT 4573/gvfsd-http
tcp 0 0 192.168.1.33:37660 74.125.43.100:80 TIME_WAIT -
tcp 0 0 192.168.1.33:46305 74.125.43.19:443 TIME_WAIT -
tcp6 0 0 :::22 :::* LISTEN 1714/sshd
tcp6 0 0 ::1:631 :::* LISTEN 1884/cupsd
udp 0 0 0.0.0.0:68 0.0.0.0:* 1187/dhclient3
udp 0 0 0.0.0.0:721 0.0.0.0:* 969/rpc.statd
udp 0 0 0.0.0.0:5353 0.0.0.0:* 1039/avahi-daemon:
udp 0 0 0.0.0.0:111 0.0.0.0:* 877/portmap
udp 0 0 0.0.0.0:39058 0.0.0.0:* 969/rpc.statd
udp 0 0 0.0.0.0:38937 0.0.0.0:* 1039/avahi-daemon:
Thanks.
Last edited by MaryPopy (21/09/2010, 00:25)
#95 20/09/2010, 19:57
- hartman
Note: (Tous les processus ne peuvent être identifiés, les infos sur les processus
non possédés ne seront pas affichées, vous devez être root pour les voir toutes.)
So put sudo in front.
Then, do a man netstat to understand what it's telling you.
What matters in your situation (knowing your listening ports) is the LISTEN ports (the rest, we don't care much ^^).
#96 21/09/2010, 10:36
- castor77
Hey, I have a level 12 alert (usually I get tons of level 2 or 3).
Rule: 40101 fired (level 12) -> "System user successfully logged to the system."
Portion of the log(s):Sep 21 10:06:19 xyzertyu su[15609]: + ??? root:nobody
"I know this music", The Fifth Element.
#97 21/09/2010, 18:45
- hartman
And in your logs, do you have anything?
I haven't looked into Ossec more than that, but you do have to understand how it works to interpret the results properly.
I found the id of that rule in attack_rules.xml, but I don't have more info ^^.
#98 23/09/2010, 12:05
- castor77
ok thanks hartman.
#99 28/09/2010, 23:12
- castor77
V2.5 released!
#100 28/09/2010, 23:26
- MaryPopy
I'll test that... Thanks.