
#76 15/09/2010 at 11:32

MaryPopy

Re: OSSEC > NEW Intrusion detection + Rootcheck [solution]

el_profesor wrote:

What's on line 94? Well, if you want to see the graphical interface your web server has to be running, because if it isn't running you won't display anything. Your OSSEC rootcheck? Did you manage it from the command line (I'm interested)? What does it give you?

For the rootcheck display it gave this:

** Starting Rootcheck v0.9 by Daniel B. Cid        **
** http://www.ossec.net/en/about.html#dev-team     **
** http://www.ossec.net/rootcheck/                 **

Be patient, it may take a few minutes to complete...

[INFO]: Starting rootcheck scan.

[OK]: No presence of public rootkits detected. Analyzed 268 files.

[FAILED]: Trojaned version of file '/bin/login' detected. Signature used: 'bash|elite|SucKIT|xlogin|vejeta|porcao|lets_log|sukasuk' (Generic).

[INFO]: System Audit: CIS - Testing against the CIS Debian Linux Benchmark v1.0. File: /etc/debian_version. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .

[INFO]: System Audit: CIS - Debian Linux 1.4 - Robust partition scheme - /tmp is not on its own partition. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .

[INFO]: System Audit: CIS - Debian Linux 1.4 - Robust partition scheme - /opt is not on its own partition. File: /opt. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .

[INFO]: System Audit: CIS - Debian Linux 1.4 - Robust partition scheme - /var is not on its own partition. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .

[INFO]: System Audit: CIS - Debian Linux 2.3 - SSH Configuration - Root login allowed. File: /etc/ssh/sshd_config. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .

[INFO]: System Audit: CIS - Debian Linux 2.4 - System Accounting - Sysstat not installed. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .

[INFO]: System Audit: CIS - Debian Linux 2.4 - System Accounting - Sysstat not enabled. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .

[INFO]: System Audit: CIS - Debian Linux 2.5 - System harderning - Bastille is not installed. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .

[INFO]: System Audit: CIS - Debian Linux 7.2 - Removable partition /media without 'nodev' set. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .

[INFO]: System Audit: CIS - Debian Linux 7.2 - Removable partition /media without 'nosuid' set. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .

[INFO]: System Audit: CIS - Debian Linux 7.3 - User-mounted removable partition /media. File: /etc/fstab. Reference: http://www.ossec.net/wiki/index.php/CIS_DebianLinux .

[OK]: No problem detected on the /dev directory. Analyzed 576 files

[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/ossec_conf.php' is: 
          - owned by root,
          - has written permissions to anyone.

[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/js/calendar-en.js' is: 
          - owned by root,
          - has written permissions to anyone.

[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/js/calendar.js' is: 
          - owned by root,
          - has written permissions to anyone.

[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/js/calendar-setup.js' is: 
          - owned by root,
          - has written permissions to anyone.

[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/js/prototype.js' is: 
          - owned by root,
          - has written permissions to anyone.

[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/js/hide.js' is: 
          - owned by root,
          - has written permissions to anyone.

[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/tmp/.htaccess' is: 
          - owned by root,
          - has written permissions to anyone.

[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/LICENSE' is: 
          - owned by root,
          - has written permissions to anyone.

[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/setup.sh' is: 
          - owned by root,
          - has written permissions to anyone.

[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/README' is: 
          - owned by root,
          - has written permissions to anyone.

[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/img/donate.gif' is: 
          - owned by root,
          - has written permissions to anyone.

[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/img/calendar.gif' is: 
          - owned by root,
          - has written permissions to anyone.

[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/img/191x81.jpg' is: 
          - owned by root,
          - has written permissions to anyone.

[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/img/ossecLogo.png' is: 
          - owned by root,
          - has written permissions to anyone.

[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/img/background.png' is: 
          - owned by root,
          - has written permissions to anyone.

[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/img/ossec_webui.jpg' is: 
          - owned by root,
          - has written permissions to anyone.

[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/README.search' is: 
          - owned by root,
          - has written permissions to anyone.

[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/.htaccess' is: 
          - owned by root,
          - has written permissions to anyone.

[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/css/css.css' is: 
          - owned by root,
          - has written permissions to anyone.

[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/css/cal.css' is: 
          - owned by root,
          - has written permissions to anyone.

[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/css/images/arrow.gif' is: 
          - owned by root,
          - has written permissions to anyone.

[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/css/images/hr_tag_sep.gif' is: 
          - owned by root,
          - has written permissions to anyone.

[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/css/images/hr_title_sep.gif' is: 
          - owned by root,
          - has written permissions to anyone.

[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/css/images/favicon.ico' is: 
          - owned by root,
          - has written permissions to anyone.

[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/css/images/pagebg.gif' is: 
          - owned by root,
          - has written permissions to anyone.

[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/site/syscheck.php' is: 
          - owned by root,
          - has written permissions to anyone.

[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/site/search.php' is: 
          - owned by root,
          - has written permissions to anyone.

[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/site/main.php' is: 
          - owned by root,
          - has written permissions to anyone.

[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/site/.htaccess' is: 
          - owned by root,
          - has written permissions to anyone.

[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/site/footer.html' is: 
          - owned by root,
          - has written permissions to anyone.

[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/site/header.html' is: 
          - owned by root,
          - has written permissions to anyone.

[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/site/user_mapping.php' is: 
          - owned by root,
          - has written permissions to anyone.

[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/site/stats.php' is: 
          - owned by root,
          - has written permissions to anyone.

[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/site/searchfw.php' is: 
          - owned by root,
          - has written permissions to anyone.

[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/site/help.php' is: 
          - owned by root,
          - has written permissions to anyone.

[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/lib/os_lib_syscheck.php' is: 
          - owned by root,
          - has written permissions to anyone.

[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/lib/os_lib_stats.php' is: 
          - owned by root,
          - has written permissions to anyone.

[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/lib/os_lib_util.php' is: 
          - owned by root,
          - has written permissions to anyone.

[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/lib/os_lib_firewall.php' is: 
          - owned by root,
          - has written permissions to anyone.

[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/lib/os_lib_alerts.php' is: 
          - owned by root,
          - has written permissions to anyone.

[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/lib/.htaccess' is: 
          - owned by root,
          - has written permissions to anyone.

[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/lib/Ossec/Alert.php' is: 
          - owned by root,
          - has written permissions to anyone.

[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/lib/Ossec/AlertList.php' is: 
          - owned by root,
          - has written permissions to anyone.

[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/lib/Ossec/Histogram.php' is: 
          - owned by root,
          - has written permissions to anyone.

[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/lib/ossec_categories.php' is: 
          - owned by root,
          - has written permissions to anyone.

[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/lib/os_lib_agent.php' is: 
          - owned by root,
          - has written permissions to anyone.

[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/lib/ossec_formats.php' is: 
          - owned by root,
          - has written permissions to anyone.

[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/lib/os_lib_mapping.php' is: 
          - owned by root,
          - has written permissions to anyone.

[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/.htpasswd' is: 
          - owned by root,
          - has written permissions to anyone.

[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/index.php' is: 
          - owned by root,
          - has written permissions to anyone.

[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/CONTRIB' is: 
          - owned by root,
          - has written permissions to anyone.

[FAILED]: File '/root/.local/share/Trash/files/ossec-wui/htaccess_def.txt' is: 
          - owned by root,
          - has written permissions to anyone.

[FAILED]: File '/root/.local/share/Trash/files/remastersys-2.0.17/build_stamp' is: 
          - owned by root,
          - has written permissions to anyone.

[FAILED]: File '/root/.local/share/Trash/files/remastersys-2.0.17/README' is: 
          - owned by root,
          - has written permissions to anyone.

[FAILED]: File '/root/.local/share/Trash/files/remastersys-2.0.17/remastersys-gui' is: 
          - owned by root,
          - has written permissions to anyone.

[FAILED]: File '/root/.local/share/Trash/files/remastersys-2.0.17/debian/postrm' is: 
          - owned by root,
          - has written permissions to anyone.

[FAILED]: File '/root/.local/share/Trash/files/remastersys-2.0.17/debian/postinst' is: 
          - owned by root,
          - has written permissions to anyone.

[FAILED]: File '/root/.local/share/Trash/files/remastersys-2.0.17/debian/remastersys.1' is: 
          - owned by root,
          - has written permissions to anyone.

[FAILED]: File '/root/.local/share/Trash/files/remastersys-2.0.17/debian/prerm' is: 
          - owned by root,
          - has written permissions to anyone.

[FAILED]: File '/root/.local/share/Trash/files/remastersys-2.0.17/debian/dirs' is: 
          - owned by root,
          - has written permissions to anyone.

[FAILED]: File '/root/.local/share/Trash/files/remastersys-2.0.17/debian/changelog' is: 
          - owned by root,
          - has written permissions to anyone.

[FAILED]: File '/root/.local/share/Trash/files/remastersys-2.0.17/debian/compat' is: 
          - owned by root,
          - has written permissions to anyone.

[FAILED]: File '/root/.local/share/Trash/files/remastersys-2.0.17/debian/rules' is: 
          - owned by root,
          - has written permissions to anyone.

[FAILED]: File '/root/.local/share/Trash/files/remastersys-2.0.17/debian/preinst' is: 
          - owned by root,
          - has written permissions to anyone.

[FAILED]: File '/root/.local/share/Trash/files/remastersys-2.0.17/debian/copyright' is: 
          - owned by root,
          - has written permissions to anyone.

[FAILED]: File '/root/.local/share/Trash/files/remastersys-2.0.17/debian/docs' is: 
          - owned by root,
          - has written permissions to anyone.

[FAILED]: File '/root/.local/share/Trash/files/remastersys-2.0.17/debian/control' is: 
          - owned by root,
          - has written permissions to anyone.

[FAILED]: File '/root/.local/share/Trash/files/remastersys-2.0.17/etcdata/remastersys.conf' is: 
          - owned by root,
          - has written permissions to anyone.

[FAILED]: File '/root/.local/share/Trash/files/remastersys-2.0.17/etcdata/remastersys/remastersys.version' is: 
          - owned by root,
          - has written permissions to anyone.

[FAILED]: File '/root/.local/share/Trash/files/remastersys-2.0.17/etcdata/remastersys/preseed/custom.seed' is: 
          - owned by root,
          - has written permissions to anyone.

[FAILED]: File '/root/.local/share/Trash/files/remastersys-2.0.17/remastersys.1.gz' is: 
          - owned by root,
          - has written permissions to anyone.

[FAILED]: File '/root/.local/share/Trash/files/remastersys-2.0.17/desktopdata/remastersys-gui.desktop' is: 
          - owned by root,
          - has written permissions to anyone.

[FAILED]: File '/root/.local/share/Trash/files/remastersys-2.0.17/desktopdata/remastersys-gui-kde.desktop' is: 
          - owned by root,
          - has written permissions to anyone.

[FAILED]: File '/root/.local/share/Trash/files/remastersys-2.0.17/desktopdata/remastersys.png' is: 
          - owned by root,
          - has written permissions to anyone.

[FAILED]: File '/var/log/ntop/access.log' is: 
          - owned by root,
          - has written permissions to anyone.

[ERR]: Check the following files for more information:
       rootcheck-rw-rw-rw-.txt (list of world writable files)
       rootcheck-rwxrwxrwx.txt (list of world writtable/executable files)
       rootcheck-suid-files.txt (list of suid files)

[OK]: No hidden process by Kernel-level rootkits.
      /bin/ps is not trojaned. Analyzed 32768 processes.

[OK]: No kernel-level rootkit hiding any port.
      Netstat is acting correctly. Analyzed 131072 ports.

[OK]: The following ports are open:
      22 (tcp),68 (udp),111 (tcp),111 (udp),
      631 (tcp),736 (udp),3000 (tcp),5353 (udp),
      34515 (udp),38976 (udp),56167 (tcp)

[OK]: No problem detected on ifconfig/ifs. Analyzed 2 interfaces.


- Scan completed in 18 seconds.

[INFO]: Ending rootcheck scan.

For the server, when it's off I know nothing is displayed. My question is, does it always have to be running? But my question was stupid.

As for line 94, there's surely some code that OSSEC can't reach. I'll get back to it tonight or next weekend.

Last edited by MaryPopy (15/09/2010 at 11:36)

#77 15/09/2010 at 11:35

el_profesor

What did you type to get that? At first it tells you it found no rootkit, but then it gives you an error. And lots more afterwards. It's strange indeed. But otherwise, for your xampp error, what's on line 94?

#78 15/09/2010 at 11:37

MaryPopy

To get that you have to follow my tutorial: http://forum.ubuntu-fr.org/viewtopic.ph … 3#p3725713
And the command will be

ossec-rootcheck -c /var/rootcheck-2.4/rootcheck.conf

It takes 10 min to install. Not even.

Last edited by MaryPopy (15/09/2010 at 11:44)

#79 15/09/2010 at 11:40

el_profesor

Yeah, well, I can't help you there. To me it's strange, but then I do it through the graphical interface and it doesn't find anything special for me.

#80 15/09/2010 at 11:42

MaryPopy

That's what I find strange. On my machine the HIDS commands don't display anything, whereas I should get the results just like with the graphical interface. Well, I'll look into the question later.

I get the alerts and everything, the upgrades... what I talk about on page 1... but not the reports as described in the manual.

I'm going to reinstall, adding my local IP in addition to 127.0.0.1.

Thanks, see you

Last edited by MaryPopy (15/09/2010 at 11:52)

#81 15/09/2010 at 11:57

el_profesor

For me, when I run /var/ossec/bin/rootcheck_control -i 004 (004 being the id of one of my ossec agents), it works.

#82 15/09/2010 at 14:09

MaryPopy

I only have 000 as agent ID. The localhost, basically!
I'll do some tests tonight.

In the meantime I'm still interested if someone has a solution to my error:

Warning: opendir(/var/ossec) [function.opendir]: failed to open dir: Permission non accordée in /opt/lampp/htdocs/ossec-wui/lib/os_lib_handle.php on line 94
Unable to access ossec directory.

I'm convinced it's a permissions matter since that's what it says. Apache can't see ossec, is that it? It doesn't have access. But I can't find the solution. I gave it a chown root:ossec, same as my /var/ossec. But that's not it.

Last edited by MaryPopy (15/09/2010 at 14:17)

#83 15/09/2010 at 15:46

el_profesor

So you installed OSSEC as local?

In your error it says ".php on line 94". What's on that line?

#84 15/09/2010 at 15:51

MaryPopy

I'll post the line tonight. If you also installed ossec-wui, I suppose we have the same line.

Someone on this site has the same problem but the solution wasn't found.
http://groups.google.com/group/ossec-li … b90e04d146

Last edited by MaryPopy (15/09/2010 at 16:02)

#85 15/09/2010 at 16:04

el_profesor

Yeah, I don't see anything special there. Here, I'll post what I have anyway.

// os_lib_handle.php, around line 94: opendir($dir) is the call that fails when the
// web server user has no read/search permission on the OSSEC directory.
if ($dh = opendir($dir))
{
    closedir($dh);
    $ossec_handle{'dir'} = $dir;
    $ossec_handle{'agent_dir'} = $dir."/queue/agent-info";

    return($ossec_handle);
}
return(NULL);

#86 15/09/2010 at 16:13

MaryPopy

The problem comes from the fact that access to /var/ossec is forbidden to Apache.
I asked the question here: http://forum.ubuntu-fr.org/viewtopic.ph … 0#p3729350

Last edited by MaryPopy (15/09/2010 at 16:55)
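To pin down which directory actually refuses the web server's opendir(), here is an added diagnostic written for this page (it is not part of ossec-wui or OSSEC). It reproduces the permission arithmetic the kernel applies: every ancestor of /var/ossec must grant search (x) to the web server's uid or one of its gids, and the target itself must grant read and search. The account name www-data, the note about XAMPP's daemon user and the uid/gid values used in demo() are assumptions; confirm which user your httpd runs as with ps.

```python
import grp
import os
import pwd
import shutil
import stat
import tempfile


def identity_for(username):
    """uid and full gid set (primary + supplementary) of a local account such as www-data."""
    pw = pwd.getpwnam(username)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if username in g.gr_mem}
    return pw.pw_uid, gids


def _effective_bits(st, uid, gids):
    """The rwx triplet that applies to (uid, gids) on this inode; root bypasses directory r/x checks."""
    if uid == 0:
        return 7
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7


def _ancestors(path):
    """'/var/ossec' -> ['/', '/var', '/var/ossec']."""
    path = os.path.abspath(path)
    chain = []
    while True:
        chain.append(path)
        parent = os.path.dirname(path)
        if parent == path:
            break
        path = parent
    return chain[::-1]


def first_denied_component(path, uid, gids):
    """None if (uid, gids) could opendir(path); otherwise (component, reason) for the first refusal.

    opendir() needs search (x) on every ancestor and read + search (r+x) on the target directory.
    """
    chain = _ancestors(path)
    for i, component in enumerate(chain):
        try:
            st = os.stat(component)
        except FileNotFoundError:
            return component, "does not exist"
        if not stat.S_ISDIR(st.st_mode):
            return component, "is not a directory"
        bits = _effective_bits(st, uid, gids)
        detail = "mode %s, owner %d:%d, probed as uid %d" % (
            oct(st.st_mode & 0o7777), st.st_uid, st.st_gid, uid)
        if not bits & 1:
            return component, "no search (x) permission: " + detail
        if i == len(chain) - 1 and not bits & 4:
            return component, "no read (r) permission: " + detail
    return None


def demo():
    """Rebuild the post's situation in a throw-away tree: a mode-750 directory probed first as an
    identity that is neither owner nor group member (constructed uid/gid), then as the owner."""
    base = tempfile.mkdtemp()
    try:
        os.chmod(base, 0o755)
        target = os.path.join(base, "ossec")
        os.mkdir(target)
        os.chmod(target, 0o750)  # explicit chmod: mkdir's mode argument is reduced by the umask
        me, my_gid = os.getuid(), os.getgid()
        stranger = first_denied_component(target, me + 1, {my_gid + 1})
        owner = first_denied_component(target, me, {my_gid})
        return stranger, owner
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    import sys
    # Usage: python3 <this file> /var/ossec www-data
    # The account name is an assumption: XAMPP's httpd often runs as 'daemon'; confirm with ps.
    directory = sys.argv[1] if len(sys.argv) > 1 else "/var/ossec"
    user = sys.argv[2] if len(sys.argv) > 2 else "www-data"
    uid, gids = identity_for(user)
    verdict = first_denied_component(directory, uid, gids)
    if verdict is None:
        print("OK: %s (uid %d) can opendir(%s)" % (user, uid, directory))
    else:
        print("DENIED at %s: %s" % verdict)
```

The walk is there to find the narrowest fix: the chown root:ossec mentioned in the post only helps if the web server's account is in group ossec and the group bits include r+x, so the usual answer is granting that group read and search on /var/ossec rather than opening the tree to everyone. The rootcheck report earlier in this thread already lists world-writable files as [FAILED] findings, so a blanket chmod would simply show up in the next scan.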

#87 16/09/2010 at 18:45

hartman

Hi,

At first I found the idea of the rootchecker quite attractive. Being able to run it at any time is nice.
However, I had to edit the file /var/rootcheck-2.4/rootcheck.conf and replace the relative paths with absolute ones, otherwise rootcheck couldn't find the database files.
Only one concern with rootcheck: a few false positives (bin/login, and the first 22 tcp ports reported as hidden // Meh).

As for ossec, I was able to test it "a bit" with Nessus, but I would have liked to find a nastier tool.
So I configured my Nessus policy with pretty much everything there was, and launched the scan.

Nessus started with a port scan, then an ssh brute force, and then a few ftp connections.
Unfortunately, the other tests were useless: Ossec created 2 iptables rules (INPUT and OUTPUT) to drop everything coming from or going to the Nessus host machine :P.

To continue the tests, I whitelisted the Nessus machine and relaunched it, this time with an extra open port bound to a bash (with netcat).
I was rather disappointed, because it didn't change much: Nessus saw 5 "flaws", more or less unexploitable at the network level (I should point out that the machine was a VM and I didn't do anything special on it; proftpd was installed and used straight out of the box, no iptables rules, a stock sshd, etc.).

Here is the Ossec report (DEFAULT conf except for syscheck!):

2010 Sep 15 19:45:23 Rule Id: 5502 level: 3
Location: ubuntu-test->/var/log/auth.log
Login session closed.
Sep 15 19:45:22 ubuntu-test proftpd: pam_unix(proftpd:session): session closed for user ftp_user

2010 Sep 15 19:45:23 Rule Id: 5501 level: 3
Location: ubuntu-test->/var/log/auth.log
Login session opened.
Sep 15 19:45:22 ubuntu-test proftpd: pam_unix(proftpd:session): session opened for user ftp_user by (uid=0)

2010 Sep 15 19:45:23 Rule Id: 5502 level: 3
Location: ubuntu-test->/var/log/auth.log
Login session closed.
Sep 15 19:45:11 ubuntu-test proftpd: pam_unix(proftpd:session): session closed for user ftp_user

2010 Sep 15 19:45:07 Rule Id: 5502 level: 3
Location: ubuntu-test->/var/log/auth.log
Login session closed.
Sep 15 19:45:07 ubuntu-test proftpd: pam_unix(proftpd:session): session closed for user ftp_user

2010 Sep 15 19:45:07 Rule Id: 5501 level: 3
Location: ubuntu-test->/var/log/auth.log
Login session opened.
Sep 15 19:45:07 ubuntu-test proftpd: pam_unix(proftpd:session): session opened for user ftp_user by (uid=0)

2010 Sep 15 19:45:07 Rule Id: 5502 level: 3
Location: ubuntu-test->/var/log/auth.log
Login session closed.
Sep 15 19:45:06 ubuntu-test proftpd: pam_unix(proftpd:session): session closed for user ftp_user

2010 Sep 15 19:45:07 Rule Id: 5501 level: 3
Location: ubuntu-test->/var/log/auth.log
Login session opened.
Sep 15 19:45:06 ubuntu-test proftpd: pam_unix(proftpd:session): session opened for user ftp_user by (uid=0)

2010 Sep 15 19:45:03 Rule Id: 2503 level: 5
Location: ubuntu-test->/var/log/auth.log
Connection blocked by Tcp Wrappers.
Sep 15 19:45:02 ubuntu-test sshd[4514]: refused connect from Nessus-Host (Nessus-Host)

2010 Sep 15 19:45:03 Rule Id: 2503 level: 5
Location: ubuntu-test->/var/log/auth.log
Connection blocked by Tcp Wrappers.
Sep 15 19:45:02 ubuntu-test sshd[4513]: refused connect from Nessus-Host (Nessus-Host)

2010 Sep 15 19:44:41 Rule Id: 5710 level: 5
Location: ubuntu-test->/var/log/auth.log
Src IP: Nessus-Host
Attempt to login using a non-existent user
Sep 15 19:44:41 ubuntu-test sshd[4497]: Invalid user _wzgN52d from Nessus-Host

2010 Sep 15 19:44:41 Rule Id: 5718 level: 5
Location: ubuntu-test->/var/log/auth.log
Src IP: Nessus-Host
Attempt to login using a denied user.
Sep 15 19:44:41 ubuntu-test sshd[4494]: User root from Nessus-Host not allowed because not listed in AllowUsers

2010 Sep 15 19:44:41 Rule Id: 5706 level: 6
Location: ubuntu-test->/var/log/auth.log
Src IP: Nessus-Host
SSH insecure connection attempt (scan).
Sep 15 19:44:41 ubuntu-test sshd[4493]: Did not receive identification string from Nessus-Host

On the Nessus side:

Port general (0/icmp)
Traceroute Information
Synopsis:
It was possible to obtain traceroute information.
Description:
Makes a traceroute to the remote host.
Risk factor:
None
Solution:
n/a
Plugin output:
For your information, here is the traceroute from 192.168.164.10 to 192.168.164.9 : 192.168.164.10 192.168.164.9
Plugin ID:
10287



ICMP Timestamp Request Remote Date Disclosure
Synopsis:
It is possible to determine the exact time set on the remote host.
Description:
The remote host answers to an ICMP timestamp request. This allows an attacker to know the date which is set on your machine. This may help him to defeat all your time based authentication protocols.
Risk factor:
None
Solution:
Filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).
Plugin output:
The remote clock is synchronized with the local clock.
Plugin ID:
10114



Port vnc (5900/tcp)
VNC Server Security Type Detection
Synopsis:
A VNC server is running on the remote host.
Description:
This script checks the remote VNC server protocol version and the available 'security types'.
Risk factor:
None
Solution:
n/a
Plugin output:
The remote VNC server supports the following security types : + 18 (TLS) + 2 (VNC authentication)
Plugin ID:
19288



Port http? (80/tcp)
HTTP methods per directory
Synopsis:
This plugin determines which HTTP methods are allowed on various CGI directories.
Description:
By calling the OPTIONS method, it is possible to determine which HTTP methods are allowed on each directory. As this list may be incomplete, the plugin also tests - if 'Thorough tests' are enabled or 'Enable web applications tests' is set to 'yes' in the scan policy - various known HTTP methods on each directory and considers them as unsupported if it receives a response code of 400, 403, 405, or 501. Note that the plugin output is only informational and does not necessarily indicate the presence of any security vulnerabilities.
Risk factor:
None
Solution:
n/a
Plugin output:
Based on the response to an OPTIONS request : - HTTP methods GET HEAD OPTIONS POST are allowed on :

I'd like to go further, but I don't know how :P.

PS: the realtime option for syscheck is fine when you have a good processor (thanks, i7), but it takes a whole core to itself.
Prefer a classic scan, no need to get too paranoid ^^.

See you


P4 2.8GHz 32-bit / 1GB RAM / GeForce FX5700LE.
Ubuntu Dapper Drake and Gutsy Gibbon
Ubuntu documentation, for beginners and the not-so-beginner :P
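hartman's alert dump above has a regular shape: a "Rule Id ... level" header, a Location line, an optional Src IP line, the rule description, then the raw log line that matched. The parser below is an added example, not OSSEC's own tooling, that reads that shape back into records and summarises which source would have tripped the active response hartman saw. The sample is a subset of his lines (Nessus-Host is his own placeholder); the level-6 threshold is the value OSSEC's stock ossec.conf uses for its firewall-drop and host-deny responses, assumed here rather than read from his configuration.

```python
import re
from collections import Counter, defaultdict

# Five of the alert entries hartman posted above (Nessus-Host is his own placeholder for the scanner).
SAMPLE_ALERTS = """\
2010 Sep 15 19:45:23 Rule Id: 5502 level: 3
Location: ubuntu-test->/var/log/auth.log
Login session closed.
Sep 15 19:45:22 ubuntu-test proftpd: pam_unix(proftpd:session): session closed for user ftp_user

2010 Sep 15 19:45:03 Rule Id: 2503 level: 5
Location: ubuntu-test->/var/log/auth.log
Connection blocked by Tcp Wrappers.
Sep 15 19:45:02 ubuntu-test sshd[4514]: refused connect from Nessus-Host (Nessus-Host)

2010 Sep 15 19:44:41 Rule Id: 5710 level: 5
Location: ubuntu-test->/var/log/auth.log
Src IP: Nessus-Host
Attempt to login using a non-existent user
Sep 15 19:44:41 ubuntu-test sshd[4497]: Invalid user _wzgN52d from Nessus-Host

2010 Sep 15 19:44:41 Rule Id: 5718 level: 5
Location: ubuntu-test->/var/log/auth.log
Src IP: Nessus-Host
Attempt to login using a denied user.
Sep 15 19:44:41 ubuntu-test sshd[4494]: User root from Nessus-Host not allowed because not listed in AllowUsers

2010 Sep 15 19:44:41 Rule Id: 5706 level: 6
Location: ubuntu-test->/var/log/auth.log
Src IP: Nessus-Host
SSH insecure connection attempt (scan).
Sep 15 19:44:41 ubuntu-test sshd[4493]: Did not receive identification string from Nessus-Host
"""

HEADER_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2})\s+Rule Id: (?P<rule>\d+)\s+level: (?P<level>\d+)\s*$")


def parse_alerts(text):
    """Split blank-line-separated entries and read each one back into a dict.

    Shape: header (timestamp, rule id, level), 'Location:' line, optional 'Src IP:' line,
    the rule description, then the raw log line(s) that matched.
    """
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        m = HEADER_RE.match(lines[0])
        if not m:
            continue  # stray text between entries, not an alert
        alert = {"timestamp": m["ts"], "rule_id": int(m["rule"]), "level": int(m["level"]),
                 "location": None, "src_ip": None}
        body = lines[1:]
        while body and (body[0].startswith("Location: ") or body[0].startswith("Src IP: ")):
            key, _, value = body.pop(0).partition(": ")
            alert["location" if key == "Location" else "src_ip"] = value
        alert["description"] = body[0] if body else ""
        alert["log"] = " ".join(body[1:])
        alerts.append(alert)
    return alerts


def summarise(alerts, response_level=6):
    """Counts per rule, rule sequence per source, and the sources at or above the response level.

    response_level=6 is what OSSEC's stock ossec.conf uses for its firewall-drop / host-deny
    active responses (assumed here; check the <active-response> blocks of your own config).
    """
    by_rule = Counter(a["rule_id"] for a in alerts)
    by_src = defaultdict(list)
    for a in alerts:
        if a["src_ip"]:
            by_src[a["src_ip"]].append(a["rule_id"])
    would_block = sorted({a["src_ip"] for a in alerts
                          if a["src_ip"] and a["level"] >= response_level})
    return {"by_rule": dict(by_rule), "by_src": dict(by_src), "would_block": would_block}


if __name__ == "__main__":
    summary = summarise(parse_alerts(SAMPLE_ALERTS))
    for rule, n in sorted(summary["by_rule"].items()):
        print("rule %d: %d alert(s)" % (rule, n))
    for src, rules in summary["by_src"].items():
        print("%s triggered rules %s" % (src, rules))
    print("active response would fire against:", summary["would_block"] or "nobody")
```

Run against the sample, only rule 5706 (level 6) carries a Src IP at or above the threshold, which matches hartman's observation that one scanner host ended up in INPUT and OUTPUT drop rules: the proftpd session alerts (5501/5502) have no source address at all, so the only thing the response could act on was the SSH probe.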

#88 16/09/2010 at 19:46

MaryPopy

Thanks for sharing your experience.
Did you test realtime on "/" for it to take up 1 core?

#89 16/09/2010 at 20:02

hartman

Nah, I'm not crazy either ^^
Just on a few files in my home, to have a look.


#90 16/09/2010 at 20:22

MaryPopy

I had tried .filezilla and .firefox in realtime; it took 60% of 1 core at startup, otherwise no more than 4% of my quad. When I open a new tab it goes up to 24%. But sometimes the 60% is enough to freeze my Firefox. So I disabled it.

#91 16/09/2010 at 20:53

hartman

I'm not convinced it's a good idea to monitor a home directory, or else just the permissions on certain files.


#92 20/09/2010 at 00:18

MaryPopy

My scan result has changed since http://forum.ubuntu-fr.org/viewtopic.ph … 0#p3728790

[OK]: The following ports are open:
      22 (tcp),68 (udp),111 (tcp),111 (udp),
      631 (tcp),736 (udp),3000 (tcp),5353 (udp),
      34515 (udp),38976 (udp),56167 (tcp)

The nmap command displays something else:

$ nmap ubuntu

Starting Nmap 5.00 ( http://nmap.org ) at 2010-09-20 00:07 CEST
Interesting ports on ubuntu (127.0.1.1):
Not shown: 996 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
111/tcp open  rpcbind
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 0.09 seconds

And my new rootcheck no longer displays the same thing at all as 5 days ago.

Here it says either false positive, or something really bad is going on!

[FAILED]: Port '2'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.

[FAILED]: Port '3'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.

[FAILED]: Port '4'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.

[FAILED]: Port '5'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.

[FAILED]: Port '7'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.

[FAILED]: Port '8'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.

[FAILED]: Port '9'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.

[FAILED]: Port '10'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.

[FAILED]: Port '11'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.

[FAILED]: Port '12'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.

[FAILED]: Port '13'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.

[FAILED]: Port '14'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.

[FAILED]: Port '15'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.

[FAILED]: Port '16'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.

[FAILED]: Port '17'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.

[FAILED]: Port '18'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.

[FAILED]: Port '19'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.

[FAILED]: Port '20'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.

[FAILED]: Port '21'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.

[FAILED]: Port '23'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.

[FAILED]: Port '24'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.

[FAILED]: Excessive number of 'tcp' ports hidden. It maybe a false-positive or something really bad is going on.

[FAILED]: Excessive number of 'udp' ports hidden. It maybe a false-positive or something really bad is going on.

[OK]: The following ports are open:
      XX (tcp)

[OK]: No problem detected on ifconfig/ifs. Analyzed 2 interfaces.

Last edited by MaryPopy (20/09/2010 at 00:28)

#93 20/09/2010 at 19:35

hartman

And what do you conclude from it? :D

It's a false positive; that's also the other side of the coin with IDSs.
To check that everything is ok, run a netstat (I usually use the -taupn options); that way you'll see the listening ports.
nmap will only scan the listening ports on 1 IP address (or a subnet), but for your local machine it's not much use.

Here are my ports:

Proto Recv-Q Send-Q Adresse locale          Adresse distante        Etat       PID/Program name
tcp        0      0 0.0.0.0:8333            0.0.0.0:*               LISTEN      2749/vmware-hostd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      921/portmap     
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      2775/apache2    
tcp        0      0 127.0.0.1:7634          0.0.0.0:*               LISTEN      1690/hddtemp    
tcp        0      0 127.0.0.1:8307          0.0.0.0:*               LISTEN      2749/vmware-hostd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1540/cupsd      
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2051/exim4      
tcp        0      0 0.0.0.0:8222            0.0.0.0:*               LISTEN      2749/vmware-hostd
tcp        0      0 0.0.0.0:902             0.0.0.0:*               LISTEN      2626/vmware-authdla
tcp6       0      0 :::8308                 :::*                    LISTEN      2629/webAccess  
tcp6       0      0 ::1:631                 :::*                    LISTEN      1540/cupsd      
tcp6       0      0 ::1:25                  :::*                    LISTEN      2051/exim4      
tcp6       0      0 127.0.0.1:8005          :::*                    LISTEN      2629/webAccess  
tcp6       0      0 :::8009                 :::*                    LISTEN      2629/webAccess  
udp        0      0 0.0.0.0:34368           0.0.0.0:*                           1377/avahi-daemon: 
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           1377/avahi-daemon: 
udp        0      0 0.0.0.0:111             0.0.0.0:*                           921/portmap

No need to scare yourself over nothing


P4 2.8Ghz 32bits / 1Go de RAM / GeForce FX5700LE.
Ubuntu Dapper Drake et Gutsy gibbon
Ubuntu documentation, for beginners and even the not-so-beginners :P


#94 20/09/2010, 19:38

MaryPopy

Re : OSSEC > NEW Détection d'intrusion + Rootcheck [solution]

hartman wrote:

No need to scare yourself over nothing

Yep, I'm looking forward to understanding all this better. I'm opening my books from 4 October.
But ports and networking aren't part of my syllabus yet.

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      877/portmap     
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1714/sshd       
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1884/cupsd      
tcp        0      0 0.0.0.0:49129           0.0.0.0:*               LISTEN      969/rpc.statd   
tcp        0      0 192.168.1.33:43747      209.85.135.17:443       TIME_WAIT   -               
tcp        1      0 192.168.1.33:36030      91.189.89.31:80         CLOSE_WAIT  4573/gvfsd-http 
tcp        0      0 192.168.1.33:37663      74.125.43.100:80        TIME_WAIT   -               
tcp        0      0 192.168.1.33:37659      74.125.43.100:80        TIME_WAIT   -               
tcp        0      0 192.168.1.33:58330      212.243.221.246:80      TIME_WAIT   -               
tcp        0      0 192.168.1.33:34128      209.85.135.152:80       TIME_WAIT   -               
tcp        0      0 192.168.1.33:37648      74.125.43.100:80        TIME_WAIT   -               
tcp        0      0 192.168.1.33:44228      74.125.39.83:443        ESTABLISHED 7906/firefox-bin
tcp        0      0 192.168.1.33:37662      74.125.43.100:80        TIME_WAIT   -               
tcp        0      0 192.168.1.33:55210      193.247.193.34:80       ESTABLISHED 7906/firefox-bin
tcp        0      0 192.168.1.33:36352      74.125.39.139:443       ESTABLISHED 7906/firefox-bin
tcp        0      0 192.168.1.33:60387      74.125.43.136:80        ESTABLISHED 7906/firefox-bin
tcp        0      0 192.168.1.33:52387      74.125.39.100:80        ESTABLISHED 7906/firefox-bin
tcp        0      0 192.168.1.33:37661      74.125.43.100:80        TIME_WAIT   -               
tcp        0      0 192.168.1.33:46019      74.125.39.156:80        TIME_WAIT   -               
tcp        0      0 192.168.1.33:49680      209.85.135.101:80       ESTABLISHED 7906/firefox-bin
tcp        0      0 192.168.1.33:55212      193.247.193.34:80       ESTABLISHED 7906/firefox-bin
tcp        0      0 192.168.1.33:60406      74.125.43.136:80        ESTABLISHED 7906/firefox-bin
tcp        1      0 192.168.1.33:36036      91.189.89.31:80         CLOSE_WAIT  4573/gvfsd-http 
tcp        0      0 192.168.1.33:37660      74.125.43.100:80        TIME_WAIT   -               
tcp        0      0 192.168.1.33:46305      74.125.43.19:443        TIME_WAIT   -               
tcp6       0      0 :::22                   :::*                    LISTEN      1714/sshd       
tcp6       0      0 ::1:631                 :::*                    LISTEN      1884/cupsd      
udp        0      0 0.0.0.0:68              0.0.0.0:*                           1187/dhclient3  
udp        0      0 0.0.0.0:721             0.0.0.0:*                           969/rpc.statd   
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           1039/avahi-daemon: 
udp        0      0 0.0.0.0:111             0.0.0.0:*                           877/portmap     
udp        0      0 0.0.0.0:39058           0.0.0.0:*                           969/rpc.statd   
udp        0      0 0.0.0.0:38937           0.0.0.0:*                           1039/avahi-daemon:

Thanks.

Last edited by MaryPopy (21/09/2010, 00:25)


#95 20/09/2010, 19:57

hartman

Re : OSSEC > NEW Détection d'intrusion + Rootcheck [solution]

Note: (Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)

So put sudo in front of it.

Then read the netstat man page to understand what it's telling you.
What matters in your situation (knowing your listening ports) is the LISTEN ports (the rest doesn't matter much ^^).



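Added example, not code from the thread or from OSSEC itself: a Python script that parses the `netstat -taupn` output hartman and MaryPopy posted, keeps only the listening sockets (the LISTEN lines hartman points at), shows which of them are reachable from the network rather than loopback-only, and then re-derives the logic behind rootcheck's "Port 'N'(tcp) hidden" message: a port that a bind() probe finds in use but that netstat does not show in any state. The sample netstat text is copied from the thread and trimmed; the list of ports the probe "found in use" is constructed. One general caveat, stated here as a fact about bind() and not as the explanation of the result above: without root, binding a port below 1024 fails with EACCES, so a probe that treats every bind() failure as "in use" will report every privileged port as hidden.

```python
"""Added example, not code from the thread or from OSSEC: parse netstat -taupn,
list what is really listening, and re-derive rootcheck's hidden-port check."""
import errno
import socket
from dataclasses import dataclass

# Sample copied from the thread's netstat output and trimmed (constructed input).
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      877/portmap
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1714/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1884/cupsd
tcp        0      0 0.0.0.0:49129           0.0.0.0:*               LISTEN      -
tcp        0      0 192.168.1.33:44228      74.125.39.83:443        ESTABLISHED 7906/firefox-bin
tcp6       0      0 :::22                   :::*                    LISTEN      1714/sshd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           1187/dhclient3
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           1039/avahi-daemon:
"""


@dataclass(frozen=True)
class Sock:
    proto: str
    addr: str
    port: int
    state: str    # "" for UDP, which has no State column
    program: str  # "-" when netstat could not read the owner (run it with sudo)


def parse_netstat(text):
    """Turn netstat -taupn lines into Sock records; header and noise lines are skipped."""
    socks = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        proto, local = parts[0], parts[3]
        addr, _, port = local.rpartition(":")   # ":::22" -> ("::", "22")
        if proto.startswith("tcp"):
            state = parts[5]
            program = parts[6] if len(parts) > 6 else "-"
        else:
            state, program = "", parts[5]
        socks.append(Sock(proto, addr, int(port), state, program))
    return socks


def listening(socks):
    """The 'LISTEN ports' hartman means: TCP listeners plus every bound UDP socket."""
    return [s for s in socks if s.proto.startswith("udp") or s.state == "LISTEN"]


def exposure(sock):
    """Loopback-only services cannot be reached from the network."""
    if sock.addr in ("0.0.0.0", "::"):
        return "all interfaces"
    if sock.addr in ("127.0.0.1", "::1"):
        return "loopback only"
    return "one address"


def probe_in_use(port, proto="tcp"):
    """bind() probe in the spirit of rootcheck. Returns 'in_use', 'free' or
    'no_permission'; the last is what an unprivileged user gets on ports
    below 1024 and must not be counted as a hidden port."""
    kind = socket.SOCK_STREAM if proto == "tcp" else socket.SOCK_DGRAM
    with socket.socket(socket.AF_INET, kind) as s:
        try:
            s.bind(("0.0.0.0", port))
        except OSError as exc:
            if exc.errno == errno.EADDRINUSE:
                return "in_use"
            if exc.errno == errno.EACCES:
                return "no_permission"
            raise
    return "free"


def hidden_ports(in_use, socks, proto="tcp"):
    """Ports the probe found in use that netstat does not show in ANY state.
    A client socket in ESTABLISHED or TIME_WAIT occupies its port too, so
    comparing against listeners only would produce false positives."""
    visible = {s.port for s in socks if s.proto.startswith(proto)}
    return sorted(set(in_use) - visible)


def main():
    socks = parse_netstat(SAMPLE_NETSTAT)
    for s in listening(socks):
        print(f"{s.proto:5} {s.port:5} {exposure(s):15} {s.program}")
    # Constructed probe result: 44228 is the ESTABLISHED client port above,
    # 31337 is in use but absent from netstat, the case rootcheck calls hidden.
    print("hidden:", hidden_ports([22, 111, 44228, 31337], socks))


if __name__ == "__main__":
    main()
```

Run netstat with sudo on the real box whenever the PID/Program name column shows `-` (port 49129 in the sample), otherwise the owner of that socket stays unknown. `probe_in_use` is deliberately not called from `main`, since its result depends on the machine it runs on and on whether it runs as root.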

#96 21/09/2010, 10:36

castor77

Re : OSSEC > NEW Détection d'intrusion + Rootcheck [solution]

Well, I've got a level 12 alert (usually I get tons of level 2 or 3 ones).

Rule: 40101 fired (level 12) -> "System user successfully logged to the system."
Portion of the log(s):

Sep 21 10:06:19 xyzertyu su[15609]: + ??? root:nobody


"I know this music", Le 5ème élément.


#97 21/09/2010, 18:45

hartman

Re : OSSEC > NEW Détection d'intrusion + Rootcheck [solution]

And do you have anything in your logs?

I haven't looked into OSSEC more than that, but you do need to understand how it works to interpret the results properly.

I found that rule's id in attack_rules.xml, but I don't have any more information on it ^^.



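Added example, not from the thread and not OSSEC's own code: a small decoder for the su(1) syslog line castor77 posted, and a re-implementation of the condition behind rule 40101, which fires on a successful authentication whose target account is a system user. In su's log format `+` means success, `-` failure, and `???` stands for "no controlling terminal", which is typical of a job started by cron or a daemon rather than an interactive shell. The set of system accounts and the three extra log lines are constructed; the real rule's user regex is the one in attack_rules.xml.

```python
"""Added example, not code from the thread or from OSSEC: decode the su(1)
syslog line behind the level-12 alert and apply the condition of rule 40101."""
import re

# su logs "+ TTY OLD:NEW" on success and "- TTY OLD:NEW" on failure;
# "???" is what it writes when there is no controlling terminal (e.g. cron).
SU_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) su\[(?P<pid>\d+)\]: "
    r"(?P<result>[+-]) (?P<tty>\S+) (?P<srcuser>[^:\s]+):(?P<dstuser>\S+)$"
)

# Assumed set of system accounts. OSSEC's real rule carries its own user
# regex in attack_rules.xml; this set only reproduces the idea.
SYSTEM_USERS = {"nobody", "www-data", "daemon", "bin", "sys", "mail",
                "lp", "news", "uucp", "proxy", "backup", "games", "man"}

# Constructed sample: the first line is the one quoted in the thread.
SAMPLE_LOGS = [
    "Sep 21 10:06:19 xyzertyu su[15609]: + ??? root:nobody",
    "Sep 21 10:07:02 xyzertyu su[15633]: + pts/1 alice:root",
    "Sep 21 10:07:40 xyzertyu su[15640]: - pts/1 alice:nobody",
    "Sep 21 10:08:11 xyzertyu sshd[15655]: Accepted publickey for alice",
]


def decode_su(line):
    """Return the fields a decoder would extract, or None if this is not an su line."""
    m = SU_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["success"] = ev.pop("result") == "+"
    return ev


def rule_40101(ev):
    """authentication_success whose target account (dstuser) is a system user."""
    return ev is not None and ev["success"] and ev["dstuser"] in SYSTEM_USERS


def evaluate(lines):
    """One boolean per input line: does rule 40101 fire on it?"""
    return [rule_40101(decode_su(line)) for line in lines]


def main():
    for line, fired in zip(SAMPLE_LOGS, evaluate(SAMPLE_LOGS)):
        ev = decode_su(line)
        who = (f"{ev['srcuser']} -> {ev['dstuser']} on tty {ev['tty']}"
               if ev else "not an su event")
        print(f"{'ALERT 40101' if fired else 'no alert   '}  {who}")


if __name__ == "__main__":
    main()
```

The point of splitting decoding from the rule is the same as in OSSEC: the decoder only extracts `srcuser`, `dstuser` and `tty`, and the rule decides whether that combination deserves a level-12 alert. Looking at `srcuser` and `tty` together is what tells you whether the alert is a scheduled job switching from root to an unprivileged account or an interactive session worth investigating.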

#98 23/09/2010, 12:05

castor77

Re : OSSEC > NEW Détection d'intrusion + Rootcheck [solution]

OK, thanks hartman.




#99 28/09/2010, 23:12

castor77

Re : OSSEC > NEW Détection d'intrusion + Rootcheck [solution]

V2.5 released!




#100 28/09/2010, 23:26

MaryPopy

Re : OSSEC > NEW Détection d'intrusion + Rootcheck [solution]

I'll test it... Thanks.
