SSH rule set? #824

Closed
killmasta93 opened this issue Feb 20, 2021 · 2 comments

Comments

@killmasta93

Hi
I was wondering if someone could shed some light on the issue I'm having. Currently I have this configured in the local rules:

<rule id="5715" level="12" overwrite="yes">
  <if_sid>5700</if_sid>
  <match>^Accepted|password.$</match>
  <description>sshd: authentication success.</description>
  <mitre>
    <id>T1078</id>
    <id>T1021</id>
  </mitre>
  <group>authentication_success,pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
</rule>

I was wondering if I can ignore the following message, because pve-zsync runs every hour and I'm getting an alert each time:

Feb 20 12:05:20 prometheus12 sshd[13477]: Accepted publickey for root from 192.168.3.152 port 60512 ssh2: RSA SHA256:xzTsMv/EcwmdaWD2mOWbVpouFSUH+o52Gth1txsGQRw

or at least ignore exactly this part of the line: Accepted publickey for root from 192.168.3.152,
as this IP is one of the servers that automatically SSHes into another server to send the snapshot.

Thank you

@72nomada

Hi @killmasta93,

Maybe this will help

<rule id="5715" level="12" overwrite="yes">
  <if_sid>5700</if_sid>
  <match>^Accepted|password.$</match>
  <description>sshd: authentication success.</description>
  <mitre>
    <id>T1078</id>
    <id>T1021</id>
  </mitre>
  <group>authentication_success,pci_dss_10.2.5,gpg13_7.1,gpg13_7.2,gdpr_IV_32.2,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
</rule>

<rule id="100002" level="0">
  <if_sid>5715</if_sid>
  <match>192.168.3.152</match>
  <match>EcwmdaWD2mOWbVpouFSUH+o52Gth1txsGQRw</match>
  <description>sshd: ignored known access from PVE-ZYNC.</description>
</rule>

Check that there is no rule with id 100002 already in your local ruleset, and verify that it works in your logtest.
Ping here if it doesn't work.
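To see what the suggested rule buys by matching the key fingerprint and not just the source address, here is an added example in Python that re-implements the same decision over constructed sshd log lines. It is not part of the issue thread and not Wazuh code: the parsing of the "Accepted" line and the allowlist lookup are written from scratch, the level values 12 and 0 mirror the two rules posted above, and every sample line except the one quoted in the issue is made up for the illustration.

```python
"""Allowlist check for sshd "Accepted" events, modelled on the rule 5715 /
100002 pair from the thread. Added example, not Wazuh code: the matching is
re-implemented in Python so the behaviour can be exercised offline."""
import re
from dataclasses import dataclass
from typing import Optional

# sshd: "Accepted <method> for <user> from <ip> port <port> ssh2[: <keytype> <fingerprint>]"
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2"
    r"(?:: (?P<keytype>\S+) (?P<fp>SHA256:[A-Za-z0-9+/=]+))?"
)

# Constructed allowlist of (source IP, key fingerprint) for automated jobs such
# as pve-zsync. The pair below is the one quoted in the issue.
KNOWN_AUTOMATION = {
    ("192.168.3.152", "SHA256:xzTsMv/EcwmdaWD2mOWbVpouFSUH+o52Gth1txsGQRw"),
}


@dataclass
class Decision:
    alert: bool
    level: int   # 12 mirrors rule 5715; 0 mirrors the suppressing child rule
    reason: str


def classify(line: str, allowlist=KNOWN_AUTOMATION) -> Optional[Decision]:
    """Return None for lines the parent rule would not match, else the decision."""
    m = ACCEPTED_RE.search(line)
    if m is None:
        return None
    method, user, ip, fp = m["method"], m["user"], m["ip"], m["fp"]
    if method == "publickey" and (ip, fp) in allowlist:
        return Decision(False, 0, f"known automation key from {ip}")
    if ip in {known_ip for known_ip, _ in allowlist}:
        # Same host, but not the expected key (or not key auth at all).
        # A rule that only matched the address would silently drop this one.
        return Decision(True, 12,
                        f"{method} login for {user} from trusted host {ip} "
                        f"with an unexpected credential")
    return Decision(True, 12, f"{method} login for {user} from {ip}")


# Constructed sample lines; the first is the one quoted in the issue.
SAMPLES = [
    "Feb 20 12:05:20 prometheus12 sshd[13477]: Accepted publickey for root from "
    "192.168.3.152 port 60512 ssh2: RSA SHA256:xzTsMv/EcwmdaWD2mOWbVpouFSUH+o52Gth1txsGQRw",
    # same host, different key (constructed fingerprint)
    "Feb 20 13:05:20 prometheus12 sshd[13590]: Accepted publickey for root from "
    "192.168.3.152 port 60700 ssh2: ED25519 SHA256:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
    # same host, password authentication
    "Feb 20 13:07:01 prometheus12 sshd[13601]: Accepted password for root from "
    "192.168.3.152 port 60710 ssh2",
    # known key presented from an unexpected host
    "Feb 20 13:09:44 prometheus12 sshd[13622]: Accepted publickey for root from "
    "10.0.0.9 port 41000 ssh2: RSA SHA256:xzTsMv/EcwmdaWD2mOWbVpouFSUH+o52Gth1txsGQRw",
    # unrelated sshd line, not an "Accepted" event
    "Feb 20 13:10:00 prometheus12 sshd[13630]: Failed password for invalid user admin "
    "from 10.0.0.9 port 41002 ssh2",
]


def run_samples(lines=SAMPLES):
    """Alert flag per line: True = alert, False = suppressed, None = parent rule did not match."""
    return [None if (d := classify(l)) is None else d.alert for l in lines]


if __name__ == "__main__":
    for line, flag in zip(SAMPLES, run_samples()):
        label = "no match" if flag is None else ("ALERT" if flag else "suppressed")
        print(f"{label:>10}  {line[:72]}")
```

Only the exact host-and-key pair is suppressed; the same host arriving with another key or with a password, and the known key arriving from another host, still alert. That is the property worth confirming when you feed the real lines through the logtest tool before trusting the rule in production.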

@killmasta93

Thank you so much, that did the trick.
