Itx8071-task2
This homework assignment requires the knowledge from Modules 6 and 7.
Create SEC rules that accomplish the following event correlation task:
1) monitor sshd log events and detect SSH probing from remote hosts, where the same non-existing user account is probed over SSH from 3 distinct IP addresses within 60 seconds or less.
For example, if the following events appear in the log
Nov 7 12:53:11 myhost sshd[10477]: Failed password for invalid user admin2 from 10.3.6.22 port 50087 ssh2 Nov 7 12:53:12 myhost sshd[10477]: Failed password for invalid user admin2 from 10.3.6.22 port 50087 ssh2 Nov 7 12:53:39 myhost sshd[10479]: Failed password for invalid user oracle from 10.3.6.24 port 9899 ssh2 Nov 7 12:53:40 myhost sshd[10479]: Failed password for invalid user oracle from 10.3.6.24 port 9899 ssh2 Nov 7 12:54:01 myhost sshd[10527]: Failed password for invalid user admin2 from 10.1.2.52 port 40106 ssh2 Nov 7 12:54:02 myhost sshd[10527]: Failed password for invalid user admin2 from 10.1.2.52 port 40106 ssh2 Nov 7 12:54:07 myhost sshd[10543]: Failed password for invalid user admin2 from 10.17.8.9 port 32444 ssh2
your SEC rule should detect SSH probing for non-existing use admin2, since this user was probed between 12:53:11 and 12:54:07 from 3 distinct IP addresses 10.3.6.22, 10.1.2.52 and 10.17.8.9.
Also note that the detection should be done with a sliding window approach -- if the counting operation for some non-existing user has not seen enough events during 60 seconds, the 60 second detection window should be moved forward.
2) if the previous condition has been detected for 3 distinct non-existing users during 900 seconds (for example, admin2, oracle and testuser3 have been probed within 900 seconds), report this event to the local root-user via e-mail. After an e-mail has been sent, ensure than no repeated e-mails are generated during the following 3600 seconds.
Some hints for accomplishing this assignment: - don't try to solve the whole assignment with just one rule, but rather write
several rules which interact,
- if SSH probing for some non-existing user account is detected (as described
in the first subtask), you could generate a relevant synthetic event for this user, in order to provide input for further event correlation rules.
Apart from studying the examples from the course slides, have a look at the SEC man page (installed at the virtual machines or found at http://simple-evcorr.sourceforge.net/man.html).