similar to: Constant regeneration of /etc/ssh/ssh_known_hosts

Displaying 20 results from an estimated 200 matches similar to: "Constant regeneration of /etc/ssh/ssh_known_hosts"

2019 Nov 14
0
how to know when a system is compromised
This is one where there's probably no limit to what you could do. We have a high-security environment and are using Aide and OSSEC. Aide has been good at reporting file system changes and is very granular, the dilemma is what to monitor and what to ignore (keep from being inundated with reports of innocuous changes at the risk of missing something). However, it is not daemon-based so
2017 Nov 06
1
How to detect botnet user on the server ?
Another alternative is to use a FIMS/HIDS such as Aide (Advanced Intrusion Detection Environment), OSSEC or Samhain. Be prepared to learn a lot about what your OS normally does behind the scenes (and thus a fair amount of initial fine tuning to exclude those things). Aide seems to work well (I've seen only one odd result) and is quite granular. However, it is local system based rather than
2009 Nov 25
1
Puppet custom functions and user permissions
Puppet custom functions and user permissions I am busy writing a custom function to automatically add OSSEC agents to an OSSEC server after installation. Unfortunately, it seems that puppetmasterd is not respecting the entries in /etc/group in linux. No matter how many other groups the puppet user has been added to in /etc/group, when puppetmasterd runs the custom function the effective/real user
2009 Jun 02
0
OSSEC Recipe?
Hi, I'm fairly new to Puppet but so far have been very pleased with the recipes and my own simple scripts. However, I've hit a wall in the form of OSSEC (http://www.ossec.net/main/). Most of my servers are running ubuntu or debian and neither support OSSEC via apt-get. I've thought about setting up my own local repository to handle this and to also package my own
2015 Jul 22
2
Keyboard Interactive Attack?
You need to disable "ChallengeResponse" (aka keyboard-interactive) authentication, not password authentication, to protect against this attack. On Jul 22, 2015, at 1:56 PM, Bostjan Skufca <bostjan at a2o.si> wrote: > > And to answer your question about what to do, you have three options: > - disable access to ssh with a firewall > - disable password authentication > -
2011 Jun 13
1
Unable to grep 5 mins logs
Hi Friends! I need to prepare a script which will grep logs from the current time to the previous 5 mins, that is, if the current time is Mon Jun 13 12:40:40 IST 2011 then all the logs in the interval Mon Jun 12:35 - 12:40 2011 should be grepped by the script and appended to another file. However, the below script is not able to grep the desired logs, so I need some help in preparing the script.
2012 Aug 22
2
Hiera, OSSEC and per-node stuff?
Hi. I have an interesting use case. OSSEC is a security tool based on a server-client architecture. The server generates keys for agents, and every agent has a different key. Now I want to distribute these keys via puppet. I've come across hiera and installed it, and it works superbly, but how to store a per-node key in hiera? This is my idea: hiera,yaml: --- :hierarchy: -
2007 Sep 26
4
Intrusion Detection Systems
Situation: We are providing hosting services. I've grown tired of the various kiddie scripts/dictionary attacks on various services. The latest has been against vsftpd, on systems that I can't easily control vs. putting strict limits on ssh. We simply have too many users entering from too many networks many with dynamic IP addresses. Enter.... thinking about LIDS or Log Based
2009 Nov 28
6
AIDE or OSSEC on CentOS 5.4 x86_64?
Starting with a fresh load and after I finish hardening the load following the Center for Internet Security (CIS) guidance, I'm wondering whether AIDE or OSSEC would be a better intrusion detection system. I installed AIDE and did a quick test of AIDE and after initializing the db and applying the recent cups update, I found that 1700+ files had changed. Those are a lot of changes to wade
2007 Aug 16
1
meaning and cause of kernel panic ??
Hello all. I have been running centos 4.5 final for some time without any problems. Been running great, until today. System was frozen and /var/log/messages showed: Aug 15 23:01:28 mydomain kernel: Unable to handle kernel NULL pointer dereference at virtual address 00000000 Aug 15 23:01:28 mydomain kernel: printing eip: Aug 15 23:01:28 mydomain kernel: c01b2de4 Aug 15 23:01:28 mydomain
2013 Jun 20
2
init.d scripts not starting at boot
I have just deployed a new CentOS 6.4 image on AWS, and I'm having issues with init.d scripts not starting up. I've verified the following: 1) They work on their own after boot 2) They're set to run at runlevels 3, 4, and 5 via chkconfig 3) The system boots up in runlevel 3 (no GUI) 4) There are no lingering PID files around after boot 5) Permissions
2014 May 22
1
Interesting new hack attack
In the past little while, we've seen a wave of attacks on asterisk, via the provisioning. It goes something like this: A. scan for IP phones on the internet, either via spotting something on port 5060, or via the port 80 web interface for the phone. Or, use web sites that scan the internet, and classify the machines, to make your work shorter. B. Once you get into the web GUI,
2010 Feb 10
3
saslauthd attack
I'm seeing a lot of activity over the last two days with what looks to be a kiddie script. Mostly trying to access several of our servers with the username anna. All failed... in fact I don't think we have a user anna on any of our servers. Meanwhile... I'm running Sendmail. This pertains to Centos 4 and 5 servers. I'm also running fail2ban on some and Ossec on others. So far,
2011 Aug 24
1
unlink_directory failed with 'Device or resource busy' on NFS
Hi, I'm getting some errors while I'm trying to move mailboxes from the IMAP server to an Outlook client. The error message is "IMAP command is failed" and I think it is useless. Here are the error messages written to the server's syslog. imap(name at domain.com): Error: unlink_directory(/data/domain.com/name/INBOX/direct/.nfs00000000000033fd000000cd)
2013 Oct 10
0
File integrity monitoring and expected Puppet changes
Hi all, How can I retrieve a file's most recent checksum as reported by puppet? I'm running Puppet 3.1, PuppetDB 1.4, and Foreman 1.2, and have looked through the various APIs as well as /var/lib/puppet/ on each node, but can't find a specific field for the checksum. I think it used to be in /var/lib/puppet/state/state.yaml, but was removed in recent puppet
2011 Sep 05
1
CentOS 6: snort, fwlogwatch
Hello, in CentOS 5 fwlogwatch is available. CentOS 6: I have found nothing. Snort: installation from source? Other idea? Alternative software? OSSEC? Thank you for help in advance. Best regards, Helmut
2003 Sep 17
1
[Bug 666] 'BatchMode yes' makes ssh(1) look for /usr/local/etc/ssh_known_hosts
http://bugzilla.mindrot.org/show_bug.cgi?id=666 Summary: 'BatchMode yes' makes ssh(1) look for /usr/local/etc/ssh_known_hosts Product: Portable OpenSSH Version: 3.7.1p1 Platform: Alpha OS/Version: OSF/1 Status: NEW Severity: critical Priority: P2 Component: sshd
2017 Nov 06
2
How to detect botnet user on the server ?
Hello guys, What is the best way to identify a possible user using a botnet with php on the server? And if he is using GET commands, for example, on another server. Does apache log outbound connections? If it is using a file that is not malicious, clam av would not identify it. Thanks
2019 Nov 14
4
how to know when a system is compromised
How do you know when a Linux system has been compromised? Every day I watch our systems with all the typical tools (ps, top, who), I watch firewall / IPS logs, I have logwatch set up and mailing daily summaries to me, and I dive deeper into logs if something looks suspicious. What am I missing or not looking at that you security gurus are looking at? I subscribe to the centos and SANS
2012 Jul 11
3
where is ssh_known_hosts file generated by sshkey ?
Hi, I was testing puppet exported resources as in http://docs.puppetlabs.com/guides/exported_resources.html and I had this test class (code is from another post). class ssh_known_hosts{ case $sshrsakey { '': { alert("No sshrsakey found for $fqdn") } default: { @@sshkey { $fqdn: