[ssh bad client public DH value]
log 1 pass = Feb 4 23:05:57 someserver sshd[1234]: Disconnecting: bad client public DH value [preauth]
+log 1 pass = Feb 4 23:05:57 someserver sshd[1234]: Disconnecting: bad client public DH value
rule = 5747
alert = 6
[ssh corrupted MAC on input]
log 1 pass = Feb 14 14:34:15 someserver sshd[1234]: Corrupted MAC on input. [preauth]
+log 2 pass = Nov 22 19:24:55 server sshd[4046]: Corrupted MAC on input.
rule = 5748
alert = 6
[ssh bad packet length]
log 1 pass = Mar 4 13:34:59 someserver sshd[5396]: Bad packet length 4081586742. [preauth]
+log 2 pass = Mar 4 13:34:59 someserver sshd[5396]: Bad packet length 4081586742.
rule = 5749
alert = 4
decoder = sshd
+
+[ssh unable to negotiate]
+log 1 pass = Mar 3 10:56:18 junction sshd[32065]: fatal: Unable to negotiate with 202.191.177.33 port 3579: no matching cipher found. Their offer: 3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc [preauth]
+
+rule = 5753
+alert = 2
+decoder = sshd
+
+[ssh no matching key exchange]
+log 1 pass = Sep 16 05:46:56 junction sshd[1961]: fatal: Unable to negotiate with 108.229.36.174: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1 [preauth]
+log 2 pass = Apr 18 21:27:08 web2 sshd[23484]: fatal: Unable to negotiate a key exchange method [preauth]
+
+rule = 5752
+alert = 2
+decoder = sshd
+
+[invalid user]
+log 1 pass = 2013-10-30T14:51:21.901728+01:00 srv sshd[12664]: Postponed keyboard-interactive for invalid user warez from 192.241.237.101 port 54197 ssh2 [preauth]
+log 2 pass = 2013-10-30T14:51:24.140565+01:00 srv sshd[12664]: Failed keyboard-interactive/pam for invalid user warez from 192.241.237.101 port 54197 ssh2
+log 3 fail = 2013-10-30T14:51:24.139258+01:00 srv sshd[12664]: error: PAM: User not known to the underlying authentication module for illegal user warez from 192.241.237.101
+log 4 pass = 2013-10-30T14:51:30.267401+01:00 srv sshd[12671]: Invalid user opcione from 192.241.237.101
+log 5 fail = 2013-10-30T14:51:30.267906+01:00 srv sshd[12671]: input_userauth_request: invalid user opcione [preauth]
+
+rule = 5710
+alert = 5
+decoder = sshd
+
+[failed to create session]
+log 1 pass = May 4 17:48:43 collectd sshd[15044]: pam_systemd(sshd:session): Failed to create session: Access denied
+
+rule = 5754
+alert = 1
+decoder = sshd
+
+[bad authorized_keys]
+log 1 pass = May 4 18:30:04 collectd sshd[15191]: Authentication refused: bad ownership or modes for file /home/ansible/.ssh/authorized_keys
+
+rule = 5755
+alert = 2
+decoder = sshd
+
+[subsystem failed]
+log 1 pass = May 5 05:00:38 junction sshd[28395]: subsystem request for netconf by user checker failed, subsystem not found
+
+rule = 5756
+alert = 0
+decoder = sshd
+
+[login failed]
+log 1 pass = Aug 18 07:30:25 192.168.1.5 sshd[20247]: [ID 800047 auth.notice] Failed none for root from 192.168.1.1 port 36942 ssh2
+
+rule = 5716
+alert = 5
+decoder = sshd
+
+[bad dns]
+log 1 pass = Oct 20 12:33:07 ar-agent sshd[3433]: Address 192.168.18.54 maps to nmap.18.168.192.in-addr.arpa, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
+
+rule = 5757
+alert = 0
+decoder = sshd
+
+[max auth attempts]
+log 1 pass = Dec 27 03:23:51 r1 sshd[21183]: error: maximum authentication attempts exceeded for root from 183.106.179.x port 34100 ssh2 [preauth]
+log 2 fail = Aug 31 10:19:36 hostname sshd[12079]: error: maximum authentication attempts exceeded for invalid user service from 202.188.45.36 port 37313 ssh2 [preauth]
+
+rule = 5758
+alert = 8
+decoder = sshd
+
+[bad protocol]
+log 1 pass = Jun 28 19:35:39 xxx sshd[30255]: Bad protocol version identification '' from 188.18.81.21 port 60787
+
+rule = 5701
+alert = 8
+decoder = sshd
+
+[blocked by tcpwrapper]
+log 1 pass = Aug 30 18:12:54 hostname sshd[25350]: refused connect from 103.79.143.159 (103.79.143.159)
+
+rule = 2503
+alert = 5
+decoder = sshd
+
projects / ossec-hids.git / blobdiff