Hello,
I have two questions.
My SSH port is 22, but I'm getting these emails from OSSEC which indicate SSH connections to funky ports:
Code:
Jul 30 09:42:40 ns1 sshd[3937]: Invalid user adauto from 200.140.143.10
Jul 30 09:42:40 ns1 sshd[3936]: Invalid user frida from 200.140.143.10
Jul 30 09:42:11 ns1 sshd[3932]: Failed password for invalid user fuad from 200.140.143.10 port 56565 ssh2
Jul 30 09:42:08 ns1 sshd[3932]: Invalid user fuad from 200.140.143.10
Jul 30 09:41:59 ns1 sshd[3930]: Failed password for invalid user frida from 200.140.143.10 port 56494 ssh2
Jul 30 09:41:57 ns1 sshd[3930]: Invalid user frida from 200.140.143.10
Jul 30 09:41:54 ns1 sshd[3928]: Failed password for invalid user frida from 200.140.143.10 port 56406 ssh2
I have only a handful of ports open in APF, and the ones listed are not among them. So my first question is: how could this be?
My second question is: how can I add the IPs of these attackers to hosts.deny with OSSEC automatically?
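
An added example, not part of the original post and not OSSEC configuration: a stand-alone Python parser for the sshd lines quoted above. It shows that the number after `port` in `from <ip> port <n>` is the remote client's source port (the server still accepted the connection on its own listening port), and it builds TCP-wrappers `hosts.deny` entries for repeat offenders. The function names and the threshold of 3 are assumptions made for this illustration.

```python
import re
from collections import Counter

# Log lines copied from the post above.
SAMPLE_LOG = """\
Jul 30 09:42:40 ns1 sshd[3937]: Invalid user adauto from 200.140.143.10
Jul 30 09:42:40 ns1 sshd[3936]: Invalid user frida from 200.140.143.10
Jul 30 09:42:11 ns1 sshd[3932]: Failed password for invalid user fuad from 200.140.143.10 port 56565 ssh2
Jul 30 09:42:08 ns1 sshd[3932]: Invalid user fuad from 200.140.143.10
Jul 30 09:41:59 ns1 sshd[3930]: Failed password for invalid user frida from 200.140.143.10 port 56494 ssh2
Jul 30 09:41:57 ns1 sshd[3930]: Invalid user frida from 200.140.143.10
Jul 30 09:41:54 ns1 sshd[3928]: Failed password for invalid user frida from 200.140.143.10 port 56406 ssh2
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# "from <ip> port <n>" names the remote peer, so <n> is the client's
# ephemeral source port, not a port the server listens on.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    rf"from (?P<ip>{IPV4}) port (?P<sport>\d+)"
)
INVALID = re.compile(rf"sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<ip>{IPV4})")

def summarize(log_text):
    """Return (failed passwords per IP, invalid-user probes per IP, source ports per IP)."""
    failed, invalid, ports = Counter(), Counter(), {}
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            failed[m["ip"]] += 1
            ports.setdefault(m["ip"], set()).add(int(m["sport"]))
            continue
        m = INVALID.search(line)
        if m:
            invalid[m["ip"]] += 1
    return failed, invalid, ports

def hosts_deny_lines(log_text, threshold=3):
    """Build hosts.deny entries for IPs with at least `threshold` failed passwords."""
    failed, _, _ = summarize(log_text)
    return [f"sshd: {ip}" for ip, n in sorted(failed.items()) if n >= threshold]

if __name__ == "__main__":
    failed, invalid, ports = summarize(SAMPLE_LOG)
    for ip in failed:
        print(ip, "failed:", failed[ip], "invalid-user:", invalid[ip],
              "client source ports:", sorted(ports[ip]))
    print("\n".join(hosts_deny_lines(SAMPLE_LOG)))
```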