Situation: We are providing hosting services.

I've grown tired of the various kiddie scripts/dictionary attacks on various services. The latest has been against vsftpd, on systems that I can't easily control vs. putting strict limits on ssh. We simply have too many users entering from too many networks, many with dynamic IP addresses.

Enter... thinking about LIDS or Log Based Intrusion Detection.

I've run across four systems:

Blockhosts, DenyHosts, fail2ban and OSSEC.

DenyHosts apparently only works with ssh, so I've discounted using that.

Is anyone using one of these or something else that I've missed?

At present, I'm leaning towards OSSEC for several reasons. First, it seems very robust. Second, you can set up a server/client structure, so only one machine acts as the server and all the others present data to it so that it can share with the entire system. The author seems to have considered some of the basic problems of log based systems and addressed those.

There does seem to be flexibility among these three systems in having the ability to monitor just about any log system and take action based on failed logins, for instance.

So, what's the word from the list? Pros, cons, or other directions?

Thanks,
John Hinton
John Hinton wrote:
> ...
> There does seem to be flexibility among these three systems in having
> the ability to monitor just about any log system and take action based
> on failed logins for instance.
>
> So, whats the word from the list? Pros cons or other directions?

I've always been rather fond of labrea (http://labrea.sourceforge.net/labrea-info.html) and portsentry (http://sourceforge.net/projects/sentrytools/); you might give them a gander.

--
Said one park ranger, 'There is considerable overlap between the intelligence of the smartest bears and the dumbest tourists.'
Mark D. Foster, CISSP <mark at foster.cc> http://mark.foster.cc/
On 9/26/07, John Hinton <webmaster at ew3d.com> wrote:
> Situation: We are providing hosting services.
>
> I've grown tired of the various kiddie scripts/dictionary attacks on
> various services. The latest has been against vsftpd, on systems that I
> can't easily control vs. putting strict limits on ssh. We simply have
> too many users entering from too many networks many with dynamic IP
> addresses.
>
> Enter.... thinking about LIDS or Log Based Intrusion Detection.
>
> I've run across four systems.
>
> Blockhosts, DenyHosts, fail2ban and OSSEC.
>
> DenyHosts apparently only works with ssh, so I've discounted using that.

DenyHosts will work with anything that uses tcp_wrappers. You can futz it to work with ssh, vsftpd, etc. However, beyond that I can't be of much help at the moment. I would say go with multiple layers as much as possible.

--
Stephen J Smoogen. -- CSIRT/Linux System Administrator
How far that little candle throws his beams! So shines a good deed in a naughty world. = Shakespeare. "The Merchant of Venice"
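The approach the thread is discussing, "monitor just about any log system and take action based on failed logins", reduces to a small amount of code, and the tcp_wrappers angle Stephen raises is the simplest action to take on the result. The following is an added example written for this thread, not code from any of the tools named in it: it parses constructed vsftpd and sshd failure lines, counts failures per source address in a sliding window, and renders the offenders as `/etc/hosts.deny` entries. The sample log lines, the thresholds, and the assumed year for the year-less syslog timestamps are all constructed for the example.

```python
"""Minimal log-based brute-force detector (added example, constructed data)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 5                # failures tolerated from one address ...
WINDOW = timedelta(minutes=10)  # ... within this sliding window
ASSUMED_YEAR = 2007             # syslog lines carry no year; assumed for the sample

# Constructed sample: vsftpd's own log (vsftpd_log_file) and sshd via syslog.
# 203.0.113.5 hammers vsftpd, 192.0.2.9 spreads its failures outside the
# window, 198.51.100.7 fails three times on sshd, and one successful login is
# mixed in so the parser has something to ignore.
SAMPLE_LOG = """\
Thu Sep 27 03:00:00 2007 [pid 1201] [bob] FAIL LOGIN: Client "192.0.2.9"
Thu Sep 27 03:00:10 2007 [pid 1202] [bob] FAIL LOGIN: Client "192.0.2.9"
Thu Sep 27 03:00:20 2007 [pid 1203] [bob] FAIL LOGIN: Client "192.0.2.9"
Thu Sep 27 03:00:30 2007 [pid 1204] [bob] FAIL LOGIN: Client "192.0.2.9"
Thu Sep 27 03:10:01 2007 [pid 1234] [bob] FAIL LOGIN: Client "203.0.113.5"
Thu Sep 27 03:10:03 2007 [pid 1235] [admin] FAIL LOGIN: Client "203.0.113.5"
Thu Sep 27 03:10:05 2007 [pid 1236] [test] FAIL LOGIN: Client "203.0.113.5"
Thu Sep 27 03:10:07 2007 [pid 1237] [ftp] FAIL LOGIN: Client "203.0.113.5"
Thu Sep 27 03:10:09 2007 [pid 1238] [bob] FAIL LOGIN: Client "203.0.113.5"
Thu Sep 27 03:10:11 2007 [pid 1239] [bob] FAIL LOGIN: Client "203.0.113.5"
Thu Sep 27 03:10:30 2007 [pid 1240] [alice] OK LOGIN: Client "192.0.2.44"
Sep 27 03:11:00 host1 sshd[2222]: Failed password for invalid user admin from 198.51.100.7 port 4444 ssh2
Sep 27 03:11:05 host1 sshd[2223]: Failed password for root from 198.51.100.7 port 4445 ssh2
Sep 27 03:11:09 host1 sshd[2224]: Failed password for invalid user oracle from 198.51.100.7 port 4446 ssh2
Thu Sep 27 03:15:00 2007 [pid 1250] [bob] FAIL LOGIN: Client "192.0.2.9"
"""

# Patterns follow the line formats the two daemons actually emit.
VSFTPD_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'(?:\[(?P<user>[^\]]*)\] )?FAIL LOGIN: Client "(?P<ip>[\d.]+)"')
SSHD_RE = re.compile(
    r'^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: '
    r'Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)')


def parse_failure(line):
    """Return (timestamp, ip, service) for a failed-login line, else None."""
    m = VSFTPD_RE.match(line)
    if m:
        ts = datetime.strptime(m.group('ts'), '%a %b %d %H:%M:%S %Y')
        return ts, m.group('ip'), 'vsftpd'
    m = SSHD_RE.match(line)
    if m:
        ts = datetime.strptime(f"{ASSUMED_YEAR} {m.group('ts')}", '%Y %b %d %H:%M:%S')
        return ts, m.group('ip'), 'sshd'
    return None


def detect_bans(lines, max_failures=MAX_FAILURES, window=WINDOW):
    """Count failures per source address in a sliding window.

    Returns {ip: (time_of_ban, service)} for every address that reached
    max_failures within window. Lines that are not failed logins are ignored.
    """
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    bans = {}
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue              # success, noise, or an unknown format
        ts, ip, service = parsed
        if ip in bans:
            continue              # already banned; nothing more to count
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # expire failures older than the window
        if len(q) >= max_failures:
            bans[ip] = (ts, service)
    return bans


def hosts_deny_lines(bans):
    """Render bans as tcp_wrappers entries for /etc/hosts.deny (the action DenyHosts takes)."""
    return [f"ALL: {ip}" for ip in sorted(bans)]


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect_bans(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for ip, (ts, svc) in run_sample().items():
        print(f"{ip}: {MAX_FAILURES} {svc} failures by {ts:%H:%M:%S}")
    print("\n".join(hosts_deny_lines(run_sample())))
```

Only 203.0.113.5 ends up in the deny list: 192.0.2.9 has five failures in total but never five inside one ten-minute window, and 198.51.100.7 stops at three. Two design points carry over to whichever tool is eventually chosen: the threshold must be judged against a time window rather than a lifetime count, or a legitimate user with a forgotten password on a shared NAT address is banned sooner or later, and a service's own log format (vsftpd's is not syslog) needs its own parser, which is exactly the per-service rule files fail2ban and OSSEC ship.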
On 27 September 2007, John Hinton <webmaster at ew3d.com> wrote:
> Message: 50
> Date: Thu, 27 Sep 2007 03:13:00 -0400
> <snip>
> WOW! I just did an install of OSSEC on a couple of servers and so far
> I'm very impressed. First, the installation was as good as anything

John:

Sounds like you are very pleased with OSSEC. Did you look at and discard SNORT? <http://www.snort.org/>

--
Lanny
Over 800 Magazine titles up to 80% off http://lowcostmagazines.com/
John Hinton <webmaster at ew3d.com> wrote:
> I did look at snort and actually some people run both snort and OSSEC. I
> don't remember the reasons.

Simply put, they're different things. Snort is a network IDS which examines network traffic packets, looking for the signatures of various attacks. OSSEC is a host IDS which monitors logs for evidence of attacks or misuse on a host OS. In many installations, you need them both.

Best,

---
Les Bell, RHCE, CISSP [http://www.lesbell.com.au]
Tel: +61 2 9451 1144 FreeWorldDialup: 800909