similar to: Intrusion Detection Systems

Displaying 20 results from an estimated 2000 matches similar to: "Intrusion Detection Systems"

2010 Feb 10
3
saslauthd attack
I'm seeing a lot of activity over the last two days with what looks to be a kiddie script. Mostly trying to access several of our servers with the username anna. All failed... in fact I don't think we have a user anna on any of our servers. Meanwhile... I'm running Sendmail. This pertains to Centos 4 and 5 servers. I'm also running fail2ban on some and Ossec on others. So far,
2009 Jul 09
3
Looking for recommendations for blocking hacking attempts
Hello: I have been looking into projects that will automatically restrict hacking attempts on my servers running CentOS 5. I think the two top contenders are: DenyHosts - http://denyhosts.sourceforge.net Fail2ban - http://www.fail2ban.org From what I see, DenyHosts only blocks based on failed SSH attempts whereas Fail2ban blocks failed attempts for other access as well. The main benefit
2006 Aug 30
3
No tcp wrappers, other ideas to help stop brute force attacks?
I'm looking for a way to deny access to dovecot from certain IP addresses, basically to help prevent brute force attacks on the server. Right now I'm using denyhosts which scans /var/log/secure for authentication failures which then can add an entry to /etc/hosts.deny, but since dovecot doesn't have tcp wrappers support, that doesn't do anything. It doesn't look like I can
2006 Dec 23
2
BlockHosts with CentOS 4.4?
I'm trying (and failing) to use BlockHosts to stop thousands of FTP login attempts. BlockHosts works fine with ssh but not with vsftp. I've found the problem but not the solution at http://www.aczoom.com/cms/forums/blockhosts/vsftp-hanging Can anyone help with either getting BlockHosts to work or suggesting another method?
2006 Mar 20
6
[OT maybe] netcafe firewall
Hi all, I apologise in advance if this is a little OT, but I am building a box that will serve as firewall and router for a small 'internet cafe / netcafe' and am using CentOS... So here it is: What are the best tools to be used for keeping the potential script kiddies from 'harming the Internet' :) ? I specifically want to be able to detect and prevent
2006 Apr 25
2
firewall based antivirus/trojan blocking and intrusion detection [dnk]
Can anyone recommend an opensource package (preferably something centos 4X compatible) that can be used on a (iptables) firewall to block virus/trojan, etc? And maybe something for intrusion detection? Thanks! Dnk
2012 May 25
4
PCI/DSS compliance on CentOS
I have a client project to implement PCI/DSS compliance. The PCI/DSS auditor has stipulated that the web server, application middleware (tomcat), the db server have to be on different systems. In addition the auditor has also stipulated that there be a NTP server, a "patch" server, The Host OS on all of the above nodes will be CentOS 6.2. Below is a list of things that would be
2011 May 24
5
CentOS 5.6 PHP 5.3 and SquirrelMail
OK, so I did an upgrade to PHP 5.3 on one of my servers. I noticed the uninstall of php also removed SquirrelMail and it won't install under PHP 5.3. Has anybody worked this out with a good RPM or repo solution? -- John Hinton 877-777-1407 ext 502 http://www.ew3d.com Comprehensive Online Solutions
2009 Nov 25
1
Puppet custom functions and user permissions
Puppet custom functions and user permissions I am busy writing a custom function to automatically add OSSEC agents to an OSSEC server after installation. Unfortunately, it seems that puppetmasterd is not respecting the entries in /etc/group in linux. No matter how many other groups the puppet user has been added to in /etc/group, when puppetmasterd runs the custom function the effective/real user
2010 Mar 04
8
Intrusion Detection
Hello all, I have been exploring the various intrusion detection systems available for the Linux platform and was wondering what ones you all would recommend? I have used AIDE before and while it is extremely easy to set up, it does not support the ability to send alerts as files are changed (allows one to be aware of an intrusion almost immediately). Thank you, Dan Burkland
2017 Nov 06
1
How to detect botnet user on the server ?
Another alternative is to use a FIMS/HIDS such as Aide (Advanced Intrusion Detection Environment), OSSEC or Samhain. Be prepared to learn a lot about what your OS normally does behind the scenes (and thus a fair amount of initial fine tuning to exclude those things). Aide seems to work well (I've seen only one odd result) and is quite granular. However, it is local system based rather than
2009 Nov 28
6
AIDE or OSSEC on CentOS 5.4 x86_64?
Starting with a fresh load and after I finish hardening the load following the Center for Internet Security (CIS) guidance, I'm wondering whether AIDE or OSSEC would be a better intrusion detection system. I installed AIDE and did a quick test of AIDE and after initializing the db and applying the recent cups update, I found that 1700+ files had changed. Those are a lot of changes to wade
2011 Dec 17
1
Random Proliant Crashes CentOS 6.1
I've been seeing some random Proliant DL380 G4 64bit crashes. Each time, on the console are messages relating to jbd2/cciss and something about a waitfor 120 seconds. Is anybody else seeing anything like this? Oddly, I can't seem to find this in the logs. I guess it can't write when this happens. -- John Hinton 877-777-1407 ext 502 http://www.ew3d.com Comprehensive Online
2009 Aug 26
1
denyhosts configuration
Hello, I've installed denyhosts on centos 5.3 trying to block automated attacks on ssh. It appears to be working in that entries are being added to /etc/hosts.deny yet the daily emails sent from denyhosts show only one ip being added per day when the total is many more than that. My config is below, I've gone over it and am not seeing what I missed. Suggestions welcome. I was also
2008 Jul 19
6
Bind Firewall Rules
OK, so does anybody have a good firewall rule solution for what we're supposed to be doing with bind these days? Obviously port 53 is no longer enough. TIA John Hinton
2011 Jun 13
1
Unable to grep 5 mins logs
Hi Friends! I need to prepare a script which will grep logs from the current time to previous 5 mins, that is, if the current time is Mon Jun 13 12:40:40 IST 2011 then all the logs between the interval Mon Jun 12:35 - 12:40 2011 should be grepped by the script and appended to another file. However, the below script is not able to grep the desired logs, so I need some help in preparing the script.
2008 Mar 25
16
Securing SSH
So I set up ssh on a server so I could do some work from home and I think the second I opened it every sorry monkey from around the world has been trying every account name imaginable to get into the system. What's a good way to deal with this?
2005 Feb 07
3
Bind Issues
I'm running bind in a chroot environment. It seems that since the Redhat snafu which wrecked bind (yes, I had caching nameserver running as well but not anymore) I have been having problems with my slave nameservers retrieving updates from the master. Looking at the zone records, some are owned by root, some are owned by named. I'm now confused as to what the ownership should be and
2012 Aug 22
2
Hiera, OSSEC and per-node stuff?
Hi. I have an interesting use case. OSSEC is a security tool based on server-client architecture. Server generates keys for agents, and every agent has a different key. Now I want to distribute these keys via puppet. I've come across hiera and installed it, and it works superbly, but how to store per-node key in hiera? This is my idea: hiera,yaml: --- :hierarchy: -
2010 Aug 15
24
Xen patches merged to upstream Linux 2.6.36, plans for 2.6.37?
Hello, It looks like upstream linux-2.6.git contains at least the following xen related new features for Linux 2.6.36: - Xen-SWIOTLB support (required for Xen PCI passthru and dom0) - Xen PV-on-HVM drivers - Xen VBD online dynamic resize of guest disks (xvd*) Congratulations! What are the plans for 2.6.37 merge window? I believe at least: - Xen PCI frontend Others? I'm going to