[CentOS] Intrusion Detection Systems
webmaster at ew3d.com
Thu Sep 27 07:13:00 UTC 2007
Stephen John Smoogen wrote:
> On 9/26/07, John Hinton <webmaster at ew3d.com> wrote:
>> Situation: We are providing hosting services.
>> I've grown tired of the various kiddie scripts/dictionary attacks on
>> various services. The latest has been against vsftpd, on systems that I
>> can't easily control vs. putting strict limits on ssh. We simply have
>> too many users entering from too many networks many with dynamic IP
>> Enter.... thinking about LIDS or Log Based Intrusion Detection.
>> I've run across four systems.
>> Blockhosts, DenyHosts, fail2ban and OSSEC.
>> DenyHosts apparently only works with ssh, so I've discounted using that.
> denyhosts will work with anything that uses tcp_wrappers. You can futz
> it to work with ssh, vsftpd, etc. However beyond that I can't be of
> much help at the moment. I would say go with multiple layers as much
> as possible.

WOW! I just did an install of OSSEC on a couple of servers and so far
I'm very impressed. First, the installation was as good as anything I've
ever done with the exception of an RPM. Extremely clear and worked
great. You do need gcc and glibc on the system.

As I was reading about doing the installation, I discovered there are
three different installs. These are local, server, and agent. If you are
doing a single stand-alone system you do local. If you have a bank of
servers with like configurations you do server on one and agent on the
others. The program contains a key generation allowing you to very
easily create an ssh connection between the server and agent(s). If one
had systems that were a bit different, like three of one type of setup
and 5 of another, you could do two server installs and do agent installs
on those like systems.

The install includes rules for just about everything.. vsftpd, sendmail,
postfix, ssh, spamd, mailscanner and on and on even into the winders
world as it runs on that platform as well. It tracks various logfile
errors, filesystem changes and looks for rootkits.

Those rules can all be edited for what to do, from notify you to taking
an active response. For instance you can set it to block failed login
attempts on ssh after a certain number of attempts and for the amount of
time you want to do the block. You can even wrap rules together so that
if this rule goes off during a time period and this other rule is then
set off, you can have it do something more strict.. like longer times of
blocking. The blocks can be done with hosts.deny or iptables or both.

There's also a web based gui which refreshes itself which shows you the
latest warnings. It will also send email alerts based on set security
As for the file/directory checks, you can set it to watch any particular
file or directory for changes and if the initial setup is throwing too
many errors, you can set it to ignore any particular file or directory
So, it will monitor activities and allow you to simply be informed via
email and/or web interface, or you can just hit its logs to see what's
going on. You can tune the rules to be proactive, stopping pretty much
any attack or attempt for any service. I'm actually thinking about tying
it into the spamhaus rules so that a block is done before smtp based on
multiple failures due to blacklisting. This will reduce server loads. It
could also do rejects based on non-existent email addresses,
spamassassin scores, or clamav responses. For instance one could set a
rule that if a virus came in 5 times from a particular IP address, you
could block that address for a day. I'm seeing this as much more than a
script-kiddie tool. More a tool to handle that and also reduce
The worst thing will be deciding what is safe and where to stop. :)

Anyway, I have to give this a big thumbs up so far. It has successfully
blocked a few vsftpd attempts, one ssh attempt over the last few hours.
This kills the script on the other end even if they are just blocked for
ten minutes. It sure beats the heck out of waking up to logwatch reports
to find a 24 meg email with 79000 attempts to make a connection to vsftpd!
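The escalating rule-chaining and active-response setup John describes (a short block on repeated failed ssh logins, a much longer one if the same source keeps coming back after the first block expires) looks like this in OSSEC configuration. This is an added example, not from the post or from OSSEC's shipped configuration; rule ids 100100 and 100101 are chosen from the range OSSEC reserves for local rules, 5716 is OSSEC's stock "SSHD authentication failed" rule, and firewall-drop and host-deny are the stock active-response commands (iptables DROP and /etc/hosts.deny respectively) that OSSEC's default ossec.conf already defines.

```xml
<!-- ===== /var/ossec/rules/local_rules.xml (local rules, ids 100000+) ===== -->
<group name="local,syslog,sshd,">

  <!-- Stage 1: six "SSHD authentication failed" events (stock rule 5716)
       from the same source IP within 120 seconds. -->
  <rule id="100100" level="10" frequency="6" timeframe="120">
    <if_matched_sid>5716</if_matched_sid>
    <same_source_ip />
    <description>Repeated ssh authentication failures from one source (local rule)</description>
  </rule>

  <!-- Stage 2: rule 100100 itself has fired three times within an hour from
       the same source, i.e. the script came back after the short block ended. -->
  <rule id="100101" level="12" frequency="3" timeframe="3600">
    <if_matched_sid>100100</if_matched_sid>
    <same_source_ip />
    <description>Persistent ssh brute force from one source, escalating block (local rule)</description>
  </rule>

</group>

<!-- ===== /var/ossec/etc/ossec.conf (active responses keyed on those ids) ===== -->
<ossec_config>
  <!-- Stage 1 response: iptables DROP of the source for ten minutes. -->
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>100100</rules_id>
    <timeout>600</timeout>
  </active-response>

  <!-- Stage 2 response: add the source to /etc/hosts.deny for a day. -->
  <active-response>
    <command>host-deny</command>
    <location>local</location>
    <rules_id>100101</rules_id>
    <timeout>86400</timeout>
  </active-response>
</ossec_config>
```

The same pattern applies to the vsftpd or smtp cases in the post by pointing `if_matched_sid` at the relevant stock rule instead of 5716; check the actual log output against the rule ids in your installed ruleset before relying on it.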