Situation: We are providing hosting services.
I've grown tired of the various kiddie scripts/dictionary attacks on various services. The latest has been against vsftpd, on systems that I can't easily control vs. putting strict limits on ssh. We simply have too many users entering from too many networks, many with dynamic IP addresses.
Enter.... thinking about LIDS or Log Based Intrusion Detection.
I've run across four systems.
Blockhosts, DenyHosts, fail2ban and OSSEC.
DenyHosts apparently only works with ssh, so I've discounted using that.
Is anyone using one of these or something else that I've missed? At present, I'm leaning towards OSSEC for several reasons. First, it seems very robust. Second, you can set up a server/client structure, so only one machine acts as the server and all the others present data to it so that it can share with the entire system. The author seems to have considered some of the basic problems of log based systems and addressed those.
There does seem to be flexibility among these three systems in having the ability to monitor just about any log system and take action based on failed logins for instance.
So, what's the word from the list? Pros, cons, or other directions?
Thanks, John Hinton