Stephen John Smoogen wrote:
> On 9/26/07, John Hinton webmaster@ew3d.com wrote:
>> Situation: We are providing hosting services.
>> I've grown tired of the various kiddie scripts/dictionary attacks on various services. The latest has been against vsftpd, on systems that I can't easily control vs. putting strict limits on ssh. We simply have too many users entering from too many networks, many with dynamic IP addresses.
>> Enter.... thinking about LIDS or Log Based Intrusion Detection.
>> I've run across four systems.
>> Blockhosts, DenyHosts, fail2ban and OSSEC.
>> DenyHosts apparently only works with ssh, so I've discounted using that.
> denyhosts will work with anything that uses tcp_wrappers. You can futz it to work with ssh, vsftpd, etc. However beyond that I can't be of much help at the moment. I would say go with multiple layers as much as possible.
WOW! I just did an install of OSSEC on a couple of servers and so far I'm very impressed. First, the installation was as good as anything I've ever done with the exception of an RPM. Extremely clear and worked great. You do need gcc and glibc on the system.
As I was reading about doing the installation, I discovered there are three different installs. These are local, server, and agent. If you are doing a single stand-alone system you do local. If you have a bank of servers with like configurations you do server on one and agent on the others. The program contains a key generation allowing you to very easily create an ssh connection between the server and agent(s). If one had systems that were a bit different, like three of one type of setup and 5 of another, you could do two server installs and do agent installs on those like systems.
The install includes rules for just about everything.. vsftpd, sendmail, postfix, ssh, spamd, mailscanner and on and on even into the winders world as it runs on that platform as well. It tracks various logfile errors, filesystem changes and looks for rootkits.
Those rules can all be edited for what to do, from notifying you to taking an active response. For instance you can set it to block failed login attempts on ssh after a certain number of attempts and for the amount of time you want to do the block. You can even wrap rules together so that if this rule goes off during a time period and this other rule is then set off, you can have it do something more strict, like longer times of blocking. The blocks can be done with hosts.deny or iptables or both.
There's also a web-based GUI which refreshes itself and shows you the latest warnings. It will also send email alerts based on set security levels.
As for the file/directory checks, you can set it to watch any particular file or directory for changes and if the initial setup is throwing too many errors, you can set it to ignore any particular file or directory change.
So, it will monitor activities and allow you to simply be informed via email and/or web interface, or you can just hit its logs to see what's going on. You can tune the rules to be proactive, stopping pretty much any attack or attempt for any service. I'm actually thinking about tying it into the spamhaus rules so that a block is done before smtp based on multiple failures due to blacklisting. This will reduce server loads. It could also do rejects based on non-existent email addresses, spamassassin scores, or clamav responses. For instance one could set a rule that if a virus came in 5 times from a particular IP address, you could block that address for a day. I'm seeing this as much more than a script-kiddie tool. More a tool to handle that and also reduce mailserver loads.
The worst thing will be deciding what is safe and where to stop. :)
Anyway, I have to give this a big thumbs up so far. It has successfully blocked a few vsftpd attempts and one ssh attempt over the last few hours. This kills the script on the other end even if they are just blocked for ten minutes. It sure beats the heck out of waking up to logwatch reports to find a 24 meg email with 79000 attempts to make a connection to vsftpd!
Best, John Hinton
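As an added illustration (not from John's mail and not OSSEC's shipped rule set), this is what the "rule goes off N times in a period, then block, and block longer if it keeps happening" setup he describes looks like in OSSEC's own configuration: a composite local rule built on the generic `authentication_failed` group that the stock sshd and vsftpd rules tag failed logins with, an escalation rule on top of it, and active-response stanzas that run the bundled firewall-drop (iptables) and host-deny (hosts.deny) scripts for a set timeout. The rule ids (100010/100011, in the range OSSEC reserves for local rules), thresholds and timeouts are assumed values chosen for the example.

```xml
<!-- local_rules.xml: composite rules on top of OSSEC's generic "authentication_failed"
     group.  Ids >= 100000 are for local rules; these ids and thresholds are assumed. -->
<group name="local,authentication_failures,">
  <!-- 5 failed logins from the same source IP within 2 minutes, any service -->
  <rule id="100010" level="10" frequency="5" timeframe="120">
    <if_matched_group>authentication_failed</if_matched_group>
    <same_source_ip />
    <description>Multiple failed logins from the same source IP.</description>
  </rule>

  <!-- escalation: the burst rule above fired twice within an hour from one source -->
  <rule id="100011" level="12" frequency="2" timeframe="3600">
    <if_matched_sid>100010</if_matched_sid>
    <same_source_ip />
    <description>Repeated brute-force bursts from the same source IP.</description>
  </rule>
</group>

<!-- ossec.conf: the response commands and which rules trigger them -->
<ossec_config>
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
  </command>
  <command>
    <name>host-deny</name>
    <executable>host-deny.sh</executable>
    <expect>srcip</expect>
  </command>

  <!-- a single burst: ten minutes in iptables, enough to kill the running script -->
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>100010</rules_id>
    <timeout>600</timeout>
  </active-response>

  <!-- a repeat offender: a full day in both iptables and hosts.deny -->
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>100011</rules_id>
    <timeout>86400</timeout>
  </active-response>
  <active-response>
    <command>host-deny</command>
    <location>local</location>
    <rules_id>100011</rules_id>
    <timeout>86400</timeout>
  </active-response>
</ossec_config>
```

Because the block keys on the decoded source IP, a NAT gateway or shared office address that produces a few bad passwords takes every user behind it down for the timeout, which is exactly the "deciding what is safe and where to stop" problem John raises; a whitelist of known networks in ossec.conf is the usual answer.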