[CentOS] Intrusion Detection Systems

Wed Sep 26 16:35:31 UTC 2007
John Hinton <webmaster at ew3d.com>

Situation: We are providing hosting services.

I've grown tired of the various kiddie scripts/dictionary attacks on 
various services. The latest has been against vsftpd, on systems that I 
can't easily control vs. putting strict limits on ssh. We simply have 
too many users entering from too many networks many with dynamic IP 

Enter.... thinking about LIDS or Log Based Intrusion Detection.

I've run across four systems.

Blockhosts, DenyHosts, fail2ban and OSSEC.

DenyHosts apparently only works with ssh, so I've discounted using that.

Is anyone using one of these or something else that I've missed. At 
present, I'm leaning towards OSSEC for several reasons. First it seems 
very robust. Second, you can set up a server/client structure, so only 
one machine acts as the server and all the others present data to it so 
that it can share with the entire system. The author seems to have 
considered some of the basic problems of log based systems and addressed 

There does seem to be flexibility among these three systems in having 
the ability to monitor just about any log system and take action based 
on failed logins for instance.

So, whats the word from the list? Pros cons or other directions?

John Hinton