[CentOS] Intrusion Detection Systems

Thu Sep 27 07:13:00 UTC 2007
John Hinton <webmaster at ew3d.com>

Stephen John Smoogen wrote:
> On 9/26/07, John Hinton <webmaster at ew3d.com> wrote:
>   
>> Situation: We are providing hosting services.
>>
>> I've grown tired of the various kiddie scripts/dictionary attacks on
>> various services. The latest has been against vsftpd, on systems that I
>> can't easily control vs. putting strict limits on ssh. We simply have
>> too many users entering from too many networks many with dynamic IP
>> addresses.
>>
>> Enter.... thinking about LIDS or Log Based Intrusion Detection.
>>
>> I've run across four systems.
>>
>> Blockhosts, DenyHosts, fail2ban and OSSEC.
>>
>> DenyHosts apparently only works with ssh, so I've discounted using that.
>>     
>
> denyhosts will work with anything that uses tcp_wrappers. You can futz
> it to work with ssh, vsftpd, etc. However beyond that I can't be of
> much help at the moment. I would say go with multiple layers as much
> as possible.
>   
WOW! I just did an install of OSSEC on a couple of servers and so far 
I'm very impressed. First, the installation was as good as anything I've 
ever done with the exception of an RPM. Extremely clear and worked 
great. You do need gcc and glibc on the system.

As I was reading about doing the installation, I discovered there are 
three different installs. These are local, server, and agent. If you are 
doing a single stand-alone system you do local. If you have a bank of 
servers with like configurations you do server on one and agent on the 
others. The program contains a key generation allowing you to very 
easily create an ssh connection between the server and agent(s). If one 
had systems that were a bit different, like three of one type of setup 
and 5 of another, you could do two server installs and do agent installs 
on those like systems.

The install includes rules for just about everything: vsftpd, sendmail, 
postfix, ssh, spamd, mailscanner and on and on even into the winders 
world as it runs on that platform as well. It tracks various logfile 
errors, filesystem changes and looks for rootkits.

Those rules can all be edited for what to do, from notify you to taking 
an active response. For instance you can set it to block failed login 
attempts on ssh after a certain number of attempts and for the amount of 
time you want to do the block. You can even wrap rules together so that 
if this rule goes off during a time period and this other rule is then 
set off, you can have it do something more strict, like longer times of 
blocking. The blocks can be done with hosts.deny or iptables or both.

There's also a web-based GUI which refreshes itself which shows you the 
latest warnings. It will also send email alerts based on set security 
levels.

As for the file/directory checks, you can set it to watch any particular 
file or directory for changes and if the initial setup is throwing too 
many errors, you can set it to ignore any particular file or directory 
change.

So, it will monitor activities and allow you to simply be informed via 
email and/or web interface, or you can just hit its logs to see what's 
going on. You can tune the rules to be proactive, stopping pretty much 
any attack or attempt for any service. I'm actually thinking about tying 
it into the spamhaus rules so that a block is done before smtp based on 
multiple failures due to blacklisting. This will reduce server loads. It 
could also do rejects based on non-existent email addresses, 
spamassassin scores, or clamav responses. For instance one could set a 
rule that if a virus came in 5 times from a particular IP address, you 
could block that address for a day. I'm seeing this as much more than a 
script-kiddie tool. More a tool to handle that and also reduce 
mailserver loads.

The worst thing will be deciding what is safe and where to stop. :)

Anyway, I have to give this a big thumbs up so far. It has successfully 
blocked a few vsftpd attempts and one ssh attempt over the last few hours. 
This kills the script on the other end even if they are just blocked for 
ten minutes. It sure beats the heck out of waking up to logwatch reports 
to find a 24 meg email with 79000 attempts to make a connection to vsftpd!

Best,
John Hinton
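The escalating ssh block described in the post (a rule that fires after a number of failures from one address, a second rule chained to the first for a longer block, and the block carried out by iptables and/or hosts.deny) written out as OSSEC configuration; this is an added example, not configuration from the original post. The rule ids 100100/100101, the thresholds and the timeouts are constructed values, and 5716 is assumed to be the stock "SSHD authentication failed" rule from OSSEC's sshd_rules.xml.

```xml
<!-- rules/local_rules.xml: the correlation chain (ids 100100/100101 are constructed) -->
<group name="local,syslog,">
  <!-- 5 sshd authentication failures (stock rule 5716) from the same
       source IP inside 10 minutes: the short block -->
  <rule id="100100" level="10" frequency="5" timeframe="600">
    <if_matched_sid>5716</if_matched_sid>
    <same_source_ip />
    <description>Repeated sshd authentication failures from one source</description>
  </rule>

  <!-- the same source trips 100100 twice inside an hour: escalate -->
  <rule id="100101" level="12" frequency="2" timeframe="3600">
    <if_matched_sid>100100</if_matched_sid>
    <same_source_ip />
    <description>Persistent sshd brute force from one source, long block</description>
  </rule>
</group>

<!-- etc/ossec.conf: commands and the responses tied to each rule -->
<ossec_config>
  <!-- iptables block (firewall-drop.sh) and hosts.deny block (host-deny.sh);
       both ship with OSSEC and accept a timeout so blocks expire -->
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <command>
    <name>host-deny</name>
    <executable>host-deny.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- first trip: drop the source in iptables for ten minutes -->
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>100100</rules_id>
    <timeout>600</timeout>
  </active-response>

  <!-- repeat offender: both iptables and hosts.deny for a full day -->
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>100101</rules_id>
    <timeout>86400</timeout>
  </active-response>
  <active-response>
    <command>host-deny</command>
    <location>local</location>
    <rules_id>100101</rules_id>
    <timeout>86400</timeout>
  </active-response>
</ossec_config>
```

After restarting OSSEC, confirm the chain fires as intended by watching /var/ossec/logs/active-responses.log while the failures arrive, since a short block that is already pending and a longer one for the same address are both handled by execd's timeout list.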