Intrusion Detection Systems




Situation: We are providing hosting services.

I've grown tired of the various kiddie scripts/dictionary attacks on various services. The latest has been against vsftpd, on systems that I can't easily control vs. putting strict limits on ssh. We simply have too many users entering from too many networks many with dynamic IP addresses.

Enter.... thinking about LIDS or Log Based Intrusion Detection.

I've run across four systems.

Blockhosts, DenyHosts, fail2ban and OSSEC.

DenyHosts apparently only works with ssh, so I've discounted using that.

Is anyone using one of these, or something else that I've missed? At present, I'm leaning towards OSSEC for several reasons. First, it seems very robust. Second, you can set up a server/client structure, so only one machine acts as the server and all the others present data to it so that it can share with the entire system. The author seems to have considered some of the basic problems of log-based systems and addressed those.

There does seem to be flexibility among these three systems in having the ability to monitor just about any log system and take action based on failed logins for instance.

So, what's the word from the list? Pros, cons or other directions?

Thanks,
John Hinton
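Added example, not from the original post or from any of the tools named in it: the check these log-based systems automate, written in Python against constructed vsftpd.log lines. It counts FAIL LOGIN entries per client address inside a sliding time window (the maxretry/findtime rule a fail2ban jail applies) and reports the addresses that crossed the threshold; the addresses, usernames and thresholds are assumptions made up for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
# One vsftpd.log failure line looks like (values are constructed for this example):
#   Tue Nov 07 10:00:01 2006 [pid 2101] [admin] FAIL LOGIN: Client "203.0.113.9"
FAIL_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] FAIL LOGIN: Client "(?P<ip>[^"]+)"$')
TS_FMT = "%a %b %d %H:%M:%S %Y"  # strptime also accepts vsftpd's space-padded day

def parse_failures(lines):
    """Yield (timestamp, client_ip, username) for each FAIL LOGIN line; skip the rest."""
    for line in lines:
        m = FAIL_RE.match(line.strip())
        if m:
            yield datetime.strptime(m["ts"], TS_FMT), m["ip"], m["user"]

def find_offenders(lines, maxretry=5, findtime=600):
    """Map client IP -> time its maxretry-th failure landed inside a sliding
    window of findtime seconds (the maxretry/findtime rule of a fail2ban jail)."""
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    offenders = {}
    for ts, ip, _user in parse_failures(lines):
        if ip in offenders:      # already flagged, nothing more to decide
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()          # expire failures older than the window
        if len(q) >= maxretry:
            offenders[ip] = ts
    return offenders

# Constructed sample: a burst from 203.0.113.9, slow retries from 198.51.100.7, one good login.
SAMPLE_LOG = """\
Tue Nov 07 10:00:01 2006 [pid 2101] [admin] FAIL LOGIN: Client "203.0.113.9"
Tue Nov 07 10:00:03 2006 [pid 2101] [root] FAIL LOGIN: Client "203.0.113.9"
Tue Nov 07 10:00:05 2006 [pid 2102] [test] FAIL LOGIN: Client "203.0.113.9"
Tue Nov 07 10:00:08 2006 [pid 2102] [ftp] FAIL LOGIN: Client "203.0.113.9"
Tue Nov 07 10:00:10 2006 [pid 2103] [jsmith] FAIL LOGIN: Client "203.0.113.9"
Tue Nov 07 10:02:00 2006 [pid 2104] [bob] FAIL LOGIN: Client "198.51.100.7"
Tue Nov 07 10:03:00 2006 [pid 2105] [alice] OK LOGIN: Client "192.0.2.44"
Tue Nov 07 10:14:00 2006 [pid 2106] [bob] FAIL LOGIN: Client "198.51.100.7"
Tue Nov 07 10:26:00 2006 [pid 2107] [bob] FAIL LOGIN: Client "198.51.100.7"
Tue Nov 07 10:38:00 2006 [pid 2108] [bob] FAIL LOGIN: Client "198.51.100.7"
"""
if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG.splitlines()).items():
        print(f"block {ip}: threshold reached at {when}")
```

With the defaults only the burst source is reported; the slow retries from 198.51.100.7 (12 minutes apart) never accumulate inside a 10-minute window, which is the blind spot a lower maxretry or longer findtime trades against false positives from shared or dynamic addresses.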


_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
