Situation: We are providing hosting services.
I've grown tired of the various kiddie scripts/dictionary attacks on
various services. The latest has been against vsftpd, on systems that I
can't easily control vs. putting strict limits on ssh. We simply have
too many users entering from too many networks, many with dynamic IP
addresses.
Enter.... thinking about LIDS or Log Based Intrusion Detection.
I've run across four systems.
Blockhosts, DenyHosts, fail2ban and OSSEC.
DenyHosts apparently only works with ssh, so I've discounted using that.
Is anyone using one of these or something else that I've missed? At
present, I'm leaning towards OSSEC for several reasons. First it seems
very robust. Second, you can set up a server/client structure, so only
one machine acts as the server and all the others present data to it so
that it can share with the entire system. The author seems to have
considered some of the basic problems of log based systems and addressed
those.
There does seem to be flexibility among these three systems in having
the ability to monitor just about any log system and take action based
on failed logins for instance.
So, what's the word from the list? Pros, cons, or other directions?
Thanks,
John Hinton
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
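As an added example that is not part of the original post, and not code from fail2ban, OSSEC, BlockHosts or DenyHosts: the rule the post describes (watch a log for failed logins and take action once an address crosses a threshold) written out against vsftpd-style log lines. The sample log below is constructed; the line layout follows vsftpd's own log format (`... [pid N] [user] FAIL LOGIN: Client "ip"`), but the class name, the regex, the thresholds (maxretry/findtime/bantime, named after fail2ban's settings), the ignore list and the iptables command string are assumptions for the example. It goes slightly beyond the post by also showing a ban expiring and a trusted network being exempted, which is where this kind of tool usually needs a caveat: users on dynamic addresses can be locked out by a stale ban, so bans must expire and the window must be short.

```python
"""Minimal log-based ban rule for vsftpd FAIL LOGIN lines (added example, not a real tool)."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# vsftpd log line shape (assumed from its log format):
#   Thu Mar 13 12:00:01 2008 [pid 4001] [admin] FAIL LOGIN: Client "198.51.100.7"
FAIL_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) '
    r'\[pid \d+\] \[(?P<user>[^\]]*)\] FAIL LOGIN: Client "(?P<ip>[^"]+)"$'
)


class LogBanner:
    """Counts FAIL LOGIN per client IP inside a sliding window and issues expiring bans."""

    def __init__(self, maxretry=5, findtime=600, bantime=3600, ignore=()):
        self.maxretry = maxretry                      # failures allowed inside findtime
        self.findtime = timedelta(seconds=findtime)   # sliding window for counting
        self.bantime = timedelta(seconds=bantime)     # how long a ban lasts
        self.ignore = [ipaddress.ip_network(n) for n in ignore]  # networks never banned
        self.failures = defaultdict(deque)            # ip -> timestamps of recent failures
        self.bans = {}                                # ip -> ban expiry time

    def _ignored(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.ignore)

    def feed(self, line):
        """Process one log line; return ("ban", ip, expiry) when a ban is triggered, else None."""
        m = FAIL_RE.match(line)
        if not m:
            return None                               # OK LOGIN and unrelated lines are skipped
        ip = m.group("ip")
        ts = datetime.strptime(" ".join(m.group("ts").split()), "%a %b %d %H:%M:%S %Y")
        if self._ignored(ip):
            return None
        # Let an old ban lapse before counting again, so a dynamic address
        # that was banned an hour ago is not penalised forever.
        if ip in self.bans and self.bans[ip] <= ts:
            del self.bans[ip]
        if ip in self.bans:
            return None                               # already banned; nothing new to do
        q = self.failures[ip]
        q.append(ts)
        while q and ts - q[0] > self.findtime:        # drop failures outside the window
            q.popleft()
        if len(q) >= self.maxretry:
            expiry = ts + self.bantime
            self.bans[ip] = expiry
            q.clear()
            return ("ban", ip, expiry)
        return None

    @staticmethod
    def firewall_cmd(ip):
        """The kind of action a log-based blocker runs (assumed iptables rule, for illustration)."""
        return f"iptables -I INPUT -s {ip} -j DROP"


def scan(text, **kw):
    """Run the rule over a whole log text; return (ban events, banner state)."""
    banner = LogBanner(**kw)
    events = [e for e in map(banner.feed, text.splitlines()) if e]
    return events, banner


# Constructed sample log: one dictionary attacker, one legitimate user with a few
# spread-out typos, and one host on a trusted network that is exempt from banning.
SAMPLE_LOG = """\
Thu Mar 13 12:00:01 2008 [pid 4001] [admin] FAIL LOGIN: Client "198.51.100.7"
Thu Mar 13 12:00:02 2008 [pid 4002] [root] FAIL LOGIN: Client "198.51.100.7"
Thu Mar 13 12:00:03 2008 [pid 4003] [test] FAIL LOGIN: Client "198.51.100.7"
Thu Mar 13 12:00:04 2008 [pid 4004] [ftp] FAIL LOGIN: Client "198.51.100.7"
Thu Mar 13 12:00:05 2008 [pid 4005] [bob] OK LOGIN: Client "203.0.113.5"
Thu Mar 13 12:00:06 2008 [pid 4006] [www] FAIL LOGIN: Client "198.51.100.7"
Thu Mar 13 12:00:07 2008 [pid 4007] [mysql] FAIL LOGIN: Client "198.51.100.7"
Thu Mar 13 12:00:10 2008 [pid 4008] [bob] FAIL LOGIN: Client "203.0.113.5"
Thu Mar 13 12:30:00 2008 [pid 4009] [bob] FAIL LOGIN: Client "203.0.113.5"
Thu Mar 13 12:40:00 2008 [pid 4010] [ops] FAIL LOGIN: Client "192.0.2.9"
Thu Mar 13 12:40:01 2008 [pid 4011] [ops] FAIL LOGIN: Client "192.0.2.9"
Thu Mar 13 12:40:02 2008 [pid 4012] [ops] FAIL LOGIN: Client "192.0.2.9"
Thu Mar 13 12:40:03 2008 [pid 4013] [ops] FAIL LOGIN: Client "192.0.2.9"
Thu Mar 13 12:40:04 2008 [pid 4014] [ops] FAIL LOGIN: Client "192.0.2.9"
Thu Mar 13 12:40:05 2008 [pid 4015] [ops] FAIL LOGIN: Client "192.0.2.9"
Thu Mar 13 12:55:00 2008 [pid 4016] [bob] FAIL LOGIN: Client "203.0.113.5"
Thu Mar 13 13:05:00 2008 [pid 4017] [admin] FAIL LOGIN: Client "198.51.100.7"
"""

if __name__ == "__main__":
    events, banner = scan(SAMPLE_LOG, ignore=["192.0.2.0/24"])
    for kind, ip, expiry in events:
        print(f"{kind} {ip} until {expiry:%Y-%m-%d %H:%M:%S}: {LogBanner.firewall_cmd(ip)}")
```

With the defaults, the attacker's fifth failure inside the window triggers the ban, the sixth is silently ignored because it is already banned, and the failure at 13:05 arrives after the one-hour ban has lapsed and is counted afresh. The legitimate user's three failures are spread across almost an hour, so the window never holds more than one. The trusted network never reaches the counter at all. Whichever of the tools in the post is chosen, the same three knobs (window, threshold, ban length) and an exemption list are what need tuning for a hosting environment with users on dynamic addresses.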