Stephen John Smoogen wrote:
> On 9/26/07, John Hinton <webmaster@xxxxxxxx> wrote:
> > Situation: We are providing hosting services.
> > I've grown tired of the various kiddie scripts/dictionary attacks on
> > various services. The latest has been against vsftpd, on systems that I
> > can't easily control vs. putting strict limits on ssh. We simply have
> > too many users entering from too many networks, many with dynamic IP
> > addresses.
> >
> > Enter.... thinking about LIDS or Log Based Intrusion Detection.
> > I've run across four systems:
> > Blockhosts, DenyHosts, fail2ban and OSSEC.
> > DenyHosts apparently only works with ssh, so I've discounted using that.
>
> denyhosts will work with anything that uses tcp_wrappers. You can futz
> it to work with ssh, vsftpd, etc. However, beyond that I can't be of
> much help at the moment. I would say go with multiple layers as much
> as possible.

WOW! I just did an install of OSSEC on a couple of servers and so far
I'm very impressed. First, the installation was as good as anything I've
ever done with the exception of an RPM. Extremely clear and worked
great. You do need gcc and glibc on the system.

As I was reading about doing the installation, I discovered there are
three different installs. These are local, server, and agent. If you are
doing a single stand-alone system you do local. If you have a bank of
servers with like configurations you do server on one and agent on the
others. The program contains a key generator allowing you to very
easily create an ssh connection between the server and agent(s). If one
had systems that were a bit different, like three of one type of setup
and five of another, you could do two server installs and do agent installs
on those like systems.

The install includes rules for just about everything: vsftpd, sendmail,
postfix, ssh, spamd, mailscanner and on and on, even into the winders
world as it runs on that platform as well. It tracks various logfile
errors, filesystem changes and looks for rootkits.

Those rules can all be edited for what to do, from notifying you to taking
an active response. For instance you can set it to block failed login
attempts on ssh after a certain number of attempts and for the amount of
time you want to do the block. You can even wrap rules together so that
if this rule goes off during a time period and this other rule is then
set off, you can have it do something more strict, like longer times of
blocking. The blocks can be done with hosts.deny or iptables or both.
There's also a web-based GUI which refreshes itself and shows you the
latest warnings. It will also send email alerts based on set security
levels.

As for the file/directory checks, you can set it to watch any particular
file or directory for changes, and if the initial setup is throwing too
many errors, you can set it to ignore any particular file or directory
change.

So, it will monitor activities and allow you to simply be informed via
email and/or web interface, or you can just hit its logs to see what's
going on. You can tune the rules to be proactive, stopping pretty much
any attack or attempt for any service. I'm actually thinking about tying
it into the Spamhaus rules so that a block is done before smtp based on
multiple failures due to blacklisting. This will reduce server loads. It
could also do rejects based on non-existent email addresses,
SpamAssassin scores, or ClamAV responses. For instance one could set a
rule that if a virus came in 5 times from a particular IP address, you
could block that address for a day. I'm seeing this as much more than a
script-kiddie tool. More a tool to handle that and also reduce
mailserver loads.

The worst thing will be deciding what is safe and where to stop. :)

Anyway, I have to give this a big thumbs up so far. It has successfully
blocked a few vsftpd attempts and one ssh attempt over the last few hours.
This kills the script on the other end even if they are just blocked for
ten minutes. It sure beats the heck out of waking up to logwatch reports
to find a 24 meg email with 79000 attempts to make a connection to vsftpd!

Best,
John Hinton
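
As an added example (not from this thread, and not the OSSEC project's own shipped configuration), here is what the rule chaining and active response John describes looks like in OSSEC's XML: a local rule that counts sshd authentication failures from one source, a second rule that fires when the first keeps firing from the same source, and responses that block for ten minutes on the first and for a day on the second, using both iptables (firewall-drop) and hosts.deny (host-deny). It also includes the syscheck watch/ignore setting from the file-check paragraph. Assumptions: rule ID 5716 is taken to be the shipped "sshd authentication failed" rule (verify it in rules/sshd_rules.xml on your install); IDs 100100 and 100101 are chosen from the range OSSEC reserves for local rules (100000-119999); the directory list and ignore entries are illustrative.

```xml
<!-- Added example, not from the list post or the OSSEC project.
     Assumption: 5716 is the shipped sshd failed-authentication rule.
     Two fragments follow; each goes in the file named in its comment. -->

<!-- 1. rules/local_rules.xml: count failures, then escalate -->
<group name="local,syslog,">

  <!-- 5 failed sshd logins from one source IP within 2 minutes -->
  <rule id="100100" level="10" frequency="5" timeframe="120">
    <if_matched_sid>5716</if_matched_sid>
    <same_source_ip />
    <description>Repeated sshd authentication failures from one source.</description>
  </rule>

  <!-- rule 100100 fired 3 times from the same source within 10 minutes:
       the short block did not stop them, so raise the level -->
  <rule id="100101" level="12" frequency="3" timeframe="600">
    <if_matched_sid>100100</if_matched_sid>
    <same_source_ip />
    <description>Persistent sshd brute force after temporary blocks.</description>
  </rule>

</group>

<!-- 2. etc/ossec.conf: response commands, the responses themselves,
        and the file integrity checks -->
<ossec_config>

  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
  </command>

  <command>
    <name>host-deny</name>
    <executable>host-deny.sh</executable>
    <expect>srcip</expect>
  </command>

  <!-- first threshold: ten-minute iptables block of the source IP -->
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>100100</rules_id>
    <timeout>600</timeout>
  </active-response>

  <!-- escalation: one-day block in both iptables and hosts.deny -->
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>100101</rules_id>
    <timeout>86400</timeout>
  </active-response>

  <active-response>
    <command>host-deny</command>
    <location>local</location>
    <rules_id>100101</rules_id>
    <timeout>86400</timeout>
  </active-response>

  <!-- file/directory checks every two hours; ignore files that change
       in normal operation (hosts.deny is rewritten by host-deny.sh) -->
  <syscheck>
    <frequency>7200</frequency>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/hosts.deny</ignore>
  </syscheck>

</ossec_config>
```

After editing, restart OSSEC with /var/ossec/bin/ossec-control restart and watch /var/ossec/logs/active-responses.log to confirm the block and the later unblock at the timeout. Ignoring /etc/hosts.deny in syscheck matters once host-deny is enabled: otherwise every block OSSEC applies shows up as a file-change alert from OSSEC itself.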
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos