[aklug] OSSEC Host-based Intrusion Detection

From: Damien Hull <damien@linuxninjas.tv>
Date: Thu Oct 28 2010 - 16:25:22 AKDT

I'm in love with OSSEC. I was using the following.
   - Tripwire
   - logcheck
   - Portsentry

Now I just use OSSEC. One HIDS to rule them all. It does everything the
others do and more. Check out this email it sent me.

OSSEC HIDS Notification.
2010 Oct 28 23:41:02

Received From: section9->/var/log/auth.log
Rule: 5712 fired (level 10) -> "SSHD brute force trying to get access to the system."
Portion of the log(s):

Oct 28 23:41:02 section9 sshd[26791]: Invalid user wilfrie from 114.32.122.58
Oct 28 23:41:00 section9 sshd[26789]: Invalid user wilfrid from 114.32.122.58
Oct 28 23:40:58 section9 sshd[26787]: Invalid user wilfredo from 114.32.122.58
Oct 28 23:40:56 section9 sshd[26785]: Invalid user wilfredine from 114.32.122.58
Oct 28 23:40:55 section9 sshd[26783]: Invalid user wilfred from 114.32.122.58
Oct 28 23:40:53 section9 sshd[26781]: Invalid user wilfre from 114.32.122.58
Oct 28 23:40:51 section9 sshd[26779]: Invalid user wilford from 114.32.122.58

ANALYSIS

   - OSSEC detects the attack
   - It gives it a score of level 10
   - It blocks the IP with iptables / netfilter
   - It sends me an email

This is not the only security I have but it's a big part of it. I can sip my
mocha in peace. Those other applications were bombarding me with useless
email. Now I only get the stuff I really need.

I didn't do much configuration for OSSEC to protect my box. I'll RTFM soon.
Then I can really tweak this thing... Not that it needs much tweaking.

Received on Thu Oct 28 16:25:32 2010

This archive was generated by hypermail 2.1.8 : Thu Oct 28 2010 - 16:25:32 AKDT
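The alert in Damien's email is the output of a frequency rule: a single-event rule matches each sshd "Invalid user ... from <ip>" line, and a second rule fires once the same source IP has produced enough matches inside a time window, at which point an active response adds a firewall rule and a notification goes out. The script below is an added example written for this archive page, not OSSEC's code and not anything Damien posted. It replays the seven log lines from the email (re-joined onto one line each) plus two constructed lines, implements that match-then-count logic, and returns the iptables command an active response would run instead of executing it. The threshold (6 events in 120 seconds), the year (syslog lines carry none), and the two extra log lines are assumptions made here; OSSEC's real thresholds live in its sshd_rules.xml.

```python
"""Re-implementation of the detection behind the OSSEC alert above.

Added example, not OSSEC's code.  One regex plays the single-event rule
("Invalid user ... from <ip>"); detect() plays the frequency rule that
fires when one source IP produces FREQUENCY matches inside TIMEFRAME
seconds.  Nothing is executed: the iptables command that an active
response would run is only returned as a string.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches e.g.
# "Oct 28 23:41:02 section9 sshd[26791]: Invalid user wilfrie from 114.32.122.58"
INVALID_USER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<ip>[0-9.]+)$"
)

FREQUENCY = 6    # assumed: matches from one IP needed before the rule fires
TIMEFRAME = 120  # assumed: sliding window in seconds
YEAR = 2010      # assumed: syslog timestamps carry no year

# The seven lines from the email, re-joined onto one line each (newest first,
# as OSSEC reported them), plus two constructed lines: one benign login and
# one lone failed attempt from another (private) address that must not fire.
SAMPLE_LOG = [
    "Oct 28 23:41:02 section9 sshd[26791]: Invalid user wilfrie from 114.32.122.58",
    "Oct 28 23:41:00 section9 sshd[26789]: Invalid user wilfrid from 114.32.122.58",
    "Oct 28 23:40:58 section9 sshd[26787]: Invalid user wilfredo from 114.32.122.58",
    "Oct 28 23:40:56 section9 sshd[26785]: Invalid user wilfredine from 114.32.122.58",
    "Oct 28 23:40:55 section9 sshd[26783]: Invalid user wilfred from 114.32.122.58",
    "Oct 28 23:40:53 section9 sshd[26781]: Invalid user wilfre from 114.32.122.58",
    "Oct 28 23:40:51 section9 sshd[26779]: Invalid user wilford from 114.32.122.58",
    # constructed:
    "Oct 28 23:40:30 section9 sshd[26770]: Invalid user admin from 10.0.0.5",
    "Oct 28 23:39:12 section9 sshd[26761]: Accepted publickey for damien from 10.0.0.7 port 51022 ssh2",
]


def parse(line):
    """Return a dict for an 'Invalid user' line, or None for anything else."""
    m = INVALID_USER.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "user": m["user"],
            "ip": m["ip"], "line": line}


def block_command(ip):
    """The firewall rule an active response would add (returned, never run)."""
    return f"iptables -I INPUT -s {ip} -j DROP"


def detect(lines, frequency=FREQUENCY, timeframe=TIMEFRAME):
    """Replay log lines in time order and return brute-force alerts.

    Each alert carries the offending IP, the number of matches in the window,
    the matching lines, and the block command.  The window for an IP is
    cleared after it fires, so a continuing attack yields one alert per
    `frequency` further attempts rather than one per line.
    """
    windows = defaultdict(deque)  # ip -> recent parsed events
    alerts = []
    events = sorted((e for e in map(parse, lines) if e), key=lambda e: e["ts"])
    for ev in events:
        win = windows[ev["ip"]]
        win.append(ev)
        # Drop events that fell out of the window relative to the newest one.
        while (ev["ts"] - win[0]["ts"]).total_seconds() > timeframe:
            win.popleft()
        if len(win) >= frequency:
            alerts.append({
                "rule": 5712,    # id and level as reported in the email above
                "level": 10,
                "ip": ev["ip"],
                "count": len(win),
                "lines": [e["line"] for e in win],
                "action": block_command(ev["ip"]),
            })
            win.clear()
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"rule {a['rule']} level {a['level']}: {a['count']} invalid users "
              f"from {a['ip']} -> {a['action']}")
        print("\n".join(a["lines"]))
```

Run as-is it raises exactly one alert, for 114.32.122.58, on the sixth attempt; the lone attempt from 10.0.0.5 and the successful login never reach the threshold. Raising `frequency` above the seven attempts in the sample, or shrinking `timeframe` below the eleven seconds they span, silences it, which is the knob to turn if a legitimate host with a typo-prone user starts getting blocked.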