Domain: ossec.net
Stories and comments across the archive that link to ossec.net.
Comments · 19
-
Maybe these might help pt2? http://www.ossec.net/
OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response. It runs on most operating systems, including Linux, MacOS, Solaris, HP-UX, AIX and Windows. Check out OSSEC features and how it works for more information about how OSSEC can help you solve your host-based security problems.
-
To start with move away from LAMP
Build an FNPP. I understand that the acronym is inferior, but I assure you that the actual end product is far, far superior:
FreeBSD
Nginx
Postgresql
PHP
You are then going to want to get the box configured properly with the following:
geli encrypted root partition
ZFS Filesystem
geli encrypted swap
Nginx in its own jail
Postgresql in a separate jail and only listening on localhost
the only network access to the main system (outside the jail) is through openssh
have ssh use three-factor authentication: 1. Password. 2. Google Authenticator. 3. Crypto Stick.
Enable ipfilter, and read the FreeBSD handbook for how to set it up properly
make sure that Openssh restricts itself to AES/SHA
raise the kernel securelevel to 3
make sure that openssh has a 4096 bit key and is restricted to only the authentication methods that you are using
set portsnap and freebsd-update to run nightly in cron
install ports-mgmt/portaudit
install OSSEC from ports/security/ossec*
Follow these instructions and you will have a battle-ready hardened server.
-
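The ssh items in the list above (AES/SHA only, and only the authentication methods actually in use) are the kind of thing that silently regresses on the next package upgrade, so it is worth having a check. The following is an added example, not the commenter's own script and not part of OpenSSH or OSSEC. It assumes modern OpenSSH directive names (AuthenticationMethods, KbdInteractiveAuthentication, with ChallengeResponseAuthentication accepted as the older spelling), reads "SHA" as the HMAC-SHA2 family, and maps the three factors onto sshd as publickey (the hardware token), password, and keyboard-interactive (the PAM-based one-time code). The 4096-bit host key cannot be checked from sshd_config alone; that needs `ssh-keygen -l` on the key file. The two sample configs are constructed.

```python
"""Check an sshd_config against the ssh items in the hardening list above:
AES-only ciphers, HMAC-SHA2 MACs, and authentication restricted to exactly
the methods in use. Added example; not from the original comment or OpenSSH.
"""
from __future__ import annotations

import re

# Assumption: the comment's three factors map onto these sshd methods.
REQUIRED_METHODS = {"publickey", "password", "keyboard-interactive"}

# Directive(s) that switch each method on or off; sshd defaults them to yes.
METHOD_SWITCH = {
    "publickey": ("pubkeyauthentication",),
    "password": ("passwordauthentication",),
    "keyboard-interactive": ("kbdinteractiveauthentication",
                             "challengeresponseauthentication"),
}

DIRECTIVE = re.compile(r"([A-Za-z]+)\s*=?\s*(.+)$")


def parse_sshd_config(text: str) -> dict[str, str]:
    """Global section of an sshd_config as {directive_lower: value}.

    Parsing stops at the first Match block, and for a repeated directive the
    first occurrence wins, both as in sshd itself.
    """
    conf: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = DIRECTIVE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        conf.setdefault(key, value)
    return conf


def _enabled(conf: dict[str, str], directives: tuple[str, ...]) -> bool:
    for d in directives:
        if d in conf:
            return conf[d].lower() == "yes"
    return True  # sshd default when the directive is absent


def audit_sshd_config(text: str) -> list[str]:
    """Return a list of findings; an empty list means the config passes."""
    conf = parse_sshd_config(text)
    findings: list[str] = []

    ciphers = conf.get("ciphers")
    if ciphers is None:
        findings.append("Ciphers unset: sshd's default cipher list is in effect")
    else:
        bad = [c for c in ciphers.split(",") if not c.startswith("aes")]
        if bad:
            findings.append("non-AES ciphers enabled: " + ",".join(bad))

    macs = conf.get("macs")
    if macs is None:
        findings.append("MACs unset: sshd's default MAC list is in effect")
    else:
        bad = [m for m in macs.split(",") if not m.startswith("hmac-sha2-")]
        if bad:
            findings.append("non-SHA2 MACs enabled: " + ",".join(bad))

    methods = conf.get("authenticationmethods")
    if methods is None:
        findings.append("AuthenticationMethods unset: any single enabled "
                        "method logs in on its own")
        used = set(REQUIRED_METHODS)
    else:
        # Space separates alternative chains; every chain must demand all
        # three factors, or it is a way around the ones it leaves out.
        chains = [set(chain.split(",")) for chain in methods.split()]
        for chain in chains:
            missing = REQUIRED_METHODS - chain
            if missing:
                findings.append("chain %s skips %s" % (
                    ",".join(sorted(chain)), ",".join(sorted(missing))))
        used = set().union(*chains)

    for method, directives in METHOD_SWITCH.items():
        on = _enabled(conf, directives)
        if not on:
            findings.append("%s is required but %s is no" % (method, directives[0]))
        elif method not in used:
            findings.append("%s is enabled but no chain uses it: disable it "
                            "or add it to AuthenticationMethods" % method)
    return findings


# Constructed samples: a typical default-ish config and a hardened one.
WEAK_CONFIG = """\
Port 22
Ciphers aes256-ctr,3des-cbc
MACs hmac-sha2-256,hmac-md5
PasswordAuthentication yes
"""

HARDENED_CONFIG = """\
Port 22
HostKey /etc/ssh/ssh_host_rsa_key
Ciphers aes256-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256
PubkeyAuthentication yes
PasswordAuthentication yes
KbdInteractiveAuthentication yes
UsePAM yes
AuthenticationMethods publickey,password,keyboard-interactive
# a per-user exception below must not confuse the global audit
Match User backup
    AuthenticationMethods publickey
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or "OK")
```

Run it against `/etc/ssh/sshd_config` by passing the file's contents to `audit_sshd_config`; a Match block with a weaker chain is reported only if you audit that block separately, which is deliberate here since the comment's list is about the global policy.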
HIDS that server!
Whatever you used, install AND CONFIGURE OSSEC.
http://www.ossec.net/
That way you have some kind of indication when the box gets hacked.
-
OSSEC a better choice
http://www.ossec.net/ with central management on locked down machines would be more helpful in detecting anomalous behavior and security issues on the systems. It's also free, so no wasted taxpayer money on unneeded software.
-
Re:Is it Facebook or Windows which is dangerous?
-
Already possible
OSSEC HIDS supports status updates via twitter, so your IDS control server can gossip and bitch about the ailments of its clients like a senile small-town doctor:
http://www.ossec.net/dcid/?p=168
You could also use Twidge and your imagination to come up with some cron jobs that post server status updates.
-
Re:fail2ban
OSSEC is also a good option.
-
OSSEC is what I use
OSSEC is what I've been using for years and it works well. It's a much more comprehensive security package than fail2ban, but uses log monitoring as its basis.
It's worth a look.
-
Re:I'm (still) seeing penetration attempts
Have a look at OSSEC with active response.
-
Re:Ask Slashdot
OSSEC seems to work alright. It's not perfect but does a decent job.
-
Re:Ask Slashdot
What is the Slashdot crowd using these days for log monitoring?
-
Re:Confirmed
You might be interested in this article.
-
OSSEC is a nice tool
OSSEC HIDS is a very helpful, simple tool to help protect your Linux box (or most other OSes). It watches the logs for you (ssh, apache, mail servers, ...) and spots abnormal patterns registered in XML rules, then sends alert mail to the box admin and is able to blacklist the IP address of brute-force attackers for some time to avoid being DoSed or ssh-bruteforced. You can whitelist your common IP addresses to avoid being blacklisted by DoS attacks with forged IP packets.
It also maintains checksums for system files to help detect rootkits or other intrusion. For more details see the project page:
http://www.ossec.net/main/
Unfortunately it is not yet packaged in all major Linux distros, so security updates will have to be applied manually.
-
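The behaviour the comment describes (match log lines against a rule, count hits per source within a time window, block the source for a while, never block whitelisted addresses) is worth seeing end to end, because the whitelist is what keeps a spoofed flood of failures from locking you out. Below is an added example modelling that logic in Python; it is not OSSEC's code (OSSEC's rules are XML and its blocks are carried out by active-response scripts), the sshd log lines are constructed, the year 2024 is assumed because syslog timestamps carry none, and the threshold and timeouts are arbitrary choices.

```python
"""Toy model of OSSEC's ssh brute-force handling: match auth log lines
against a rule, count matches per source IP inside a time window, and
temporarily block the offender unless its address is whitelisted.
Added example, not OSSEC's own code; all log lines below are constructed.
"""
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# sshd failure line; hostname and PID are captured by the pattern but unused.
FAILED_LOGIN = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)
LOG_YEAR = 2024  # assumption: syslog lines carry no year


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%b %d %H:%M:%S").replace(year=LOG_YEAR)


class BruteForceDetector:
    def __init__(self, threshold: int, window: timedelta,
                 block_for: timedelta, whitelist: list[str]):
        self.threshold = threshold
        self.window = window
        self.block_for = block_for
        self.whitelist = [ipaddress.ip_network(n) for n in whitelist]
        self.hits: dict[str, deque] = defaultdict(deque)  # ip -> failure times
        self.blocked: dict[str, datetime] = {}            # ip -> block expiry

    def whitelisted(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.whitelist)

    def is_blocked(self, ip: str, now: datetime) -> bool:
        exp = self.blocked.get(ip)
        return exp is not None and now < exp

    def feed(self, line: str) -> str | None:
        """Process one log line; return the IP newly blocked by it, or None."""
        m = FAILED_LOGIN.match(line)
        if not m:
            return None
        now, ip = parse_ts(m["ts"]), m["ip"]
        # Lift blocks that have run out, as the active-response timeout would.
        for stale in [a for a, exp in self.blocked.items() if exp <= now]:
            del self.blocked[stale]
        if self.whitelisted(ip):
            return None  # still alerted on in a real setup, never blocked
        q = self.hits[ip]
        q.append(now)
        while now - q[0] > self.window:  # drop failures outside the window
            q.popleft()
        if len(q) >= self.threshold and not self.is_blocked(ip, now):
            self.blocked[ip] = now + self.block_for
            q.clear()
            return ip
        return None


def _fail(ts: str, pid: int, user: str, ip: str, port: int) -> str:
    return (f"Mar 10 {ts} web1 sshd[{pid}]: Failed password for {user} "
            f"from {ip} port {port} ssh2")


# Constructed auth log: one attacker, one whitelisted internal host hammering
# the box, one host with a few typos, and the attacker back after the block.
SAMPLE_LOG = (
    [_fail(f"12:00:0{i}", 2100 + i, "root", "203.0.113.7", 40000 + i)
     for i in range(1, 7)]
    + ["Mar 10 12:00:07 web1 sshd[2107]: Accepted publickey for admin "
       "from 192.0.2.10 port 50000 ssh2"]
    + [_fail(f"12:00:1{i}", 2110 + i, "invalid user test", "10.0.0.5", 41000 + i)
       for i in range(6)]
    + [_fail(f"12:00:2{i}", 2120 + i, "admin", "198.51.100.9", 42000 + i)
       for i in range(3)]
    + [_fail("12:11:00", 2300, "root", "203.0.113.7", 43000)]
)


def run_sample() -> tuple[list[str], bool, int]:
    det = BruteForceDetector(threshold=5, window=timedelta(minutes=2),
                             block_for=timedelta(minutes=10),
                             whitelist=["10.0.0.0/8"])
    blocked = [ip for ip in map(det.feed, SAMPLE_LOG) if ip]
    still = det.is_blocked("203.0.113.7", datetime(LOG_YEAR, 3, 10, 12, 11, 0))
    return blocked, still, len(det.hits["203.0.113.7"])


if __name__ == "__main__":
    print(run_sample())
```

Two details matter when you tune the real thing the same way: the window is measured from the newest failure, so a slow attacker under the rate never triggers (OSSEC has separate rules for that), and a spoofed packet can only produce an sshd "Failed password" line if the TCP handshake completed, which is why the whitelist is mainly there for shared NAT addresses and your own jump hosts rather than raw packet spoofing.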
They must be kidding on the security list
Nessus is not open source anymore! They closed their code.
ACID is not maintained, use BASE instead!
Swatch is old and outdated, use OSSEC instead!
Refs:
http://news.com.com/Nessus+security+tool+closes+its+source/2100-7344_3-5890093.html
http://base.secureideas.net/
http://www.ossec.net/
-
Re:Does rtkhunter...
That's why I use ossec - http://www.ossec.net/
It does:
rootkit detection
integrity checking
log analysis
Giving me a better view of what is going on....
-
open source logging tool that signs the logs
AFAIK the only FOSS log analysis tool that does the hashing/signing of all the stored logs is ossec: http://www.ossec.net/ .
We switched from logwatch/logsurfer because of it:
http://www.ossec.net/wiki/index.php/Know_How:LogSign
-
other contenders
As it happens I was just reading my locally saved copy of this related Slashdot piece, on OpenNMS. Other alternatives mentioned in the comments were:
- Cacti (an RRDtool front-end -- if you don't know what RRDtool is, you don't need this :) )
- Munin, and
- OSSEC.
I've looked over someone's shoulder at the latter - it seems pretty good, it runs on SNMP - I tinkered with NAGIOS five years ago and found it good, but a little dangerous if you didn't read the docs before firing it up (back then, anyway, it auto-discovered the local network by strobing everything in sight with Nmap scans)... but I've no experience of any of these in production. I've been asked to build out a new office network, which will be a template for future local offices, and getting the monitoring right is going to be crucial, so any actual experience of production use gratefully received!
-
Windows is catching up to Linux!
I remember attempting to clean systems that had the Linux Rootkit installed on it in the past. Can't trust results of ps, can't trust results of netstat, can't trust anything.
I can't even imagine having this type of situation on a Windows box. There's just so many more places to hide things, and most even technically knowledgeable people wouldn't know what to do if their favorite process list application or network connection lister only shows you what the spyware author wants you to see.
If you can even discern there is a problem, re-formatting is your only hope.