I have found a great new tool for helping to detect intrusions on servers connected to the web. Its name is OSSEC, and it is like Tripwire on steroids. It also provides virtually realtime

OSSEC is a HIDS (host-based intrusion detection system), which means that it lives on the host it is monitoring, either as a server or as an agent. More on agents a little later.


OSSEC is highly configurable; it is just a matter of editing XML files that are laid out in an easy-to-understand way (on a Unix install the main file is /var/ossec/etc/ossec.conf, with the rules under /var/ossec/rules). What I like most about OSSEC is that it is usable and effective with a default install. It monitors your logs and, when a rule is triggered, sends an email to let you know. It checks for access attempts as well as changed files (syscheck), and even rootkits (rootcheck).


OSSEC includes a large built-in rule base that can be extended or added to. Granular email controls can be set to limit what is sent to your inbox, and there is a nice web interface for a complete view of alerts.
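To show what "editing XML files" actually looks like, here is an added example (mine, not a file shipped with OSSEC or from the original post) of a trimmed ossec.conf for a Linux install. It enables email, sets the global alert levels, adds a granular email rule for authentication failures, and turns on log monitoring, file integrity checking and rootkit detection. The addresses, SMTP server, and the level and group values are placeholders I chose for illustration; the file paths are OSSEC's defaults.

```xml
<!-- Added example, not from the original post: a trimmed /var/ossec/etc/ossec.conf
     for a Linux install. Addresses and the alert levels below are placeholders. -->
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>ossec-alerts@example.com</email_to>     <!-- placeholder -->
    <smtp_server>127.0.0.1</smtp_server>              <!-- placeholder -->
    <email_from>ossecm@server.example.com</email_from> <!-- placeholder -->
    <email_maxperhour>12</email_maxperhour>           <!-- throttle: at most 12 mails per hour -->
  </global>

  <!-- Everything at level 1 and up is written to alerts.log;
       only level 7 and up is mailed unless a rule says otherwise -->
  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>

  <!-- Granular exception to the level-7 threshold: mail level-5+ alerts in the
       authentication_failed group to a second address, without the batching delay -->
  <email_alerts>
    <email_to>oncall@example.com</email_to>           <!-- placeholder -->
    <level>5</level>
    <group>authentication_failed</group>
    <do_not_delay />
  </email_alerts>

  <!-- File integrity monitoring (syscheck): full scan every 22 hours -->
  <syscheck>
    <frequency>79200</frequency>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/hosts.deny</ignore>  <!-- rewritten by active response, so not worth alerting on -->
  </syscheck>

  <!-- Rootkit detection (rootcheck) using the signature lists OSSEC ships -->
  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
  </rootcheck>

  <!-- Log files to watch; log_format tells the decoder what to expect -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>
  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/apache2/access.log</location>
  </localfile>
</ossec_config>
```

Two things worth knowing when you edit this file: OSSEC merges every `<ossec_config>` block it finds, so you can keep your own additions in a separate block rather than editing the shipped sections, and the mail throttle plus the `<alerts>` levels are what stop a chatty server from flooding your inbox. Restart OSSEC after changing the file so the new settings are read.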


Another great feature of OSSEC is active response. Say, for instance, you want to limit bad SSH logins to a maximum of 6 in a 1.5-minute period. OSSEC can be set to block the offending source address after the trigger, with either TCP Wrappers (hosts.deny) or firewall rules, for a specified period of time (the default is 600 seconds, or 10 minutes). One caveat: because the block is keyed on the source IP taken from the log line, you should whitelist your own management addresses so that a mistyped password, or an attacker who can get a crafted line into your logs, cannot lock you out.
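As an added example (my own configuration, not from the original post or the OSSEC project), here is how that SSH threshold and block can be expressed: a custom rule in local_rules.xml that fires when OSSEC's shipped rule 5716 ("SSHD authentication failed.") matches six times from the same source within 90 seconds, and the active-response section of ossec.conf that ties that rule to the shipped firewall-drop and host-deny scripts with a 600-second timeout. The rule ID 100100 and the whitelisted subnet are placeholders I chose; IDs 100000 to 109999 are the range OSSEC reserves for local rules.

```xml
<!-- File 1: /var/ossec/rules/local_rules.xml (added example, not from the post).
     Rule 5716 is the shipped "SSHD authentication failed." rule; 100100 is a
     placeholder ID from the 100000-109999 range reserved for local rules. -->
<group name="local,syslog,sshd,">
  <rule id="100100" level="10" frequency="6" timeframe="90">
    <if_matched_sid>5716</if_matched_sid>
    <same_source_ip />
    <description>SSH brute force: 6 failed logins from one IP within 90 seconds.</description>
    <group>authentication_failures,</group>
  </rule>
</group>

<!-- File 2: the active-response part of /var/ossec/etc/ossec.conf -->
<ossec_config>
  <global>
    <!-- Never block the server itself or the admin network: a mistyped password
         or a spoofed log line must not be able to lock us out -->
    <white_list>127.0.0.1</white_list>
    <white_list>192.168.10.0/24</white_list>   <!-- placeholder admin subnet -->
  </global>

  <!-- Commands: the scripts live in /var/ossec/active-response/bin/ -->
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <command>
    <name>host-deny</name>
    <executable>host-deny.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- Fire only on rule 100100, on the host that saw the events, and undo
       the block after 600 seconds (the default is 10 minutes) -->
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>100100</rules_id>
    <timeout>600</timeout>
  </active-response>
  <active-response>
    <command>host-deny</command>
    <location>local</location>
    <rules_id>100100</rules_id>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

Using `<rules_id>` instead of `<level>` keeps the block from firing on every level-10 alert; if you prefer the broader behaviour, replace it with `<level>10</level>`. You can check what a given log line will trigger before going live by feeding it to /var/ossec/bin/ossec-logtest, which prints the decoder and rule that match.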


Now, as I said before, installs can be either server or agent installs. The server install is for a central server that receives from all agents if you have multiple machines to monitor; for a single standalone machine the installer also offers a "local" type, which is the same thing without the agent-listening part. For a server or local install, the OS must be Unix/Linux. Windows is supported, but only as an agent.


OSSEC on Windows does monitor the registry, access (through the Windows event logs), file changes and policy changes. You would need to set up a *nix server to receive the results in a central location.
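To make the server/agent split concrete, here is an added example (mine, not from the original post or the OSSEC project) of the two ends of a Windows agent reporting to a Linux server: the agent's ossec.conf pointing at the server and listing registry keys, directories and event logs to watch, and the server-side `<remote>` block that listens for agents. The server address, the monitored paths and the registry keys are placeholders I chose; the agent config path is OSSEC's default install location as far as I know.

```xml
<!-- File 1: the Windows agent's ossec.conf (installed by default under
     C:\Program Files\ossec-agent\). Added example; addresses and paths are placeholders. -->
<ossec_config>
  <client>
    <server-ip>192.168.10.5</server-ip>   <!-- placeholder: the Linux OSSEC server -->
  </client>

  <!-- File integrity checks on directories and on registry keys commonly
       abused for persistence (autoruns and services); check_all hashes content -->
  <syscheck>
    <frequency>79200</frequency>
    <directories check_all="yes">C:\Windows\System32\drivers\etc</directories>
    <directories check_all="yes">C:\inetpub\wwwroot</directories>   <!-- placeholder -->
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry>
  </syscheck>

  <!-- Windows event logs: the Security log carries logon failures and policy changes -->
  <localfile>
    <location>Security</location>
    <log_format>eventlog</log_format>
  </localfile>
  <localfile>
    <location>System</location>
    <log_format>eventlog</log_format>
  </localfile>
</ossec_config>

<!-- File 2: the matching section of /var/ossec/etc/ossec.conf on the Linux server.
     "secure" is the authenticated, encrypted agent channel; 1514/udp is the default port. -->
<ossec_config>
  <remote>
    <connection>secure</connection>
    <port>1514</port>
  </remote>
</ossec_config>
```

The configuration alone is not enough: each agent has to be added on the server with /var/ossec/bin/manage_agents, which generates a per-agent key, and that key is then pasted into the agent (the Windows agent has a small "Manage Agent" window for this). Until the key is in place the server will drop the agent's traffic, and /var/ossec/bin/agent_control -l on the server will show the agent as never connected.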


There is lots more I could add about this software, but you can find out all you need at the OSSEC website.


And of course, you could either get support from them directly, or you could discuss my services for installation.

