Automated detection and response to attacks
OSSEC
Author(s): KURT SEIFRIED
Learn how to monitor and block attacks without lifting a finger.
One of the first things I learned about computer security was logging. If you don’t have logs, then trying to reconstruct what happened when something breaks, or when you get broken into, is almost impossible. The second thing I learned was that you have to centralize your logging; this is the only way to get a complete picture and ensure that an attacker can’t simply wipe the logs on a compromised host, leaving you nothing to work with. But none of this will alert you to an attacker or, even more importantly, stop an attacker from getting in. It will simply give you something to look at once you figure out you have been broken into. For this, you need a human being in the loop, right? Well, you either need a human being or some smart software.
Wouldn’t it be great if you could monitor critical logfiles (like mail and web) and actually have something respond to attacks, notifying you and even blocking the attacker from further access if you so wished? Well you’re not the only one. Daniel B. Cid is the lead developer of the OSSEC project, an effort to build an open source host-based intrusion detection system. OSSEC uses a traditional server and agent approach: You install the agent software on each system you want to monitor, and a central server collects all the data and sends out alerts. Additionally, the OSSEC project has released a web-based interface; however, it is only capable of reporting. Unfortunately, it can’t be used to configure the system.
Read full article as PDF »
|
Special Linux Magazine 3 for 1 Offer
|
|---|
|
Get 3 Issues + 3 DVDs for the price of a single issue!
Let Linux Magazine's hands-on, technical articles guide you in your daily Linux use. Check out bonus DVDs like Ubuntu, SUSE, or Fedora and save the download.
Only available for a limited time. Don't miss out!
more...
|
|
Comments