recommendations for a good intrusion logging, monitoring

fooman
Posts: 16
Joined: 2011/11/16 10:32:37

recommendations for a good intrusion logging, monitoring

Post by fooman » 2012/05/24 13:26:22

I currently use iptables to lock down one of my boxes; since I have a premade script I wrote already, I haven't bothered to set up csf but will try it eventually. Just to mess around I installed dropbear and opened 22 for ssh, which I have remapped because of the annoying script kiddies. Within 24 hours I was brute forced with a pattern of similar login names, i.e. tomcat. I have simple security apps like rkhunter, ckconfig crontabbed, but was wondering if I can get some recommendations on an IDS. Snort is popular and can be integrated with iptables, so that sounds good, and I used fail2ban but that used a ton of memory. I'd like to see more logs to monitor, and snort might be my next project to secure my box. It's concerning that just having port 22 opened I get a lot of scans, and it's mostly a lot of what I assume are compromised home computers, judging by the IPs where the attacks are coming from.

What is everyone using to be ahead and on top of their servers' security?

TIA

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: recommendations for a good intrusion logging, monitoring

Post by TrevorH » 2012/05/24 13:41:44

Disable ssh passwords and use keypairs instead. Now the attacker has to steal your id_rsa file and know the impossibly long passphrase you protected it with to gain access.
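Two details trip people up when they turn passwords off in sshd_config: sshd uses the first value it finds for a keyword, so a `PasswordAuthentication no` appended below the distro's `PasswordAuthentication yes` changes nothing, and on a PAM system `ChallengeResponseAuthentication yes` still lets passwords in through keyboard-interactive. The audit script below is an added example, not code from the original post or from OpenSSH; it reads a config the way sshd does and flags those cases. The defaults it assumes (yes for all four keywords) are the OpenSSH 5.x-era ones, it expects "Key value" syntax rather than "Key=value", it stops at the first Match line, and both sample configs are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): audit sshd_config for password
# logins the way sshd itself reads it. Assumptions: "Key value" syntax only,
# OpenSSH 5.x-era defaults (yes for every keyword checked), and everything
# after the first Match line is conditional and ignored here.

# Print the effective (lowercased) value of a keyword, or the default.
sshd_effective() {                   # $1 = config file, $2 = keyword, $3 = default
    v=$(awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        tolower($1) == "match" { exit }                 # conditional section starts
        /^[ \t]*#/ || NF == 0 { next }                  # comment or blank line
        tolower($1) == key { print tolower($2); exit }  # FIRST occurrence wins
    ' "$1")
    printf '%s\n' "${v:-$3}"
}

# One keyword: print ok/WEAK, return 1 when weak.
sshd_check() {                       # $1 = file, $2 = keyword, $3 = default, $4 = wanted
    got=$(sshd_effective "$1" "$2" "$3")
    if [ "$got" = "$4" ]; then
        printf 'ok   %s %s\n' "$2" "$got"
    else
        printf 'WEAK %s %s (want %s)\n' "$2" "$got" "$4"
        return 1
    fi
}

# Whole audit: return 1 if any keyword is weak.
sshd_config_audit() {                # $1 = config file
    bad=0
    sshd_check "$1" PasswordAuthentication          yes no  || bad=1
    sshd_check "$1" ChallengeResponseAuthentication yes no  || bad=1   # PAM keyboard-interactive
    sshd_check "$1" PubkeyAuthentication            yes yes || bad=1
    sshd_check "$1" PermitRootLogin                 yes no  || bad=1
    return "$bad"
}

# Constructed sample configs (not from any real host), written to temp files.
make_weak_sshd_config() {
    cfg=$(mktemp) || return 1
    cat > "$cfg" <<'EOF'
# distro defaults left in place
Protocol 2
PasswordAuthentication yes
PermitRootLogin yes
UsePAM yes
# "hardening" appended later; sshd already took the first value above
PasswordAuthentication no
EOF
    printf '%s\n' "$cfg"
}
make_hardened_sshd_config() {
    cfg=$(mktemp) || return 1
    cat > "$cfg" <<'EOF'
Protocol 2
Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
# deliberate exception for one management block (Match needs OpenSSH 4.4+)
Match Address 192.0.2.0/24
    PasswordAuthentication yes
EOF
    printf '%s\n' "$cfg"
}

# Run "sh this.sh demo" to audit both samples.
if [ "${1:-}" = "demo" ]; then
    for c in $(make_weak_sshd_config) $(make_hardened_sshd_config); do
        echo "== $c"
        sshd_config_audit "$c" || echo "-> fix before exposing the port"
        rm -f "$c"
    done
fi
```

On a live box, `sshd -T` (OpenSSH 5.1 and later) prints the values sshd actually resolved, which is the authoritative check; run `sshd_config_audit /etc/ssh/sshd_config` before a restart and keep your current session open until a key-only login from a second terminal works.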

milosb
Posts: 661
Joined: 2009/01/18 00:39:15
Location: 44 49′14″N 20 27′44″E

recommendations for a good intrusion logging, monitoring

Post by milosb » 2012/05/24 21:25:00

In addition, you can always configure tcp_wrappers to restrict SSH access to only those IPs you expect to be accessing it - that way there will be no authentication challenge whatsoever.
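The tcp_wrappers rule that matters here is the evaluation order from hosts_access(5): a (daemon, client) pair that matches hosts.allow is granted, otherwise a match in hosts.deny is refused, otherwise access is granted. An allow list on its own therefore restricts nothing until hosts.deny carries `ALL: ALL`. The script below is an added example, not code from the original post or from the tcp_wrappers package; it evaluates a pair against the two files the way libwrap does so you can see that ordering on constructed sample files. It assumes IPv4 clients and client patterns limited to ALL, a full address, a trailing-dot prefix, net/mask and net/prefixlen (no hostnames, EXCEPT lists or line continuations).

```shell
#!/bin/sh
# Added example (not from the original post): evaluate hosts.allow/hosts.deny
# the way libwrap does (hosts_access(5)): hosts.allow match -> granted,
# else hosts.deny match -> refused, else granted.
# Assumptions: IPv4 only; client patterns limited to ALL, full address,
# trailing-dot prefix (192.0.2.), net/m.m.m.m and net/prefixlen; no
# hostnames, EXCEPT lists or backslash continuations.

# Exit 0 if any line of $1 matches daemon $2 and client address $3.
tcpwrap_match_file() {               # $1 = hosts.allow or hosts.deny, $2 = daemon, $3 = client IP
    awk -v d="$2" -v ip="$3" '
    function ip2n(a,  p) { split(a, p, "."); return ((p[1] * 256 + p[2]) * 256 + p[3]) * 256 + p[4] }
    function client_match(pat,  np, parts, h) {
        if (pat == "ALL") return 1
        if (pat ~ /\.$/) return substr(ip, 1, length(pat)) == pat    # 192.0.2. prefix form
        np = split(pat, parts, "/")
        if (np == 1) return pat == ip                                 # single address
        if (parts[2] ~ /\./) h = 4294967296 - ip2n(parts[2])          # net/m.m.m.m (contiguous mask)
        else h = 2 ^ (32 - parts[2])                                  # net/prefixlen
        return (ip2n(ip) - ip2n(ip) % h) == (ip2n(parts[1]) - ip2n(parts[1]) % h)
    }
    /^[ \t]*#/ || NF == 0 { next }
    {
        if (split($0, fld, ":") < 2) next                 # daemon_list : client_list [: option]
        dm = 0; nd = split(fld[1], dl, /[ \t,]+/)
        for (i = 1; i <= nd; i++) if (dl[i] == d || dl[i] == "ALL") dm = 1
        cm = 0; nc = split(fld[2], cl, /[ \t,]+/)
        for (i = 1; i <= nc; i++) if (cl[i] != "" && client_match(cl[i])) cm = 1
        if (dm && cm) { found = 1; exit }
    }
    END { exit found ? 0 : 1 }' "$1"
}

# Print "allow" or "deny" for a (daemon, client) pair.
tcpwrap_decision() {                 # $1 = hosts.allow, $2 = hosts.deny, $3 = daemon, $4 = client IP
    if tcpwrap_match_file "$1" "$3" "$4"; then echo allow
    elif tcpwrap_match_file "$2" "$3" "$4"; then echo deny
    else echo allow                  # no match anywhere: libwrap grants access
    fi
}

# Constructed sample files (not from any real host); each prints its path.
make_sample_hosts_allow() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# management host, office LAN, VPN range, and a whole /16 by prefix
sshd : 198.51.100.7 192.0.2.0/255.255.255.0
sshd : 10.0.0.0/8 , 172.16.
EOF
    printf '%s\n' "$f"
}
make_sample_hosts_deny() {
    f=$(mktemp) || return 1
    printf 'ALL : ALL\n' > "$f"     # without this line nothing is refused
    printf '%s\n' "$f"
}

# Run "sh this.sh demo" to see the decisions, including the empty-deny trap.
if [ "${1:-}" = "demo" ]; then
    a=$(make_sample_hosts_allow); dn=$(make_sample_hosts_deny); empty=$(mktemp)
    for c in 198.51.100.7 192.0.2.77 10.20.30.40 203.0.113.5; do
        echo "sshd from $c: $(tcpwrap_decision "$a" "$dn" sshd "$c")"
    done
    echo "sshd from 203.0.113.5 with an empty hosts.deny: $(tcpwrap_decision "$a" "$empty" sshd 203.0.113.5)"
    rm -f "$a" "$dn" "$empty"
fi
```

Two checks before relying on this on a real host: `tcpdmatch sshd 203.0.113.5` from the tcp_wrappers package gives the authoritative answer against the real files, and tcp_wrappers only covers daemons that consult libwrap, so confirm the daemon you are protecting is linked against it (on CentOS, `ldd /usr/sbin/sshd | grep libwrap` for the OpenSSH sshd; a dropbear build may not be). The daemon name matched is the process name, `sshd` for OpenSSH.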
