“This article shows how to install and run OSSEC HIDS, an open source host-based intrusion detection system. It performs log analysis, integrity checking, rootkit detection, time-based alerting, and active response. It helps you detect attacks, software misuse, policy violations, and other forms of inappropriate activities.”
I’ve been running this on my FreeBSD server for 2 months now, and it’s been fantastic. If I so much as modify one file in /etc I get an email telling me about it. It watches a ton of other things, and is very configurable, but don’t be deterred, it runs fine on the default settings while you learn the system, and install is a snap. While the above HOWTO looks good, I installed w/o any problems from the OSSEC install doc:
http://www.ossec.net/en/manual.html#install
I would like to see this project get more attention, as computer security should not end at the firewall or snort.
fak3r
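The "modify one file in /etc and get an email" behaviour fak3r describes is OSSEC's integrity checking (syscheck): a baseline snapshot of file digests is taken, rescanned on a schedule, and the differences are alerted on. As an added illustration of that mechanism, written for this thread and not taken from OSSEC's code or from the HOWTO, here is the comparison logic on its own: snapshot SHA-256, size and mode bits for every regular file under a directory, then classify a later snapshot into added, deleted and modified paths. The directory tree and the tampering in `demo()` are constructed test data, not real files from any system.

```python
"""Minimal file-integrity check in the spirit of OSSEC's syscheck.

Added example, not part of the OSSEC project or the original thread:
snapshot the SHA-256 digest (plus size and mode) of every regular file
under a directory, then compare a later snapshot against it and report
what was added, removed or changed. OSSEC does this on a schedule and
mails the differences; this script only shows the comparison logic.
"""
import hashlib
import tempfile
from pathlib import Path


def file_record(path: Path) -> dict:
    """Digest, size and permission bits of one regular file."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    st = path.stat()
    return {"sha256": h.hexdigest(), "size": st.st_size, "mode": st.st_mode & 0o7777}


def build_baseline(root: str) -> dict:
    """Map each regular file (relative POSIX path) under root to its record."""
    rootp = Path(root)
    baseline = {}
    for path in sorted(rootp.rglob("*")):
        # Symlinks are skipped: hashing the target would hide link swaps.
        if path.is_file() and not path.is_symlink():
            baseline[path.relative_to(rootp).as_posix()] = file_record(path)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between two snapshots."""
    added = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in set(baseline) & set(current) if baseline[p] != current[p]
    )
    return {"added": added, "deleted": deleted, "modified": modified}


def demo() -> dict:
    """Build a constructed /etc-like tree, baseline it, tamper with it, report."""
    with tempfile.TemporaryDirectory() as tmp:
        etc = Path(tmp)
        (etc / "hosts").write_text("127.0.0.1 localhost\n")
        (etc / "ssh").mkdir()
        (etc / "ssh" / "sshd_config").write_text("PermitRootLogin no\n")
        (etc / "motd").write_text("welcome\n")
        baseline = build_baseline(tmp)

        # Constructed changes an admin would want to hear about:
        (etc / "ssh" / "sshd_config").write_text("PermitRootLogin yes\n")  # weakened
        (etc / "motd").unlink()  # removed
        (etc / "rc.local").write_text("#!/bin/sh\n")  # new startup script

        return compare(baseline, build_baseline(tmp))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind}: {p}")
```

Run stand-alone it prints one line per change. In a real deployment the baseline lives outside the monitored host or in a root-only location (OSSEC keeps it in its own database under the agent's directory), otherwise whoever changed the file can also rewrite the snapshot.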
I like most of the articles in howtoforge, and to be fair they help quite a lot, but I still get the feeling that most [howtos] are a bit too dumbed down.
In other words, most of the stuff there is targeted at sysadmins who really just can’t follow those steps and be done with it – they MUST RTFM to know the software and setup things the right way.
Still, a great starting point for many people – thanks to all the contributors.
It would be a good practical joke if a cracker broke in and modified the message sent to the admin abroad: “Elvis has left the building”. :-)
This looks like a very simple-to-install protection system – and if it is easy to install then it is likely to be used, which is “AGT”.
I wonder how it compares with installing individual tools to carry out the same tasks? For example, I usually install aide, logwatch, logcheck, cron-apt and chkrootkit on Debian machines, as these are set up with minimal work.
Maybe ossec is useful for non-debian machines where installing stuff is not as easy and you need to look after many machines?
And the other issue – how would this ossec get updates? The other packages on Debian are of course updated via apt but if ossec gets out of date it may give a false sense of security.
Don’t want to be negative because it looks like a comprehensive and easy to use system – maybe if it was packaged up for Debian it would be near perfect for busy sysadmins.