OSSEC Host-based Intrusion Detection System
Over the years we've investigated, trialled, used and thrown out many options for protecting our servers, ranging from HIDS (host-based intrusion detection systems) to rootkit detection engines to automated scripts that check server security.
For a while now we've been using the open source product OSSEC HIDS. We even donated to its development in the past, before the company was acquired by Third Brigade and subsequently by Trend Micro. Thankfully the product remains open source, with the option of commercial support.
So what is HIDS?
In short, it is primarily a set of processes that continually monitor for unauthorised, unusual or deliberate intrusion attempts, and then block the source IP address in the firewall or host configuration so that it cannot connect again. The block time is generally short, about 10 minutes, which is enough to stop automated scanners and the like from retrying continually, and usually results in our host being skipped. Without wanting to tempt fate, we've only been compromised once, and that was through a malicious entry point in a web-based product that had not yet been identified or published. Additional features have been added to the product, which we'll mention later.
Of course this isn't a foolproof method, nor should it be considered the only monitoring you have on your server. But we really like the continual and evolving development of the product, and how the company manages to expand the functionality a little with each release.
Currently the product features the ability to:
- Check log files on the fly according to a set of rules and take active steps
- Monitor system file integrity
- Monitor the system according to policies
- Check the system for rootkits
- Act as a standalone local install, as a server, or as an agent in multi-host environments
- Perform real-time reporting including email notification
- Be custom configured through the use of XML files
- Be installed on a wide range of operating systems
I read on the latest blog post of the lead developer and original OSSEC founder, Daniel Cid, that he is also now working on a detection engine that advises when a web-based application is out of date, which usually means there are vulnerabilities or security holes that have been detected and plugged.
The product is free, so why not give it a go and see what it can do for you. MG IT Solutions can also help with installation, configuration and management of this product if you require it, through our consultancy and systems administration services.