File Systems and Partitions
Host-based Intrusion Detection System - HIDS
OSSEC (http://www.ossec.net/). Client/server over a secure channel, very simple to set up; it understands SSH and GridFTP attacks, web scanning, MySQL errors, Snort alerts, iptables messages, etc. It offers a web interface (http://www.ossec.net/wiki/index.php/OSSECWUI) too.
For instance OSSEC can easily recognise, and automatically stop, brute-force SSH attacks like the following:
- OSSEC HIDS Notification.
- 2008 Aug 31 13:39:46
- Received From: (pcgrid01) 220.127.116.11->/var/log/messages
- Rule: 5712 fired (level 10) -> "SSHD brute force trying to get access to the system."
- Portion of the log(s):
- Aug 31 13:46:46 pcgrid01 sshd: Invalid user test4 from 18.104.22.168
- Aug 31 13:46:40 pcgrid01 sshd: Invalid user test from 22.214.171.124
- Aug 31 13:46:38 pcgrid01 sshd: Failed password for invalid user test from 126.96.36.199 port 11147 ssh2
- Aug 31 13:46:38 pcgrid01 sshd: Invalid user test from 188.8.131.52
- Aug 31 13:46:34 pcgrid01 sshd: Invalid user test from 184.108.40.206
- Aug 31 13:46:32 pcgrid01 sshd: Failed password for invalid user test from 220.127.116.11 port 10871 ssh2
- Aug 31 13:46:32 pcgrid01 sshd: Invalid user test from 18.104.22.168
with an iptables DROP rule for the attacking address, applied either on the attacked host only or on your whole subnet. The DROP is removed after a tunable amount of time (I set it to 1 day).
On pcgrid01, OSSEC records the DROP action in its active-response log:
- [root@pcgrid01 /]# grep 22.214.171.124 /var/ossec/logs/active-responses.log
- Sun Aug 31 13:48:34 CEST 2008 /var/ossec/active-response/bin/firewall-drop.sh add - 126.96.36.199 1220182874.1828379 5712
- [root@pcgrid01 /]#
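To make the detection and response above concrete, here is an added example (not OSSEC's code) that implements the same logic over constructed sshd log lines: a per-source sliding window of "Invalid user" / "Failed password" events fires once a threshold is reached, the source is put on a DROP list with an expiry, and the DROP is lifted when the expiry passes, which is what the `<timeout>` of an OSSEC `<active-response>` does. The threshold of 6 hits in 120 s is assumed as the rule's frequency/timeframe, 86400 s is the one-day expiry from the text, the year 2008 is assumed for timestamps that carry none, and the sample lines and IPs are constructed. The iptables commands are only built, not executed.

```python
"""SSH brute-force detector modelled on OSSEC rule 5712 plus a timed DROP.

Added example, not OSSEC code.  Assumptions not stated on the page: 6 hits
in 120 s as the rule's frequency/timeframe, 86400 s as the one-day expiry,
year 2008 for the yearless syslog timestamps, constructed sample log lines.
"""
import calendar
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

THRESHOLD = 6       # failures from one source that fire the rule (assumed)
WINDOW = 120        # seconds the failures must fall within (assumed)
BLOCK_TTL = 86400   # seconds the DROP stays in place: 1 day, as in the text
YEAR = 2008         # syslog timestamps carry no year; assumed for parsing

# Matches both sshd messages seen in the alert: "Invalid user X from IP" and
# "Failed password for [invalid user] X from IP port N ssh2" (pid optional).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+"
    r"sshd(?:\[\d+\])?:\s+(?:Invalid user \S+|Failed password for (?:invalid user )?\S+)"
    r"\s+from\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_ts(ts, year=YEAR):
    """BSD syslog timestamp -> epoch seconds (treated as UTC; only differences matter)."""
    dt = datetime.strptime(ts, "%b %d %H:%M:%S").replace(year=year)
    return calendar.timegm(dt.timetuple())


def iptables_cmd(action, ip):
    """The rule a firewall-drop style script would run: -I on add, -D on delete.
    Returned as an argv list; nothing is executed here."""
    flag = {"add": "-I", "delete": "-D"}[action]
    return ["iptables", flag, "INPUT", "-s", ip, "-j", "DROP"]


class BruteForceDetector:
    def __init__(self, threshold=THRESHOLD, window=WINDOW, ttl=BLOCK_TTL):
        self.threshold, self.window, self.ttl = threshold, window, ttl
        self.hits = defaultdict(deque)   # ip -> epochs of recent failures
        self.blocked = {}                # ip -> epoch when its DROP expires
        self.actions = []                # (epoch, "add"|"delete", ip), like active-responses.log

    def expire(self, now):
        """Lift every DROP whose TTL has passed."""
        for ip, until in list(self.blocked.items()):
            if now >= until:
                del self.blocked[ip]
                self.actions.append((now, "delete", ip))

    def feed(self, line):
        """Consume one log line; return the source IP if this line fires the rule."""
        m = LINE_RE.match(line)
        if not m:
            return None
        ip, now = m.group("ip"), parse_ts(m.group("ts"))
        self.expire(now)
        if ip in self.blocked:
            return None                  # already dropped; nothing new to do
        q = self.hits[ip]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()                  # slide the window forward
        if len(q) >= self.threshold:
            self.blocked[ip] = now + self.ttl
            q.clear()
            self.actions.append((now, "add", ip))
            return ip
        return None


# Constructed sample: one source hammers pcgrid01, one legitimate login, one
# lone root failure, then the attacker returns a day later (DROP has expired).
SAMPLE_LOG = """\
Aug 31 13:46:30 pcgrid01 sshd[2101]: Invalid user test from 203.0.113.9
Aug 31 13:46:32 pcgrid01 sshd[2101]: Failed password for invalid user test from 203.0.113.9 port 10871 ssh2
Aug 31 13:46:34 pcgrid01 sshd[2103]: Invalid user test from 203.0.113.9
Aug 31 13:46:36 pcgrid01 sshd[2103]: Failed password for invalid user test from 203.0.113.9 port 10903 ssh2
Aug 31 13:46:38 pcgrid01 sshd[2105]: Invalid user test2 from 203.0.113.9
Aug 31 13:46:40 pcgrid01 sshd[2107]: Accepted publickey for admin from 192.0.2.7 port 40022 ssh2
Aug 31 13:46:41 pcgrid01 sshd[2105]: Failed password for invalid user test2 from 203.0.113.9 port 10911 ssh2
Aug 31 13:46:43 pcgrid01 sshd[2109]: Invalid user test3 from 203.0.113.9
Aug 31 13:46:45 pcgrid01 sshd[2111]: Failed password for root from 198.51.100.4 port 5123 ssh2
Sep 01 13:46:50 pcgrid01 sshd[3000]: Invalid user test from 203.0.113.9
"""


def run_detector(text):
    """Feed every line; return the detector and the IPs that fired the rule."""
    det = BruteForceDetector()
    fired = [ip for ip in (det.feed(line) for line in text.splitlines()) if ip]
    return det, fired


if __name__ == "__main__":
    det, fired = run_detector(SAMPLE_LOG)
    for epoch, action, ip in det.actions:
        when = datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%a %b %d %H:%M:%S %Y")
        print(when, "firewall-drop", action, ip, "->", " ".join(iptables_cmd(action, ip)))
```

Running it prints one `add` for 203.0.113.9 at the sixth failure and one `delete` a day later; the single root failure from 198.51.100.4 and the successful login never reach the threshold, which is the point of counting per source inside a window rather than reacting to any failed login.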
Centralized logging system on MySQL with PHP frontend
Understanding what is happening on a cluster of Linux boxes is a complex task without some kind of centralized repository where all the information is stored, ordered by time and host. You can turn a server into a central syslog server by editing /etc/sysconfig/syslog so that syslogd accepts remote messages, and configuring your syslog clients to send their logs to that host. But I'm lazy and I hate browsing tons of info in black-and-white text files :-). Also, you have lost the tags bound to the messages, basically the Facility/Priority (http://doc.novsu.ac.ru/oreilly/tcpip/puis/ch10_05.htm) syslog information, and you can't use them as parameters in your queries.
So if you like web tools I suggest replacing the standard syslog RPM with Rsyslog (http://www.rsyslog.com/) + Phplogcon (http://www.phplogcon.com/). Your logs will be stored both locally and in the remote MySQL DB. You should use an XFS filesystem for the MySQL files and powerful hardware to host the DB, because the queries must run quickly. After 1 month you can safely drop old rows from the DB. Also you should protect the Phplogcon web access with X.509 client-certificate logins and allow only HTTPS connections to avoid network sniffing. On my site the iptables firewall allows web access only from well-known IPs or subnets, but you could open it to the Internet by integrating the Basic Security#Host-based Intrusion Detection System - HIDS security features.
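The value of keeping Facility/Priority is easiest to see with a query that a flat text file cannot answer. The following is an added example, not rsyslog or phpLogCon code: it decodes the `<PRI>` header of RFC 3164 lines (PRI = facility * 8 + severity), loads them into a cut-down copy of rsyslog's SystemEvents table, and runs the kind of filters the web frontend offers (errors or worse since a given time, counts per facility) plus the one-month retention delete. sqlite3 stands in for MySQL so it runs offline; the column names FromHost, Facility, Priority, SysLogTag, Message and DeviceReportedTime follow rsyslog's MySQL schema, where the column named Priority holds the severity. The year 2008 is assumed for the yearless timestamps and every log line is constructed.

```python
"""Facility/Priority decoding and queries over a central syslog DB.

Added example, not rsyslog or phpLogCon code.  sqlite3 stands in for MySQL;
only the SystemEvents columns used here are kept.  Sample lines constructed.
"""
import re
import sqlite3
from datetime import datetime, timedelta

# RFC 3164 facility codes 0..23 (names for 12-15 follow rsyslog) and severities 0..7.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "solaris-cron",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
YEAR = 2008  # syslog timestamps carry no year; assumed

# Wire format: "<PRI>Mmm dd hh:mm:ss host tag: message".  This header is exactly
# what is lost when the message is written to a plain text file.
PRI_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+"
    r"(?P<host>\S+)\s+(?P<tag>[^:\s]+):\s?(?P<msg>.*)$"
)

SCHEMA = """CREATE TABLE SystemEvents (
    ID INTEGER PRIMARY KEY,
    DeviceReportedTime TEXT,
    Facility INTEGER,
    Priority INTEGER,
    FromHost TEXT,
    SysLogTag TEXT,
    Message TEXT)"""

# Constructed sample: sshd (authpriv.info), an iptables kernel message
# (kern.warning), MySQL (daemon.err, daemon.info) and an old GridFTP line.
SAMPLE_LINES = [
    "<86>Aug 31 13:46:38 pcgrid01 sshd[2105]: Failed password for invalid user test from 203.0.113.9 port 11147 ssh2",
    "<4>Aug 31 13:47:02 pcgrid02 kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.12 PROTO=TCP DPT=22 SYN",
    "<27>Aug 31 13:47:10 pcgrid03 mysqld: [ERROR] Got error 28 from storage engine",
    "<30>Aug 31 13:47:15 pcgrid03 mysqld: Normal shutdown",
    "<166>Jul 20 09:00:00 pcgrid01 gridftp[777]: Transfer complete",
]


def decode_pri(pri):
    """PRI -> (facility, severity); valid PRI values are 0..191."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range: %d" % pri)
    return divmod(pri, 8)


def parse_line(line, year=YEAR):
    """Split one wire-format line into the SystemEvents columns."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("not a syslog line: %r" % line)
    facility, severity = decode_pri(int(m.group("pri")))
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
    return (ts.strftime("%Y-%m-%d %H:%M:%S"), facility, severity,
            m.group("host"), m.group("tag"), m.group("msg"))


def build_db(lines=SAMPLE_LINES):
    """Load lines into an in-memory stand-in for the rsyslog MySQL database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany(
        "INSERT INTO SystemEvents (DeviceReportedTime, Facility, Priority, FromHost, SysLogTag, Message)"
        " VALUES (?, ?, ?, ?, ?, ?)", [parse_line(l) for l in lines])
    conn.commit()
    return conn


def errors_since(conn, since):
    """Messages at severity err or worse (Priority <= 3) reported at/after `since`."""
    rows = conn.execute(
        "SELECT FromHost, Facility, Priority, Message FROM SystemEvents"
        " WHERE Priority <= 3 AND DeviceReportedTime >= ? ORDER BY DeviceReportedTime", (since,))
    return [(h, FACILITIES[f], SEVERITIES[p], m) for h, f, p, m in rows]


def count_by_facility(conn):
    rows = conn.execute("SELECT Facility, COUNT(*) FROM SystemEvents GROUP BY Facility")
    return {FACILITIES[f]: n for f, n in rows}


def purge_older_than(conn, now_iso, days=30):
    """Retention: delete rows older than `days` (the text keeps one month)."""
    now = datetime.strptime(now_iso, "%Y-%m-%d %H:%M:%S")
    cutoff = (now - timedelta(days=days)).strftime("%Y-%m-%d %H:%M:%S")
    cur = conn.execute("DELETE FROM SystemEvents WHERE DeviceReportedTime < ?", (cutoff,))
    conn.commit()
    return cur.rowcount


def row_count(conn):
    return conn.execute("SELECT COUNT(*) FROM SystemEvents").fetchone()[0]


if __name__ == "__main__":
    db = build_db()
    print(count_by_facility(db))
    print(errors_since(db, "2008-08-31 13:00:00"))
    print("purged", purge_older_than(db, "2008-08-31 14:00:00"), "rows;", row_count(db), "left")
```

With the flat-file approach the `[ERROR]` from mysqld and the kernel iptables line are just two more strings; with the facility and severity columns the first query returns exactly the daemon.err row and ignores the kern.warning one, and the per-facility count shows which subsystems are noisy per host. The same `DELETE ... WHERE DeviceReportedTime < cutoff` is the monthly cleanup the text recommends; schedule it, since the table grows with every message from every node.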
- Example of basic forensics (http://blog.gnist.org/article.php?story=HollidayCracking)