[NBLUG/talk] Need advice on intrusion detection systems, etc.
Augie Schwer
augie.schwer at gmail.com
Tue Aug 2 12:44:23 PDT 2005
On 8/2/05, Linford Mark <mlinford at santarosa.edu> wrote:
> I'm looking for some intrusion detection system advice. In the past few months, I've noticed a drastic increase in the number of "attacks" against our network. Checking our logs from each evening, I see a variety of suspicious activity hitting our computers, including:
> 1. Numerous attempts to access many different ssh accounts from the same IP address over a short period of time
The best defence against these SSH brute force attacks is still
probably to switch SSHD's listen port to a non-standard one. Not
allowing password auth. would do well too, but if this is a public
service, then you really can't do either of these.
> 3. Continuous attempts from particular IP addresses to run exploits against our web servers.
mod_security (http://www.modsecurity.org) would allow you to log and
deny such attacks; also there is a nice snort2modsec tool that comes
with the package that allows you to convert Snort rules to
mod_security rules.
Augie.
--
Registered Linux user #229905
GPG Public Key: http://www.schwer.us/schwer.asc
Key fingerprint = 9815 AE19 AFD1 1FE7 5DEE 2AC3 CB99 2784 27B0 C072
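As an added example (not part of Augie's reply or anything posted in the thread), here is a small Python check for the pattern Mark describes in point 1: one source IP failing logins against many different SSH accounts within a short window. It assumes the classic syslog-style sshd "Failed password" lines; the log lines and thresholds below are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log excerpt (not taken from the original post).
SAMPLE_LOG = """\
Aug  2 01:12:03 www sshd[4121]: Failed password for invalid user oracle from 203.0.113.7 port 51234 ssh2
Aug  2 01:12:05 www sshd[4123]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Aug  2 01:12:08 www sshd[4125]: Failed password for root from 203.0.113.7 port 51251 ssh2
Aug  2 01:12:10 www sshd[4127]: Failed password for invalid user test from 203.0.113.7 port 51260 ssh2
Aug  2 01:12:12 www sshd[4129]: Failed password for invalid user guest from 203.0.113.7 port 51266 ssh2
Aug  2 02:30:41 www sshd[4301]: Failed password for mlinford from 198.51.100.22 port 40022 ssh2
Aug  2 02:31:02 www sshd[4305]: Accepted password for mlinford from 198.51.100.22 port 40023 ssh2
"""

# Matches sshd failed-password lines; "invalid user" appears when the account does not exist.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text, year=2005):
    """Group failed logins by source IP as (timestamp, username) tuples."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are skipped
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events[m["ip"]].append((ts, m["user"]))
    return events


def find_bruteforce(log_text, window_seconds=60, min_failures=5, min_users=3):
    """Return {ip: (failures, distinct_users)} for IPs that, within any sliding
    window of window_seconds, fail at least min_failures times against at least
    min_users different accounts. Thresholds are arbitrary starting points."""
    hits = {}
    for ip, evs in parse_failures(log_text).items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Advance the window start until it fits inside window_seconds.
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            window = evs[start:end + 1]
            users = {u for _, u in window}
            if len(window) >= min_failures and len(users) >= min_users:
                hits[ip] = (len(window), len(users))
                break
    return hits
```

A single mistyped password from a legitimate user (198.51.100.22 above) stays below the thresholds, while the scanning host is reported once with its failure and account counts.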