What kind of Intrusion Detection System is appropriate for a web server?

[AbeFroman]

What kind of Intrusion Detection System is appropriate for a web server?

Has anyone caught an intruder?

[nybble]

Check out "Snort", might need google to find it

[AbeFroman]

I downloaded that, please briefly describe how you use it on your web server.

[nybble]

Read the FAQ
It looks for stuff that is not normal

[kris1351]

If you don't understand the included documents I recommend going to someone like Ryan at http://www.rfxnetworks.com and having them install it and other security applications. I believe Rack911 is another good alternative for these services also.

[cyberspirit]

I would like to point out that IDS systems are not very useful if they are run on the same host they are to protect. IDS systems are much better of if they either sit in a network or on the bastion host. So do not expect too much in terms of security.

[ToddW]

Quote:

Originally posted by kris1351
If you don't understand the included documents I recommend going to someone like Ryan at http://www.rfxnetworks.com and having them install it and other security applications. I believe Rack911 is another good alternative for these services also.

Brute Force Detection from RFX Networks is great, and that URL provided step-by-step guide how to install it yourself.. FREE.

CHKROOTKIT will be useful for determing if a root kit has been placed on your server giving unwanted access to hackers/crackers.

And for more basic CPanel Security there are a few more how-tos there that should be done to CPanel and general webservers as well.

If you personally need help, or find a how-to lacking CONTACT ME! I will help you fix your problem, and FIX the how-to!!!

[thedavid]

Quote:

Originally posted by cyberspirit
I would like to point out that IDS systems are not very useful if they are run on the same host they are to protect. IDS systems are much better of if they either sit in a network or on the bastion host. So do not expect too much in terms of security.

This is definitely true. The best setup is to use a ethernet tap upstream of your boxes that you monitor. That said...

Host-based IDS is better than no IDS at all, and can be a good edition to a well layered security strategy. Since lots of folks nowadays don't colo, host-based is often the only solution (short of buying more services from their DC).

-David

[nybble]

@ servermatrix you can rexuest how they setup your servers... so for $55 you could run an IDS< plus a $50 moving charge

[AbeFroman]

What is /etc/apf?

I don't have that.

How do i get it? I am assuming its a firewall of some sort.

Quote:

Add any IP address that you want to be ignored from the rules.
If your server provider is doing monitoring add their IP(s) here.
Since you need these IPs open in APF as well you cancopy the IPs you used in APF
Type: pico -w /etc/apf/allow_hosts.rules
Then scroll down to the bottom and copy those IPs (drag mouse over that's it)
Press: CTRL-X

[ramprage]

Abe,

/etc/apf refers that you have the APF firewall installed on your server. For a full install guide please read this: http://www.webhostgear.com/61.html

[AbeFroman]

What is better Snort or LIDS and why?
What is better Snort or LIDS and why? Is snort compiled into the kernel?

What are gresecurity and pax? http://pax.grsecurity.net/
Can you use those together with Snort and lids?