14 Nov 2011

OSSEC HIDS - Secure Protection for your Web Face


Running a server platform requires escalating levels of security awareness and best practice if you want it to keep functioning and your data safe. Business systems incorporate lock down policies which predominantly deal with threats from holes at user level, however if you're web facing, outside the snug protection offered by a corporate firewall, you'd better make sure you're zipped up even tighter. 
The internet is a very, very dangerous place and if you're open in anyway *they* will be in, there's nothing so certain.

Hackers are clever, much cleverer than you're average coder when it comes to getting into somewhere you don't want them to be, even so, that's not to say they're going to get into your systems regardless, and by being aware of what's on offer and taking a few sensible precautions you can secure your systems from default very quickly. 

The first steps are the most obvious, but you would be amazed (or maybe you wouldn't) at how many people leave root access open (for Linux), or the Administrator account active (for Windows), I mean, are you serious? A virus checker and a (correctly configured) firewall are another good place to start, and if (like us) you use Amazons AWS EC2 platform it's a no-brainer to tie your security group entries to specific IP addresses.
Once you have everything tied down you can sit back and relax, yes? Popping back every so often to keep and eye on things and make sure nobody has rattled the locks? Well, you could do that, or, if you'd rather be properly secure, and be notified of any and all suspect activity, with suitable blocking in place to prevent serious damage, you could install a Host Intrusion Detection System to secure and monitor your infrastructure, and if that's something you think you might be interested in you could do a lot worse to look at OSSEC. 

To quote from their website.. 

"OSSEC is a scalable, multi-platform, open source Host-based Intrusion Detection System (HIDS). It has a powerful correlation and analysis engine, integrating log analysis, file integrity checking, Windows registry monitoring, centralised policy enforcement, rootkit detection, real-time alerting and active response." 

OSSEC can also help with your PCI-DSS compliance needs, plus, as OSSEC is Open Source it does it all for free.

OSSEC operates in couple of ways, as a server, self monitoring with agents installed to sub-systems, or agent-less, which basically means it monitors the system it's installed to 'stand-alone' (useful for single servers). Microsoft server platforms can only run the agent so you need a Linux OSSEC server to monitor your Server 2003/2008 instances. This means you need an extra box, but that's not a bad thing, in fact it's the preferred option, I for one wouldn't trust an MS server to look after itself, let alone get in touch if anything dodgy happens. 

Installation of OSSEC couldn't be easier, and in most cases you really don't need to do anything other than accept the defaults and input an email address + SMTP server details (which OSSEC uses to send you alerts and reports). To install to MS servers you simply install the agent, using a pre-created agent key from the OSSEC server, connect, and that's it, the agent runs as a service so will be active from reboots and it's all good. There's even a nice web interface you can install to the server from which you can check logs etc using a GUI. 

The OSSEC website is here - http://www.ossec.net/ And, as usual, if you would like any help or advice regarding this, or would like Cirronix to install OSSEC for you, configure your server farm or W.H.Y please feel free to contact us.

1 comment:

Anonymous said...

Great article

Post a Comment