Dear all, Please advise on some feature-rich and automatic IDS software for SUSE Linux. I'm looking for an IDS where I can set up an event/action combination. E.g. if somebody tries an unauthorized login on a system, after three attempts I would like to ban this address for some time (24h). I have an idea how to resolve that using log parsing and an iproute command, but I'm afraid that the performance of my server will drop dramatically. Thanks. Regards, Dragan Andric
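The log-parsing approach described in the question, as an added example that is not part of the original thread: a small Python tracker that reads sshd "Failed password" lines in classic syslog format, counts failures per source address within a sliding window, and after three failures emits an iptables DROP rule for that address, removing it again once 24 hours have passed. It only generates the commands rather than executing them, uses iptables instead of iproute, assumes a log year (syslog lines carry none), and the log lines are constructed for the example. Because the state is a few in-memory counters fed line by line (as from `tail -F`), the cost per log line is negligible, which is the part of the poster's design that was worrying them.

```python
"""Ban addresses after repeated failed SSH logins (added example, not from the thread).

Reads sshd syslog lines, counts failures per source address inside a sliding
window, and generates iptables commands to ban (and later unban) the address.
Commands are collected, not executed, so the script can be run safely anywhere.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines for the example (not taken from any real host).
SAMPLE_LOG = """\
Oct  6 11:11:01 suse sshd[2310]: Failed password for root from 192.0.2.10 port 40122 ssh2
Oct  6 11:11:04 suse sshd[2312]: Failed password for invalid user admin from 192.0.2.10 port 40123 ssh2
Oct  6 11:11:05 suse sshd[2315]: Accepted publickey for dragan from 198.51.100.7 port 5012 ssh2
Oct  6 11:11:09 suse sshd[2318]: Failed password for root from 192.0.2.10 port 40124 ssh2
Oct  6 11:12:00 suse sshd[2320]: Failed password for root from 192.0.2.10 port 40125 ssh2
Oct  6 11:30:00 suse sshd[2350]: Failed password for root from 203.0.113.5 port 3001 ssh2
Oct  7 11:11:10 suse sshd[2400]: Failed password for root from 192.0.2.10 port 40126 ssh2
"""

# Matches the classic OpenSSH failure line; "invalid user" is optional.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


class FailedLoginBanner:
    def __init__(self, threshold=3, window=timedelta(minutes=10),
                 ban_for=timedelta(hours=24), year=2005):
        self.threshold = threshold        # failures that trigger a ban
        self.window = window              # failures older than this are forgotten
        self.ban_for = ban_for            # how long an address stays banned
        self.year = year                  # assumed year, syslog lines have none
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.banned_until = {}              # ip -> expiry time of the ban
        self.commands = []                  # generated iptables commands, in order

    def _parse(self, line):
        """Return (timestamp, source ip) for a failed-login line, else None."""
        m = LINE_RE.match(line)
        if m is None:
            return None
        ts = datetime.strptime(f"{self.year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        return ts, m.group("ip")

    def _expire(self, now):
        """Lift bans whose 24h have elapsed, emitting the matching delete rule."""
        for ip, until in list(self.banned_until.items()):
            if now >= until:
                del self.banned_until[ip]
                self.commands.append(f"iptables -D INPUT -s {ip} -j DROP")

    def feed(self, line):
        """Process one log line; return the ban command if one was triggered."""
        parsed = self._parse(line)
        if parsed is None:
            return None
        now, ip = parsed
        self._expire(now)
        if ip in self.banned_until:
            return None  # still banned, the firewall is already dropping it
        recent = self.failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()  # drop failures outside the sliding window
        if len(recent) >= self.threshold:
            self.banned_until[ip] = now + self.ban_for
            recent.clear()
            cmd = f"iptables -I INPUT -s {ip} -j DROP"
            self.commands.append(cmd)
            return cmd
        return None


def run(log_text, **kwargs):
    """Feed every line of log_text through a banner and return it for inspection."""
    banner = FailedLoginBanner(**kwargs)
    for line in log_text.splitlines():
        banner.feed(line)
    return banner


if __name__ == "__main__":
    for cmd in run(SAMPLE_LOG).commands:
        print(cmd)
```

On the sample input, 192.0.2.10 is banned at its third failure within the window, its later attempt during the ban produces nothing new, 203.0.113.5 with a single failure is left alone, and the attempt a day later first triggers the unban and then counts as a fresh first failure. To make this real, pipe `tail -F /var/log/messages` into `feed()` and run the generated commands with root privileges; a production tool would also persist `banned_until` across restarts so bans survive a reboot.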
Hi! Dragan Andric wrote:
Dear all,
Please advise on some feature-rich and automatic IDS software for SUSE Linux. I'm looking for an IDS where I can set up an event/action combination.
E.g. if somebody tries an unauthorized login on a system, after three attempts I would like to ban this address for some time (24h). I have an idea how to resolve that using log parsing and an iproute command, but I'm afraid that the performance of my server will drop dramatically.
Try snort; it's provided within SuSE, maybe in combination with other stuff (scanlogd, logcheck). Philippe - -- Dipl.-Ing. Philippe Vogel Universität Duisburg-Essen Fachbereich Ingenieurwissenschaften Werkstofftechnik I/IPE Tel.: 0203 / 379 - 1566 Fax : 0203 / 379 - 5118 WWW : http://wt.uni-duisburg.de/vogel/ E-Mail: vogel@wt.uni-duisburg.de - -- This message is digitally signed and contains neither seal nor signature! Sending unsolicited advertising e-mail to private individuals violates §1 UWG and §823 I BGB (ruling of the Berlin Regional Court of 2 Aug 1998, Az: 16 O 201/98). Any commercial use of the transmitted personal data, or passing it on to third parties, is expressly prohibited!
On Thursday 06 October 2005 11:11, Dragan Andric wrote:
Dear all,
Please advise on some feature-rich and automatic IDS software for SUSE Linux. I'm looking for an IDS where I can set up an event/action combination.
Not quite an IDS, but it works very nicely for login failures: http://denyhosts.sourceforge.net Ron
Dragan Andric wrote:
Dear all,
Please advise on some feature-rich and automatic IDS software for SUSE Linux. I'm looking for an IDS where I can set up an event/action combination.
E.g. if somebody tries an unauthorized login on a system, after three attempts I would like to ban this address for some time (24h). I have an idea how to resolve that using log parsing and an iproute command, but I'm afraid that the performance of my server will drop dramatically.
Enterasys Dragon is probably one of the best (http://www.enterasys.com/ids/). In case your 6-figure budget got cut a bit, you can also try "prelude" (http://www.prelude-ids.org). cheers, Rainer
On Thursday 06 October 2005 8:11 am, Dragan Andric wrote:
E.g. if somebody tries an unauthorized login on a system, after three attempts I would like to ban this address for some time (24h)
login_sentry is working great here for me. http://www.lumiere.net/~j/login_sentry/ Scott -- POPFile, the OpenSource EMail Classifier http://popfile.sourceforge.net/ Linux 2.6.11.4-21.9-default x86_64 SuSE Linux 9.3 (x86-64)
On Thu, 6 Oct 2005, Dragan Andric wrote:
[...] E.g. if somebody tries an unauthorized login on a system, after three attempts I would like to ban this address for some time (24h). I have an idea how to resolve that using log parsing and an iproute command, but I'm afraid that the performance of my server will drop dramatically.
SSH might be a little problem in this scenario, but "pam_tally" does exactly this job... Regards Henning Hucke -- The life which is unexamined is not worth living. -- Plato
participants (6)
- Dragan Andric
- Henning Hucke
- Philippe Vogel
- Rainer Duffner
- Ron Joffe
- Scott Leighton