Linode Forum
Linode Community Forums
PostPosted: Wed Jun 12, 2013 2:53 pm 
Senior Member

Joined: Wed Oct 20, 2010 12:35 pm
Posts: 111
Location: United Kingdom
I'm seriously considering deploying an IDS to my servers but I was wondering what the consensus was for the best option. The only one I really know about is Snort.

Has anyone had much experience with IDS software and if so which package or packages would you recommend? Ideally I'd like something that didn't put too much strain on the server itself but obviously if it is a choice between having a safer system and slightly lower performance I'll go with the lower performance.


PostPosted: Wed Jun 12, 2013 4:37 pm 
Senior Member

Joined: Sun Dec 27, 2009 11:12 pm
Posts: 1038
Location: Colorado, USA
IDS is a COMPLETE waste of time.

It's like expecting a windscreen to collect space aliens; you'll spend all your time looking at smashed bugs and rarely if ever find an actual space alien (more likely, you'll just stop looking - after all one smashed bug looks pretty much like the other 57 bazallion that will show up).

Lurk thru a few of the Firewall App forums (Ipcop, PFsense, RouterOS, etc) and see what a major hoot-fest treatment IDS posts get.

Way better to set up a good edge firewall, watch its logs, and set up good log filters on your APPS and see what shows up.

_________________
Either provide enough details for people to help, or sit back and listen to the crickets chirp.
Security thru obscurity is a myth - and really really annoying.


PostPosted: Wed Jun 12, 2013 5:57 pm 
Senior Member

Joined: Fri Feb 18, 2005 4:09 pm
Posts: 594
deleted


Last edited by zunzun on Sun Aug 04, 2013 8:39 pm, edited 1 time in total.

PostPosted: Wed Jun 12, 2013 6:54 pm 
Senior Member

Joined: Wed Mar 17, 2004 4:11 pm
Posts: 554
Website: http://www.unixtastic.com
Location: Europe
Cromulent wrote:
I'm seriously considering deploying an IDS to my servers but I was wondering what the consensus was for the best option. The only one I really know about is Snort.

Has anyone had much experience with IDS software and if so which package or packages would you recommend? Ideally I'd like something that didn't put too much strain on the server itself but obviously if it is a choice between having a safer system and slightly lower performance I'll go with the lower performance.


Snort is well respected, but where are you going to use this? On a private network where you can say with confidence what is and is not valid and expected traffic you might get some benefit out of an IDS. If you feed it Internet traffic you will pick up constant Internet background attacks.

If you want to check your Linode hasn't been cracked you might want a filesystem-based IDS like tripwire instead.


PostPosted: Wed Jun 12, 2013 9:00 pm 
Senior Member

Joined: Sun Dec 27, 2009 11:12 pm
Posts: 1038
Location: Colorado, USA
zunzun wrote:
my code is so crappy and poorly written that nobody can figure out how to infect it

Ah, the bury the valuables in the septic field method - stinky but effective.

_________________
Either provide enough details for people to help, or sit back and listen to the crickets chirp.
Security thru obscurity is a myth - and really really annoying.


PostPosted: Thu Jun 13, 2013 12:02 pm 
Senior Member

Joined: Wed Oct 20, 2010 12:35 pm
Posts: 111
Location: United Kingdom
My firewalls are pretty secure (at least I think so). The HTTP servers have all ports blocked except for 443 and 80 and a random port for SSH. SSH passwords are disabled. SSH keys are 8192 bits and root login via SSH is disabled. SSH connections are only allowed from my home static IP address. All other IP addresses are blocked.

The app servers and database servers have all ports blocked except for the relevant ports and they only allow connections from the HTTP servers (in the case of app servers) or from the app servers (in the case of the database servers). SSH servers on these machines are secured in the same way as mentioned above.

So, is there anything I am missing here?


PostPosted: Thu Jun 13, 2013 1:17 pm 
Junior Member

Joined: Sat Nov 03, 2007 11:33 am
Posts: 32
Cromulent wrote:
I'm seriously considering deploying an IDS to my servers but I was wondering what the consensus was for the best option. The only one I really know about is Snort.

Has anyone had much experience with IDS software and if so which package or packages would you recommend? Ideally I'd like something that didn't put too much strain on the server itself but obviously if it is a choice between having a safer system and slightly lower performance I'll go with the lower performance.


I'm admittedly partial, but give OSSEC a try.


PostPosted: Thu Jun 13, 2013 1:27 pm 
Junior Member

Joined: Sat Nov 03, 2007 11:33 am
Posts: 32
vonskippy wrote:
IDS is a COMPLETE waste of time.

It's like expecting a windscreen to collect space aliens; you'll spend all your time looking at smashed bugs and rarely if ever find an actual space alien (more likely, you'll just stop looking - after all one smashed bug looks pretty much like the other 57 bazallion that will show up).


Do you mean that the IDSes you have used have been too buggy to be useful? OSSEC is used on tens of thousands of systems daily and while there certainly are bugs, it's pretty stable. I personally know of environments running thousands of agents all reporting to one manager. And it does work.

vonskippy wrote:

Lurk thru a few of the Firewall App forums (Ipcop, PFsense, RouterOS, etc) and see what a major hoot-fest treatment IDS posts get.

Way better to set up a good edge firewall, watch its logs, and set up good log filters on your APPS and see what shows up.


Firewall logs will not tell you about new users, changed files, rootkits, changed local ports, brute-force attempts against applications and a host of other things. Good luck watching firewall logs in real time. Can you read that fast? Or, you know, you could have OSSEC, which is capable of reading thousands of logs per second, watch for multiple dropped connections from the same IP and have it automatically shun the IP for 10 minutes. Or an hour. Or ten minutes the first time it sees the IP and an hour the next time. It's up to you.


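The escalating shun behaviour described in the post above, reimplemented as an added example in plain Python (not OSSEC's own code): a sliding-window count of firewall DROP lines per source IP, a ten-minute block on the first offence and an hour on every repeat. The log lines are constructed sample data, and the "DROP: " log prefix, the threshold of 5 drops in 60 seconds and the year used for parsing are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Kernel line written by an iptables LOG rule; the "DROP: " log-prefix is an assumption.
LOG_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: DROP: .*?\bSRC=(?P<src>[\d.]+)")
THRESHOLD, WINDOW = 5, timedelta(seconds=60)        # drops from one source inside WINDOW = one offence
SHUN = [timedelta(minutes=10), timedelta(hours=1)]  # first offence, then every repeat offence

def drop_line(ts, src, spt):  # one constructed iptables-style DROP line (sample data, not a capture)
    return f"{ts} web1 kernel: DROP: IN=eth0 OUT= SRC={src} DST=203.0.113.5 PROTO=TCP SPT={spt} DPT=22"

SAMPLE_LOG = (  # constructed: 198.51.100.7 hammers SSH twice, 11 minutes apart; 192.0.2.9 only twice
    [drop_line(f"Jun 13 12:00:0{i}", "198.51.100.7", 40000 + i) for i in range(1, 7)]
    + [drop_line(f"Jun 13 12:00:0{i}", "192.0.2.9", 41000 + i) for i in (7, 8)]
    + ["Jun 13 12:00:09 web1 sshd[2201]: Accepted publickey for deploy from 203.0.113.77"]
    + [drop_line(f"Jun 13 12:11:0{i}", "198.51.100.7", 42000 + i) for i in range(5)]
)

def parse_line(line, year=2013):
    """Return (timestamp, source_ip) for a DROP line, None for any other line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["src"]

def shun_duration(offence_count):
    """Escalate: SHUN[0] for the first offence, SHUN[-1] for every later one."""
    return SHUN[min(offence_count, len(SHUN)) - 1]

def detect(lines):
    """Sliding-window drop counter per source; returns (ip, time, shun_seconds) actions."""
    recent, offences, shunned_until, actions = defaultdict(deque), defaultdict(int), {}, []
    for line in lines:
        if (parsed := parse_line(line)) is None:
            continue
        ts, ip = parsed
        if ts < shunned_until.get(ip, datetime.min):
            continue                                # already blocked: do not count it again
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > WINDOW:              # forget drops older than the window
            window.popleft()
        if len(window) >= THRESHOLD:
            offences[ip] += 1
            duration = shun_duration(offences[ip])
            shunned_until[ip] = ts + duration       # a real responder would insert a firewall rule here
            actions.append((ip, ts, int(duration.total_seconds())))
            window.clear()
    return actions
```

Running `detect(SAMPLE_LOG)` yields two actions for 198.51.100.7, a 600-second block and then a 3600-second one, and nothing for 192.0.2.9, which never reached the threshold.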
PostPosted: Tue Jun 25, 2013 5:01 am 
Senior Newbie

Joined: Sat Sep 15, 2012 12:49 am
Posts: 14
Quote:
IDS is a COMPLETE waste of time.
A bad IDS is a waste of time. Likewise, so can purely signature-based systems be.

I rate OSSEC (a host-based intrusion detection system (HIDS)) very highly. Can't imagine Linux system admin without it.

Key features for me are:
* File integrity checking
* Log file monitoring and analysis (including detection of abnormalities)
* Email alerts
* Scriptable active responses.

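The file integrity checking listed above, and the filesystem-based IDS (tripwire) suggested earlier in the thread, both come down to the same mechanism: record a fingerprint of every file, then diff the live system against that baseline. Added example in Python, not code from OSSEC or tripwire; the directory tree, its contents and the tampering are all constructed inside a temporary directory.

```python
import hashlib, json, os, tempfile
from pathlib import Path

def fingerprint(path):
    """What the baseline records per file: content hash plus the metadata that matters for tampering."""
    st = path.stat()
    return {"sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
            "mode": oct(st.st_mode), "uid": st.st_uid, "size": st.st_size}

def build_baseline(root):
    """Map every regular file under root (relative path) to its fingerprint."""
    root = Path(root)
    return {str(p.relative_to(root)): fingerprint(p) for p in sorted(root.rglob("*")) if p.is_file()}

def compare(baseline, current):
    """Classify paths as added, removed or modified, naming the fields that changed."""
    report = {"added": sorted(set(current) - set(baseline)),
              "removed": sorted(set(baseline) - set(current)), "modified": {}}
    for path in sorted(set(baseline) & set(current)):
        changed = [k for k in baseline[path] if baseline[path][k] != current[path][k]]
        if changed:
            report["modified"][path] = changed
    return report

def demo():
    """Constructed scenario: baseline a tiny tree, alter it, and see what the check reports."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF original")
        baseline = json.loads(json.dumps(build_baseline(root)))  # a real tool keeps this copy off-host
        # Changes the check should flag: a second uid-0 account, a replaced binary that also
        # gained the setuid bit, and a file that was not in the baseline at all.
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\nbackup:x:0:0::/:/bin/sh\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF trojaned")
        os.chmod(root / "bin" / "ls", 0o4755)
        (root / "etc" / "shadow-").write_text("stale copy\n")
        return compare(baseline, build_baseline(root))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The report names which fields moved, so a same-size binary swap still shows up through its hash and mode even though the size check alone would have missed it.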

PostPosted: Tue Jun 25, 2013 6:11 pm 
Senior Member

Joined: Mon Sep 01, 2008 5:14 pm
Posts: 92
redrs wrote:
Quote:
IDS is a COMPLETE waste of time.
A bad IDS is a waste of time. Likewise, so can purely signature-based systems be.

I rate OSSEC (a host-based intrusion detection system (HIDS)) very highly. Can't imagine Linux system admin without it.

Key features for me are:
* File integrity checking
* Log file monitoring and analysis (including detection of abnormalities)
* Email alerts
* Scriptable active responses.


Agreed.


PostPosted: Wed Jun 26, 2013 10:28 am 
Junior Member

Joined: Sat Nov 03, 2007 11:33 am
Posts: 32
Be sure to check out the new beta of 2.7.1 and let us know of any bugs.


PostPosted: Wed Jul 03, 2013 11:44 pm 
Senior Member

Joined: Wed Jun 26, 2013 1:53 am
Posts: 118
vonskippy wrote:
IDS is a COMPLETE waste of time.

It's like expecting a windscreen to collect space aliens; you'll spend all your time looking at smashed bugs and rarely if ever find an actual space alien (more likely, you'll just stop looking - after all one smashed bug looks pretty much like the other 57 bazallion that will show up).

Lurk thru a few of the Firewall App forums (Ipcop, PFsense, RouterOS, etc) and see what a major hoot-fest treatment IDS posts get.

Way better to set up a good edge firewall, watch its logs, and set up good log filters on your APPS and see what shows up.


I assume you mean web apps, like WordPress and MediaWiki?

_________________
Homepage www.sturmkrieg.com
Social network Gamernet
Development website Sashaweb Development
Imageboard img.sturmkrieg.com
WikiHub free wiki host Community Wiki


PostPosted: Wed Jul 03, 2013 11:47 pm 
Senior Member

Joined: Wed Jun 26, 2013 1:53 am
Posts: 118
vonskippy wrote:
zunzun wrote:
my code is so crappy and poorly written that nobody can figure out how to infect it

Ah, the bury the valuables in the septic field method - stinky but effective.


That's true, though crappy code could also contain vulnerabilities. Like if some noob doesn't include mysqlrealescapestring(). "My name is DROP_TABLE."

EDIT:

Not that the command would actually have been functional, but after I submitted it I hoped the forum didn't have that vulnerability.

_________________
Homepage www.sturmkrieg.com
Social network Gamernet
Development website Sashaweb Development
Imageboard img.sturmkrieg.com
WikiHub free wiki host Community Wiki


PostPosted: Thu Jul 04, 2013 3:59 am 
Senior Member

Joined: Sun Mar 07, 2010 7:47 pm
Posts: 1970
Website: http://www.rwky.net
Location: Earth
Inquisitor Sasha wrote:
That's true, though crappy code could also contain vulnerabilities. Like if some noob doesn't include mysqlrealescapestring(). "My name is DROP_TABLE."


PDO prepared statements are better; you can't forget that way.

_________________
Paid support
How to ask for help
1. Give details of your problem
2. Post any errors
3. Post relevant logs.
4. Don't hide details i.e. your domain, it just makes things harder
5. Be polite or you'll be eaten by a grue


PostPosted: Thu Jul 04, 2013 11:46 am 
Senior Member

Joined: Fri Feb 18, 2005 4:09 pm
Posts: 594
deleted


Last edited by zunzun on Sun Aug 04, 2013 8:39 pm, edited 1 time in total.
