On Nov 10, 10:22 pm, Tom Mostard <[email protected]> wrote:
> Hi, folks,
>
> I've got a newbie question, I hope someone can say something about it.
>
> I'm planning to put out a web server (running Apache) which is gonna have a
> heavy load of traffic.
> And I'm wondering about installing OSSEC on this server.
> What do you guys think about it?
>
> In the future, I'm gonna have another web server for load balance.
> Should I install OSSEC on both servers, or should I think about another
> architectural design?
>
> Thanks,
>
> Tom

I've been using OSSEC on all my public facing web servers (and now
internal due to recent compromise of someone else in my network) for a
little over a year, and am amazed at how many potential problems and
actual threats are thwarted.  I'd HIGHLY recommend enabling the "route-
null" active response, as that will block ALL traffic to any IP seen
as a threat.  I'd also recommend monitoring the active-response.log
file to be alerted of potential and known attacks.  The alert is now
built into 2.6 but some useful info is here,
http://itscblog.tamu.edu/ossec-email-alerts-on-active-responses/.  If
you're running a tried and true CMS, you won't have much trouble, but if
there is development done on the server, you need to make sure to
whitelist any developer's IPs.  Many times I've been doing changes to
a site and would generate too many errors which would then get me
blocked for 10 minutes.  So now my desktop at work is white-listed.
Even my lower traffic sites are constantly getting trolled by bots
poking to find out if I have certain vulnerable applications
installed, but OSSEC does an amazing job at stopping all attempts.

An example...my multisite Wordpress server is constantly getting poked
at by bots looking for timthumb.php and various DB management apps.
Over time OSSEC will give you a good way of knowing what common things
attackers are looking for, and you can adjust accordingly.

- Trey
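An ossec.conf fragment that enables the route-null response with the 10-minute block Trey describes and exempts a developer's workstation from all active responses; this is an added illustration, not configuration from the thread, and the IP address, the trigger level and the `local` location are assumed values:

```xml
<ossec_config>
  <global>
    <!-- Assumed developer workstation: never subject to active response.
         Add one white_list element per address or CIDR range. -->
    <white_list>192.0.2.10</white_list>
  </global>

  <!-- Command definition: route-null.sh null-routes the offending source IP -->
  <command>
    <name>route-null</name>
    <executable>route-null.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- Fire route-null on this host for alerts at or above the assumed level;
       the block is lifted after 600 seconds, the 10 minutes Trey mentions -->
  <active-response>
    <command>route-null</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

Each add and delete performed by route-null.sh is written to /var/ossec/logs/active-response.log, which is the file to watch for alerting.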
