On Nov 10, 11:16 pm, Tom Mostard <[email protected]> wrote:
> Hi, Jeremy,
>
> Since the OSSEC will be installed on the same server as the Apache server,
> I thought OSSEC would use too much processing.
> Do you think that this would be a problem? The OSSEC "server" is gonna
> check the whole traffic - and it is a heavy traffic - , so it is going to
> use the CPU, a lot.
>
> It's going to be a Linux box, in the beginning, otherwise I'll use a
> FreeBSD.
>
> Thanks for the reply,
>
> Tom
>
> 2011/11/11 Jeremy Lee <[email protected]>
>
> > I think it's a great idea - I'm assuming this is a Linux box? You can
> > setup OSSEC to monitor the Apache logs and utilize active response to ward
> > off potential abusers. Some time up-front will need to be spent tuning the
> > rules, etc but it's well worth it.
> >
> > If you have another web server (or more) for load balancing, you'd
> > actually want OSSEC setup in a server-agent configuration, with an agent on
> > each web server reporting to the central OSSEC server. That way you'll be
> > able to correlate across all web servers.
> >
> > Hope that helps.
> >
> > --Jeremy
> >
> > On Thu, Nov 10, 2011 at 8:22 PM, Tom Mostard <[email protected]> wrote:
> >
> >> Hi, folks,
> >>
> >> I've got a newbie question, I hope someone can say something about it.
> >>
> >> I'm planning to put out a web server (running Apache) which is gonna have
> >> a heavy load of traffic.
> >> And I'm wondering about installing OSSEC on this server.
> >> What do you guys think about it?
> >>
> >> In the future, I'm gonna have another web server for load balance.
> >> Should I install OSSEC on both servers, or should I think about
> >> another architectural design?
> >>
> >> Thanks,
> >>
> >> Tom
If possible I'd recommend separating the server portion of OSSEC from your production systems. This way if your public web server is compromised it won't keep OSSEC from being useful to your other systems. OSSEC's primary ability to protect web servers is by monitoring the Apache logs, which actually doesn't use too many resources. One alternative to monitoring the logs on your high traffic server is using syslog to send all logs to a collection server and have OSSEC monitor those files. That would keep the processing done by OSSEC off the web server, but I'm unsure how active responses would work. That part would take some tweaking. I've seen mention on this list of having active response send its commands to remote systems, such that multiple systems block the same IP when any of the servers detects a threat.
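As an added illustration (constructed for this thread, not the poster's or the OSSEC project's own configuration), here is an ossec.conf fragment for the layout the reply describes: a dedicated OSSEC server that takes agent connections, accepts remote syslog from the web servers, watches the Apache log that the local syslog daemon writes, and pushes a firewall-drop to every agent. The file paths, the 192.0.2.0/24 range and the alert level are assumptions to adapt.

```xml
<ossec_config>
  <!-- Agents on the web servers report here (encrypted agent channel). -->
  <remote>
    <connection>secure</connection>
  </remote>

  <!-- Web servers that forward logs over plain syslog instead of running
       an agent. Restrict to the web tier (assumed range) so arbitrary hosts
       cannot inject log lines into the analysis engine. -->
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <allowed-ips>192.0.2.0/24</allowed-ips>
  </remote>

  <!-- Apache access log as written on the collector by the local syslog
       daemon (assumed path). Decoding happens here, not on the web server. -->
  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/remote/apache-access.log</location>
  </localfile>

  <!-- Response command: the stock firewall-drop script, which expects
       the source IP extracted by the web decoders. -->
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- location "all" is what makes every agent block the offending IP
       when any one server raised the alert; "local" would only act on the
       agent that saw the traffic, and syslog-only senders run no agent, so
       they cannot execute the block themselves. Level is assumed; tune it
       to the web rules that actually fire in your environment. -->
  <active-response>
    <command>firewall-drop</command>
    <location>all</location>
    <level>10</level>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

The timeout lets the block expire automatically, which limits the damage if an attacker spoofs source addresses to get legitimate clients banned.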
