Hi Eero,
All good points. If you recall, I assumed you already have it installed,
so I didn't get into active response or integrity checks at all. I also
don't mention it because, in my experience, large website owners don't
want it on by default; one of the reasons is the false positives. Say
you're accessing your /administrator, /admincp, or /wp-admin directories:
depending on what you're doing and the number of posts, you could block
yourself. :/ This can also be caused by comments and other similar
activities, so for a beginner post I didn't want to get too crazy.
The configurations I provided should cause very few headaches for
folks, and that's the idea, right? Get them going with few headaches.
There are also issues with active response and poorly configured boxes
where they get stuck in memory, and honestly I didn't want to venture
into it at the moment.
You do have a good point about the logall option; I actually debated
including it and decided against it for this one. I should probably
clarify that this is a server install, not an agent/server relationship,
where logall would really come into play. If it's all on the same
box there's no sense logging all, right? It'd just be redundant, wouldn't it? I
plan to write others on the appropriate remote configuration between
agents and servers, and that's where I envision the logall option really
being more appropriate. But good observation.
What do you think?
On 3/13/13 11:37 AM, Eero Volotinen wrote:
2013/3/13 Tony Perez <[email protected]>:
Hey Folks,
I put together this little post to better help those that are using OSSEC on
their web servers:
http://tonyonsecurity.com/2013/03/13/ossec-for-website-security-part-i/
It's nothing too complicated, but a little something that many seem to forget
or not think about. Hope it helps someone.
Looks good, but how about activating active responses too? And also the
logall option? And some scripts for SMS alerts? :)
--
Eero
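The two settings debated above (active response locking an admin out of /wp-admin, and logall on a single-box server install) in one ossec.conf fragment. This is an added example, not code from Tony's post or from this thread: the white_list address 203.0.113.10 is a placeholder for your own admin IP, the firewall-drop command block is the stock definition shipped in OSSEC 2.x, and the level 10 threshold and 600-second timeout are conservative choices assumed here, not values the thread specifies.

```xml
<!-- /var/ossec/etc/ossec.conf (fragment): local server install, single box -->
<ossec_config>

  <global>
    <!-- logall copies every log line OSSEC receives into logs/archives/.
         On a single box the source logs are already on disk, so this is
         pure duplication; it earns its keep on a manager that is
         collecting from remote agents. -->
    <logall>no</logall>

    <!-- Addresses active response must never block. Put your own
         workstation or office egress here so hammering /wp-admin,
         /administrator or /admincp cannot lock you out of your own server.
         203.0.113.10 is a placeholder (RFC 5737 documentation range). -->
    <white_list>127.0.0.1</white_list>
    <white_list>203.0.113.10</white_list>
  </global>

  <!-- Stock command definition shipped with OSSEC 2.x, reproduced so the
       active-response block below is self-contained. -->
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- Beginner posture: leave active response off entirely, which is the
       "not on by default" stance described in the reply. Uncomment this
       block to state that explicitly. -->
  <!--
  <active-response>
    <disabled>yes</disabled>
  </active-response>
  -->

  <!-- Conservative posture once it is turned on: fire only on level 10+
       alerts (assumed threshold; the repeated 4xx-from-one-source class),
       block on this host, and always set a timeout so a false positive
       undoes itself after 10 minutes instead of needing a manual
       iptables edit. -->
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <level>10</level>
    <timeout>600</timeout>
  </active-response>

</ossec_config>
```

After editing, restart OSSEC (/var/ossec/bin/ossec-control restart) and confirm from a non-whitelisted address that a burst of 4xx responses produces an entry in logs/active-responses.log while the same burst from the whitelisted address does not; the white_list is what turns the "blocked myself" failure mode into a non-event, and the timeout is the safety net for everything else.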
--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.