EasyEngine / feature-requests

A repo to track all feature requests on EasyEngine project using issue tracker.

OSSEC Security #5

Open MiteshShah opened 10 years ago

MiteshShah commented 10 years ago

https://rtcamp.com/support/topic/ossec-security/

I’m not sure if this is something that has been considered but OSSEC is an “Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response”. I use it on my server to keep an eye on authentication logs and such. Possibly something to include in the upcoming security release? I was hesitant to post since EasyEngine is targeted towards WordPress, but it provides security support to the server in general.

ghost commented 10 years ago

May be a good idea, as long as it can be selectively enabled (on/off). I run a couple of programs that enhance security and: a) my system logging daemon now consumes 325 MB of system virtual memory (that is, quite a lot) and b) once you get a bunch of gizmos running on the same box, it becomes very difficult to troubleshoot stuff. Last week I doubled my hosting fee (I went from 512 MB to 1 GB of RAM) because I couldn't find what part of the OS is eating up all that swap space.

houk commented 10 years ago

Would it be worth doing a security milestone? There are some things that you can probably do at the ee stack install stage to secure the box for paranoid administrators (using naxsi with some decent rules, for example).

harshadyeola commented 10 years ago

https://code.google.com/p/naxsi/wiki/Howto Nginx naxsi firewall module for nginx

shaneholloman commented 9 years ago

@MiteshShah I'm currently using OSSEC with easyengine droplets. Very easy to use and super effective. I never knew how many SSH intrusion attempts I was getting till installing OSSEC. I vote for this. @harshadyeola I'm now curious about naxsi vs ossec. Thx for sharing that ; )

MiteshShah commented 9 years ago

@shaneholloman Can you share your config and steps to install/configure OSSEC? It will help us test and automate this OSSEC install/configure process in the future.

shaneholloman commented 9 years ago

@MiteshShah Man, I'm so sorry I missed this! I will write up a step by step this weekend and post here : )

shaneholloman commented 9 years ago

Actually I found the initial guide that helped me: https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-ossec-security-notifications-on-ubuntu-14-04

I'm happy to redact this to pure command lines only if it helps you. Otherwise this worked perfectly for me.

rahul286 commented 9 years ago

@shaneholloman Thanks for the link. :-)

May I know how much overhead this tool adds to the server? Overhead as in CPU load, RAM consumed (assuming it will be running as a daemon).

Will it work nicely on a 512MB droplet?

shaneholloman commented 9 years ago

@rahul286 It uses very little CPU and RAM in conjunction with fail2ban and UFW... I use it with ease on a 512MB and a 2GB droplet.

If you send your pubkey I will give access to 2GB and 512 droplets of mine, both using the latest EE version.

rahul286 commented 9 years ago

Great. :-)

Thanks for details.

I will try to test the DigitalOcean article this weekend only.

ghost commented 9 years ago

As security focused as IT has become, I'd like to weigh in as a +1 for this idea and inquire about where consideration of OSSEC has landed, in relation to EE?

hbaker commented 6 years ago

Sorry to bump such an old thread, but did this get anywhere? I'd love to have OSSEC as an add-on option in EE.

rahul286 commented 5 years ago

Update: we are tracking all feature requests under a new https://github.com/EasyEngine/feature-requests/ repo so moved this issue.