OSSEC is a security tool which can be best classified as a host intrusion detection system. It can be installed in three modes: local, agent or server. I installed it as a local install on my test box so that I could see how it worked. What a cool app! It installs in seconds and when enabled, sits in the background watching your log files, changes made to executable files and a bunch of other stuff. If it sees any funny business it drops you an email to let you know. It can even be configured to automatically add IPTables firewall rules when it detects people running attacks against your server. The default settings detected things like incorrect password attempts, initial logins by users and the creation of new users and groups. It even detects things like the existence of root kits on Linux. Most of it runs from the command line but there is a web gui as well.
I’ve been hitting the research hard looking for log analysis tools for apache and linux and this tool is going to be very useful. This may even remove the need for my centralized syslog box as it parses out the good info from the bad. We will see…. I haven’t dropped this on my production web server yet, but I will soon.
Two thumbs up for this useful tool…
Oh yeah…there is a agent for Windoze boxes as well. ;)