This server is a very small fish in a very big pond. This morning, some guy in Vietnam (or some bot running through an IP address there) decided to see if it could hack in by throwing a lot of different login and overrun attempts at the web service. I have a reasonable set of firewalls between the system and the ‘net, but when you have a web server, you have to keep that port open. The solution requires real-time analysis and action based on the traffic coming into the web server. I’m a little guy, and commercial software to do that is expensive. But there’s a powerful, free, open source solution.
OSSEC is an intrusion detection system and, right out of the box (if it came in a box), it fields an impressive array of analytic tools. Its default mode is “watch and notify”. I’ve had it set up that way for several months — that’s how I knew about the attack coming from Vietnam. After this morning’s event, I’ve changed the mode to “watch, notify, and respond”. OSSEC now has the ability to (temporarily) modify system parameters. In this specific case, it would have blocked access from the specific IP address(es) running the attack.
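The switch from “watch and notify” to “watch, notify, and respond” is a change to OSSEC’s active response configuration in ossec.conf. The fragment below is an added example, not the post’s own configuration: it shows the notify-only setting alongside the responding one. The alert level (6), the block duration (600 seconds) and the use of the stock firewall-drop script are assumptions to be tuned for the site; the element names are OSSEC’s documented ones.

```xml
<ossec_config>
  <!-- "Watch and notify" only: with this block in place OSSEC alerts but
       never touches the host. Remove it (or set disabled to "no") to let
       the responses below run. -->
  <!--
  <active-response>
    <disabled>yes</disabled>
  </active-response>
  -->

  <!-- Defines what a response may do. firewall-drop.sh is the script
       OSSEC ships under active-response/bin; it adds the offending
       source IP to the host firewall. "expect srcip" means the alert
       must carry a source address, and timeout_allowed lets OSSEC call
       the script again later to remove the block. -->
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- Binds the command to alerts: any alert of level 6 or higher runs
       firewall-drop on this host ("local") against the alert's srcip,
       and the block is lifted after 600 seconds. Both numbers are
       assumed values for this example. To react only to particular
       rules (for example the web brute-force rules) instead of every
       level-6 alert, add a <rules_id> element listing them. -->
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

After editing, restart OSSEC (`/var/ossec/bin/ossec-control restart` on a standard install) and watch `/var/ossec/logs/active-responses.log`: each block and each expiry is logged there, which is the quickest way to confirm that a response fired for the right source address and was undone when the timeout ran out. The timeout is what keeps this “temporary”: a misfire against a legitimate address clears itself rather than locking that address out for good.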
My little server is plugged into a stream that leads to the entire world. Just like the ecosystem of the Great Lakes is under threat from some fish that can swim up the Mississippi, that little stream brings both opportunity and danger. It’s necessary to be ready to handle both.