OSSEC reviewed

I’ve been running OSSEC for about six weeks now. General thoughts – it’s pretty easy to get up and running. The server client is sitting on my Fedora mail/web/firewall/SQL server and I have two of the Windows client apps sitting on the fishcam box and my workstation desktop.

Setup was easy, only took a few minutes.

The good:
– Advanced monitoring clued me into a bunch of spammers who kept trying to use me for recursive lookups for gmail.
– Alert messages whined about the postmaster account not having a valid destination until I finally fixed it. Wow, I now get over a thousand spam messages a day (domain, uucp, ftp, ntp, webmaster ... all drain into that mailbox). Gmail’s anti-spam system has held up remarkably well; on the worst day I got about 12 spam messages – which was annoying until I realized what a massively high percentage it was getting right.

The bad:
– I set up a motion-activated webcam at one point that would email copies of the pictures every time it detected movement. When the connection attempt violated the anti-relay mail policy, OSSEC dropped its public IP address into its hosts.deny file. That was unpleasant until I manually whitelisted it. In retrospect, whitelisting your own IP address makes sense – and would probably happen automatically if I wasn’t doing a goofy double-NAT thing with another router.
– Getting a flood of emails every time I run an update is annoying, but I’m willing to live with it.
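As an added example (not the author's configuration), here is the shape of the ossec.conf pieces behind the lockout described above: the host-deny active response, modeled on OSSEC's stock entry, that appends blocked source addresses to hosts.deny, and a global white_list entry that exempts the host's own public address so a misfiring camera upload cannot block the box from itself. The address 203.0.113.7 is a placeholder for the monitored host's external IP.

```xml
<ossec_config>
  <global>
    <!-- Addresses that active response must never act on. Add the server's
         own public address here (placeholder below): behind double NAT the
         address the mail server sees is the outer router's, not the
         interface address on this host. -->
    <white_list>127.0.0.1</white_list>
    <white_list>203.0.113.7</white_list>
  </global>

  <!-- Command that writes the offending source IP into /etc/hosts.deny -->
  <command>
    <name>host-deny</name>
    <executable>host-deny.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- Run host-deny for any alert of level 6 or higher; lift it after 600 s -->
  <active-response>
    <command>host-deny</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

If an address has already been caught, `grep 203.0.113.7 /etc/hosts.deny` on the server shows the entry that needs removing after the white_list change.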

In general, I think every office should have something like this running. I’d bet it would be even more interesting if there was a real client/server network going with a bunch of MS boxes chatting back and forth to each other. You’d have to be willing to deal with the additional noise it brings to the experience, however.

This entry was posted in Security.