I am a huge fan of OSSEC for knocking down or out the noise that comes from daily life on the internet. Be it some annoying bot from China, Brazil, India, Russia, or the Netherlands, a targeted attack or scan of your site, or a researcher like HD Moore and the Critical.IO project, your server(s) get scanned constantly for security weaknesses. This gets worse during US holidays as the volume of scan traffic increases significantly. Hell, you can even set your watch based on the interval of some of the SIP and SSH scans.
OSSEC is a Host Based Intrusion Detection/Prevention solution (HIDS or HIPS for short). It monitors your various system and service logs looking for common attack traffic such as, configuration scans and weak password attacks, as well as rootkits and blocks the offending IP address from the system and notifies someone that you are being attacked.
By leveraging a solution like this, you can get a bit of proactive security by automatically locking out an attacker’s IP address. By doing this, you also reduce the amount of noise that makes its way into your various system logs. Thus reducing filesize and “crap” that needs to be investigated.
Getting OSSEC up and running on Linux, Windows, and most other OSes is a breeze. OSX leaves a bit to be desired (aka i’m not a fan of the latest versions of Xcode from the past two years – I shouldn’t be forced to install nearly 2 gigs of iOS crap just to get a decent dev environment going on a desktop system). Couple this with the fact that I’m using MAMP as alternative to the native Apache install that comes with OSX (because unlike Apple the MAMP group actually updates Apache and PHP on a semi-regular basis) and you are left with a bit of “fun” to get things up and running smoothly.
So how to get started – I could get long winded here but i’m going to cheat, several sites already have the important part of how to get OSSEC up and running on Mountain Lion, I’ll just start with how to get MAMP working with it.
So, Step 1 – Go Here and follow the guides to get Xcode and GCC running on OSX, substitute the version of OSSEC with the latest (2.7) and install.
Step 2 – To properly catch scanner activity, you will need access to both the error log and the access log from Apache. MAMP only creates the error log by default. Follow the steps outlined HERE to enable the Apache Access log file.
Step 3 – edit your ossec.conf file and add the Apache logs (and any of the other ones from MAMP) to the list of local files for OSSEC to read and monitor:
Create a new entry for each log file you want to monitor (start at the bottom of the config file)
Step 4 – tweak OSSEC as needed, and test.. you can use nikto or wpscan against your server… you should get a warning you are getting scanned and when OSSEC blocked the IP address.