Docunext


Snort

December 9th, 2006

After my post on blocking bad bots, I remembered snort. While snort doesn't do any blocking, it does detection like the best of them. I got it up and running on Debian in under 15 minutes following the instructions that come with Debian, and this page:

Using the 'snort' Intrusion Detection System

http://www.bleedingsnort.com/

Debian Snort PDF

Here's what I'm thinking for a multi-layered approach to network security:

  1. iptables firewall
  2. postfix - dnsbl for proxies and open relays
  3. fail2ban to watch logs - ssh (auth), email (spam, auth), web (auth)
  4. libapache2-mod-ifier to check bad web requests (bots, worms)
  5. snort to watch everything else and make sure nothing else improper is going on
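
Layer 3 in that list is the one that is easiest to show working on a handful of log lines. The following is an added example (not code from the original post, and not fail2ban's own implementation) of the detection fail2ban performs on an ssh auth log: it parses constructed `sshd` "Failed password" lines, counts failures per source address inside a sliding window the way fail2ban's `findtime`/`maxretry` settings do, and turns the result into the kind of iptables DROP rule that ties layer 3 back to layer 1. The log lines, IP addresses, the `year` default (syslog timestamps carry no year) and the exact rule text are all assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth.log lines (classic syslog format); these are not real
# captured data. The addresses are from the RFC 5737 documentation ranges.
SAMPLE_AUTH_LOG = """\
Dec  9 10:00:01 host sshd[2001]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Dec  9 10:00:04 host sshd[2002]: Failed password for root from 203.0.113.5 port 40130 ssh2
Dec  9 10:00:09 host sshd[2003]: Failed password for invalid user test from 203.0.113.5 port 40141 ssh2
Dec  9 10:00:15 host sshd[2004]: Accepted publickey for alice from 198.51.100.7 port 51000 ssh2
Dec  9 10:00:20 host sshd[2005]: Failed password for bob from 198.51.100.7 port 51002 ssh2
Dec  9 10:20:30 host sshd[2006]: Failed password for invalid user oracle from 203.0.113.5 port 40200 ssh2
Dec  9 10:35:00 host sshd[2007]: Failed password for root from 192.0.2.9 port 33000 ssh2
Dec  9 10:35:02 host sshd[2008]: Failed password for root from 192.0.2.9 port 33001 ssh2
Dec  9 10:50:10 host sshd[2009]: Failed password for root from 192.0.2.9 port 33002 ssh2
"""

# One failed-password line: syslog timestamp, host, sshd[pid], optional
# "invalid user", then the source address. Successful logins do not match.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failures(text, year=2006):
    """Return a list of (timestamp, source_ip) for every failed login line.

    Syslog timestamps have no year, so the caller supplies one (assumed 2006,
    the date of the post, for the constructed sample).
    """
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group("ip")))
    return events


def find_ban_candidates(events, maxretry=3, findtime=timedelta(minutes=10)):
    """Sliding-window counter modelled on fail2ban's findtime/maxretry.

    An address is a ban candidate once it has `maxretry` failures whose
    timestamps all fall within `findtime` of each other. Returns a dict of
    ip -> time of the failure that triggered the ban.
    """
    window = defaultdict(list)
    banned = {}
    for ts, ip in sorted(events):
        if ip in banned:
            continue  # already flagged; later failures add nothing
        recent = window[ip]
        recent.append(ts)
        # Drop failures older than the window relative to this one.
        while recent and ts - recent[0] > findtime:
            recent.pop(0)
        if len(recent) >= maxretry:
            banned[ip] = ts
    return banned


def iptables_rules(banned):
    """Render one INPUT DROP rule per flagged address (strings only, not run).

    The rule shape is the illustrative one; fail2ban's real action templates
    use their own chain and are configurable.
    """
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(banned)]


if __name__ == "__main__":
    events = parse_failures(SAMPLE_AUTH_LOG)
    banned = find_ban_candidates(events)
    for ip, when in banned.items():
        print(f"ban candidate {ip} (triggered at {when:%H:%M:%S})")
    for rule in iptables_rules(banned):
        print(rule)
```

On the constructed log, 203.0.113.5 is flagged after its third failure within eight seconds, 198.51.100.7 is left alone (one failure, and a successful key login), and 192.0.2.9 is not flagged even though it fails three times, because its attempts are spaced so that no three of them fit inside the ten-minute window. That last case is the caveat worth knowing about a log-watching layer: slow, patient attempts slip under `findtime`/`maxretry`, which is one reason the post puts snort behind fail2ban rather than relying on either alone.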

This mostly focuses on web, email, and ssh, which happen to be highly popular network services. Beyond that, I'll have to check out what is available for ldap, voip, jabber, and more.
