Lean but effective Linux IDS / IPS / WAF? [closed]

I am looking for a simple but effective IDS / IDP / WAF solution for my tiny VPS web server.

At the moment I already use iptables and psad, but many web-server scanning attempts go unaddressed. I use nginx, but I would prefer a solution that is independent of the web server.

What would be a sensible and effective approach to protecting my tiny server against the constant scans from malicious bots? Preferably with low operating overhead, since the VPS is not very powerful either.

Many thanks for any hints and recommendations.

0
asked 14 March 2014 at 22:33
1 answer

If it's just a web app you want to protect then ModSecurity would be my first recommendation, despite you saying that you want web server independence.

The alternatives generally include something like Snort, OSSEC, Bro, Fail2Ban and company. Each has its strengths and weaknesses. OSSEC and Fail2Ban can read log files and update firewall rules, but are largely ineffective against distributed botnets. They'll spot individual attempts, but many bots will try one at a time in general, with a long delay between each one. Having said that, there are plenty that are plain stupid and continually knock on the door.

Snort and the like are a bit hefty and require careful tending to avoid masses of false positives, although as it's on one box rather than an entire network it should be a bit easier. Also you will have to create your own actions, say using Fail2Ban to read the logs.

A carefully tuned ModSecurity on the other hand is likely to give you better results for a bit less effort than Snort and co. and it is already designed to protect what you want to protect rather than being a generalist like the others.

2
answered 4 December 2019 at 14:01
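The answer's point about log-reading tools (Fail2Ban, OSSEC) catching noisy scanners but missing slow, spread-out probes can be seen in a few lines of code. The following is an added illustration, not code from the question, the answer, or any of the projects named: it applies a Fail2Ban-style "maxretry within findtime" rule to constructed nginx access-log lines (the IPs, paths and timestamps are invented sample data).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Prefix of the nginx "combined" log format; only these fields are needed here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)

def parse_line(line):
    """Return (ip, timestamp, request, status) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("req"), int(m.group("status"))

def find_scanners(lines, maxretry=5, findtime_min=10):
    """Fail2Ban-style rule: flag an IP that produces at least `maxretry` 404s
    inside any `findtime_min`-minute window. Returns {ip: time_of_ban}."""
    findtime = timedelta(minutes=findtime_min)
    hits = defaultdict(list)   # ip -> timestamps of recent 404s
    banned = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, _req, status = parsed
        if status != 404 or ip in banned:
            continue
        # keep only 404s that fall inside the sliding window ending at this hit
        hits[ip] = [t for t in hits[ip] if ts - t <= findtime] + [ts]
        if len(hits[ip]) >= maxretry:
            banned[ip] = ts
    return banned

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    '203.0.113.10 - - [14/Mar/2014:22:33:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 162 "-" "-"',
    '203.0.113.10 - - [14/Mar/2014:22:33:02 +0000] "GET /pma/ HTTP/1.1" 404 162 "-" "-"',
    '203.0.113.10 - - [14/Mar/2014:22:33:03 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "-"',
    '203.0.113.10 - - [14/Mar/2014:22:33:04 +0000] "GET /admin/ HTTP/1.1" 404 162 "-" "-"',
    '203.0.113.10 - - [14/Mar/2014:22:33:05 +0000] "GET /backup/ HTTP/1.1" 404 162 "-" "-"',
    '192.0.2.5 - - [14/Mar/2014:22:34:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.7 - - [14/Mar/2014:22:40:00 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 162 "-" "-"',
    '198.51.100.7 - - [14/Mar/2014:23:10:00 +0000] "GET /pma/ HTTP/1.1" 404 162 "-" "-"',
    '198.51.100.7 - - [14/Mar/2014:23:40:00 +0000] "GET /admin/ HTTP/1.1" 404 162 "-" "-"',
]

if __name__ == "__main__":
    for ip, when in find_scanners(SAMPLE_LOG).items():
        print(f"ban {ip} at {when.isoformat()}")  # only the noisy 203.0.113.10 is caught
```

The noisy host trips the rule within seconds, while 198.51.100.7, probing every 30 minutes, never has enough 404s inside one window; widening `findtime_min` catches it but raises the false-positive risk on ordinary users, which is the tuning trade-off the answer alludes to.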
