Anyone use an Intrusion Detection System or Prevention System that they were happy with? I've mucked with Snort and Cisco, but right now it's the simple things like the following that make me real happy:
# The SSHSCAN chain has to exist before INPUT can jump to it
$IPTABLES -N SSHSCAN
# Only new SSH connections (bare SYN, no FIN/RST/ACK) are sent to SSHSCAN
$IPTABLES -A INPUT -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -j SSHSCAN
# Record this source address in the "SSH" recent list (--rsource is the default)
$IPTABLES -A SSHSCAN -m recent --set --name SSH --rsource
# 5th or later SYN from the same source within 300 s: log it, then drop it.
# --update also refreshes the entry, so a host that keeps knocking stays blocked.
$IPTABLES -A SSHSCAN -m recent --update --seconds 300 --hitcount 5 --name SSH \
    --rsource -j LOG --log-prefix "SSH SCAN blocked: " --log-level 6
$IPTABLES -A SSHSCAN -m recent --update --seconds 300 --hitcount 5 --name SSH \
    --rsource -j DROP
Because with those simple iptables rules, I get to see the following and smile:
04:52:10 GMT raq0 [info] sshd[13102]: Invalid user test from 219.151.6.101
04:52:16 GMT raq0 [info] sshd[13107]: Invalid user guest from 219.151.6.101
04:52:16 GMT raq0 [info] SSH SCAN blocked: IN=eth0 OUT= SRC=219.151.6.101 DST=216.220.171.42 \
LEN=60 TTL=51 ID=4893 DF PROTO=TCP SPT=42526 DPT=22
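To see exactly why the fifth SYN in that log gets dropped, and what the rules do and don't catch, here is a small Python model of the `recent` match as those four rules use it. This is an added example, not code from the original post and not the kernel's xt_recent code: it models only `--set` (record a timestamp for the source), `--update --seconds 300 --hitcount 5` (match when at least five recorded timestamps are no older than 300 s, and on a match record another one), and the per-address stamp cap, which is assumed to be the kernel default ip_pkt_list_tot of 20. The traffic patterns and the 203.0.113.x addresses are constructed.

```python
"""Toy model of the iptables `recent` match as used by the SSHSCAN chain.

Added example, not code from the original post. It models just enough of
xt_recent to show why the 5th SYN gets dropped: `--set` records a
timestamp for the source address, `--update --seconds S --hitcount H`
matches when at least H recorded timestamps are no older than S seconds,
and a successful --update records another timestamp (refreshes the entry).
The per-address stamp cap (ip_pkt_list_tot, default 20) is modelled too.
Sample traffic below is constructed; the addresses are documentation-range.
"""
from collections import defaultdict, deque

WINDOW = 300     # --seconds 300
HITCOUNT = 5     # --hitcount 5
LIST_TOT = 20    # kernel default ip_pkt_list_tot (assumed, not from the post)


class RecentTable:
    """One named list (`--name SSH`) keyed by source address."""

    def __init__(self, list_tot=LIST_TOT):
        # deque(maxlen=...) drops the oldest stamp once the cap is reached
        self.entries = defaultdict(lambda: deque(maxlen=list_tot))

    def set(self, src, now):
        """-m recent --set: create/refresh the entry with this packet's time."""
        self.entries[src].append(now)

    def update(self, src, now, seconds=WINDOW, hitcount=HITCOUNT):
        """-m recent --update --seconds --hitcount: True if src is known and
        has >= hitcount stamps within the window; a match adds a stamp."""
        if src not in self.entries:
            return False
        stamps = self.entries[src]
        hits = sum(1 for t in stamps if now - t <= seconds)
        if hits >= hitcount:
            stamps.append(now)
            return True
        return False


def sshscan_chain(table, src, now):
    """Run one inbound SSH SYN through the SSHSCAN rules in order.
    Returns (verdict, logged): verdict is "DROP" or "RETURN" (the SYN
    falls back to the rest of INPUT and reaches sshd)."""
    table.set(src, now)                    # rule 1: --set
    logged = table.update(src, now)        # rule 2: --update ... -j LOG
    dropped = table.update(src, now)       # rule 3: --update ... -j DROP
    return ("DROP" if dropped else "RETURN"), logged


def simulate(events):
    """events: iterable of (time_seconds, src) SYN arrivals in time order.
    Returns a list of (time, src, verdict)."""
    table = RecentTable()
    out = []
    for now, src in events:
        verdict, _ = sshscan_chain(table, src, now)
        out.append((now, src, verdict))
    return out


def verdicts(events):
    return [v for _, _, v in simulate(events)]


# Constructed traffic patterns
FAST_SCANNER = [(t, "203.0.113.5") for t in range(6)]          # 6 SYNs in 6 s
SLOW_SCANNER = [(100 * i, "203.0.113.6") for i in range(8)]    # 1 SYN every 100 s
PERSISTENT = ([(t, "203.0.113.7") for t in range(5)] +
              [(t, "203.0.113.7") for t in range(60, 1201, 60)])  # blocked, keeps knocking

if __name__ == "__main__":
    cases = [
        ("fast scanner", FAST_SCANNER),
        ("slow scanner", SLOW_SCANNER),
        ("persistent", PERSISTENT),
        ("persistent, then 400 s pause", PERSISTENT + [(1600, "203.0.113.7")]),
    ]
    for name, ev in cases:
        print(f"{name:30s} {' '.join(verdicts(ev))}")
```

Two things the model makes visible that the rules themselves don't: the hitcount counts SYNs, not failed logins, so a scanner that paces itself at four attempts per five minutes is never touched, while a legitimate user opening five sessions in five minutes is; and because `--update` refreshes the entry on every match, a host that keeps sending SYNs stays blocked indefinitely and only gets another four tries after it has been quiet for the full window. On a live box the current list can be inspected with `cat /proc/net/xt_recent/SSH`.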