Quote:
Originally Posted by esaym
I just used psad because I only wanted to block people that port scan
Depending on the purpose of the machine (given the OP runs Apache) just portscans may be the least of his worries.
Quote:
Originally Posted by esaym
snort, just takes too much time for me to eliminate false positives. Plus it only alerts, not block
A little tweaking of the config and rulesets (and maybe a threshold or BPF filter) can help. For blocking with "regular" Snort there's third party apps like Guardian.
Quote:
Originally Posted by mike2010
Trying to figure out which Intrusion Detection System would be best for me. I've got a CentOs 5 / Linux / Apache system.
"The best" is as vague as it gets. But since you've mentioned "user friendly" too, maybe it's just you're afraid to invest time to learn to handle an IDS? Given the fact you're running something on Apache, I'd suggest you review the machine's access controls and exposed services and complement your SW toolkit with some initial assessment tools like Tiger and OpenVAS (Atomic Rocket Turtle repo, run it from a remote host), a rootkit and malware scanner like Chkrootkit or Rootkit Hunter (OSSEC HIDS includes a scanner), a filesystem integrity checker like Samhain or Aide, Snort + Guardian, Logwatch (and read the reports), fail2ban or denyhosts and mod_security.
This is by no means complete. Do search the 'net for the term "hardening" (or see this). Using those correctly, you stand a better chance.
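To make the fail2ban/denyhosts part of the advice above concrete, here is an added example (not code from the thread, fail2ban or Apache) of the log-driven logic such tools apply: parse Apache combined-format access log lines and flag hosts that rack up too many 403/404 responses inside a time window. The log lines, IP addresses and the maxretry/findtime defaults are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Apache "combined" log format: host ident user [timestamp] "request" status bytes ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) ')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample lines: one host probing for paths that do not exist, one normal visitor.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2010:13:55:36 +0000] "GET /old-site/ HTTP/1.1" 404 209 "-" "-"',
    '203.0.113.7 - - [10/Oct/2010:13:55:37 +0000] "GET /backup/ HTTP/1.1" 404 209 "-" "-"',
    '198.51.100.4 - - [10/Oct/2010:13:55:40 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "-"',
    '203.0.113.7 - - [10/Oct/2010:13:55:41 +0000] "GET /test/ HTTP/1.1" 404 209 "-" "-"',
    '203.0.113.7 - - [10/Oct/2010:13:55:42 +0000] "GET /cgi-bin/ HTTP/1.1" 403 209 "-" "-"',
    '198.51.100.4 - - [10/Oct/2010:13:56:01 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "-"',
    '203.0.113.7 - - [10/Oct/2010:13:55:44 +0000] "GET /setup/ HTTP/1.1" 404 209 "-" "-"',
    'garbage line that does not match the format',
]
def parse_line(line):
    """Return (ip, timestamp, status) for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), int(m.group("status"))

def find_offenders(lines, maxretry=5, findtime=600, statuses=(403, 404)):
    """Hosts with at least maxretry error responses inside any findtime-second window.
    Same idea as a fail2ban jail's maxretry/findtime, reimplemented here (not fail2ban code)."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] in statuses:
            hits[rec[0]].append(rec[1])
    window = timedelta(seconds=findtime)
    offenders = {}
    for ip, times in hits.items():
        times.sort()  # log lines are not guaranteed to be in time order
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= maxretry:
                offenders[ip] = end - start + 1
                break
    return offenders

if __name__ == "__main__":
    for ip, n in find_offenders(SAMPLE_LOG).items():
        print(f"ban candidate {ip}: {n} error responses inside the window")
```

In the sample, 203.0.113.7 produces five 403/404 responses within eight seconds and is reported; the normal visitor's single 404 (the missing favicon) stays under the threshold, which is exactly the tuning question (maxretry, findtime, which status codes count) you face with a real jail.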