LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 02-12-2013, 01:30 PM   #1
Rohant
Member
 
Registered: Oct 2011
Location: India, Mumbai
Distribution: RHEL, Fedora,Ubuntu, Centos, Windows XP & Windows 7
Posts: 44

intrusion detection system


Hi All,

I am currently working on a CentOS 5.7 x64 OS.

My servers are in a DC, behind the firewall.

I want to set up an intrusion detection system in my network so that I come to know when someone tries to take, or takes, an unauthorized login on my server; clearly, hacking into my servers from an outside network.

We listed the IPs which can SSH to the server in "/etc/hosts.allow", and deny ssh=all in the "/etc/hosts.deny" file.

iptables rules are configured.

I want to set up an application that is open source (free) which can detect an attack or someone trying to take unauthorized access to my servers, if possible with a web interface to monitor activities.

If the above incident took place, the application/tool should mail my team or send an SMS.

I searched for OSSEC, Snort & IDS tools. I read about them but am very confused about setting alert rules on them.

If someone has better suggestions, please let me know.

I want to secure my servers at a higher level.

Also, if possible, advise me on security for Linux servers & how I can secure my servers.

I am really interested in computer security & want to learn badly.

Thanks in Advance.

Last edited by Rohant; 02-12-2013 at 01:31 PM.
 
Old 02-12-2013, 02:26 PM   #2
gilead
Senior Member
 
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware64 14.0
Posts: 4,141

Have a look at the sticky threads at the top of this forum. The information on intrusion detection should be useful. The reason the information you have seen is complicated is that there are a lot of things to consider when securing your system initially and then maintaining your systems and their security.

What problems did you have with SNORT and the other things you tried? If you post more information there are people who will be able to help.
 
Old 02-12-2013, 02:27 PM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

...in addition to what gilead said:

Quote (originally posted by Rohant):
I am currently working on a CentOS 5.7 x64 OS.
Then it's 2 updates behind: current is 5.9.


Quote (originally posted by Rohant):
I want to set up an application that is open source (free) which can detect an attack or someone trying to take unauthorized access to my servers, if possible with a web interface to monitor activities. If the above incident took place, the application/tool should mail my team or send an SMS.
What services are exposed through the DC firewall? Only SSH, or what else? What have you done to secure and harden these servers apart from the firewall and tcp_wrappers?


Quote (originally posted by Rohant):
I searched for OSSEC, Snort & IDS tools. I read about them but am very confused about setting alert rules on them.
Set up a host where you can test things out. (It doesn't have to be a hard disk installation: you could use virtualization like VMware, VirtualBox, QEmu, etc.) After reading the documentation, install the application and configure it. Test whether you can make it log an alert. If it doesn't work, feel free to ask specific questions, providing an account of the steps you took, configuration files, error output, log excerpts, et cetera.


Quote (originally posted by Rohant):
Also, if possible, advise me on security for Linux servers & how I can secure my servers.
What have you searched for and read so far?
 
Old 02-13-2013, 08:02 AM   #4
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Quote (originally posted by Rohant):
I want to set up an intrusion detection system in my network so that I come to know when someone tries to take, or takes, an unauthorized login on my server; clearly, hacking into my servers from an outside network.
Upon reading this, the first thing that came to mind was getting to know your log files intimately. Understand what each of them does, how they are configured, and how different aspects of your system contribute to them. While this is undoubtedly covered in the intrusion prevention references, I think it bears special mention. In my opinion it is one of the most critical, active things you can do, as well as the most often overlooked and ignored.
 
Old 02-13-2013, 06:51 PM   #5
jnihil
Member
 
Registered: Dec 2012
Location: inside the matrix
Distribution: Debian, Xubuntu, Gentoo, Antergos
Posts: 90

Quote (originally posted by Noway2):
Upon reading this, the first thing that came to mind was getting to know your log files intimately. Understand what each of them do, how they are configured, and how different aspects of your system contribute to them. While this is undoubtedly covered in the intrusion prevention references, I think it bears special mention. In my opinion it is one of the most critical, active things you can do. As well as being the most often overlooked and ignored.
I couldn't agree more. The log is your friend.
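To make the "know your log files" advice from Noway2 and jnihil concrete for the OP's setup (sshd behind tcp_wrappers on CentOS 5), here is an added example, not code from any poster, that reads the sshd lines /var/log/secure carries and turns them into the three findings an alert mail would be built from: sources with repeated failed logins, connections hosts.deny turned away, and accepted logins from a source that is not in the hosts.allow list. The log lines, hostnames and addresses below are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in the /var/log/secure format that sshd and
# tcp_wrappers write on CentOS 5; hosts and addresses are made up.
SAMPLE_SECURE_LOG = """\
Feb 12 13:30:01 web1 sshd[2101]: Accepted publickey for rohant from 192.0.2.10 port 50122 ssh2
Feb 12 13:30:07 web1 sshd[2105]: Failed password for invalid user admin from 203.0.113.5 port 4422 ssh2
Feb 12 13:30:09 web1 sshd[2105]: Failed password for invalid user admin from 203.0.113.5 port 4423 ssh2
Feb 12 13:30:12 web1 sshd[2106]: Failed password for root from 203.0.113.5 port 4425 ssh2
Feb 12 13:31:40 web1 sshd[2110]: refused connect from 198.51.100.7 (198.51.100.7)
Feb 12 13:32:02 web1 sshd[2114]: Accepted password for root from 203.0.113.5 port 4430 ssh2
"""

FAILED_RE = re.compile(r"sshd\[\d+\]: Failed \w+ for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+) port")
REFUSED_RE = re.compile(r"sshd\[\d+\]: refused connect from (\S+)")


def analyse_secure_log(text, allowed_sources, fail_threshold=3):
    """Summarise sshd events; allowed_sources mirrors the IPs in /etc/hosts.allow."""
    failures = Counter()       # failed logins per source address
    refused = Counter()        # connections tcp_wrappers (hosts.deny) rejected
    unexpected_logins = []     # (user, source) for logins from outside hosts.allow
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = REFUSED_RE.search(line)
        if m:
            refused[m.group(1)] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m and m.group(2) not in allowed_sources:
            unexpected_logins.append((m.group(1), m.group(2)))
    # Only sources at or above the threshold are worth an alert.
    brute_force = {src: n for src, n in failures.items() if n >= fail_threshold}
    return {"brute_force": brute_force,
            "refused": dict(refused),
            "unexpected_logins": unexpected_logins}


if __name__ == "__main__":
    report = analyse_secure_log(SAMPLE_SECURE_LOG, allowed_sources={"192.0.2.10"})
    for key, value in report.items():
        print(key, value)
```

On a real host the same function would be fed the tail of /var/log/secure by cron or a log-watching daemon, and a non-empty report is what gets mailed to the team.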