
I've been looking for an effective intrusion prevention system (IPS) for an Ubuntu 14.04 server, something like what Symantec or F-Prot might offer for a Windows server. I've contacted major companies which say they support products for Ubuntu and other Linux distros, but they end up being anti-virus only and do not offer any protection against known vulnerabilities.

I found documentation about Snort and Suricata combined with rule managers like PulledPork and OinkMaster, but as I got deeper into it, it seemed to me that these were meant to turn a server into a dedicated hardware IPS solution for a network.

  1. Can Suricata be used instead on an existing web server to simply provide intrusion prevention for that server?
  2. Is there a sample configuration available for this scenario?
  3. Would doing this slow performance down such that it would be inadvisable?

1 Answer


You can definitely use Suricata as an IPS on your web server, but generally it's not a good idea.

Maybe a host-based IDS is better for this kind of situation. Try to look at OSSEC (https://ossec.github.io). OSSEC is free and very light.

  • As you mentioned, OSSEC is a HIDS. I'm looking for something that will prevent the intrusion by detecting an exploit signature and stopping it, not something that would just alert me after the fact. It doesn't seem like a HIDS would allow for that intervention, would it? – Christopher Hinkle Jun 22 '17 at 18:35
  • Your point is correct, but it's better to place the IPS behind the gateway and also have a HIDS on the most critical servers. Don't rely solely on the IPS please. – Marco Bompani Jun 22 '17 at 18:57
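For item 2 of the question (what the host-only configuration actually looks like) and for the answer's warning about running Suricata inline on the server itself, here is an added example; it is not code from the original question, the answer, or the Suricata project. It assumes a server listening on TCP 80/443, Suricata's default config path /etc/suricata/suricata.yaml, NFQUEUE number 0, and a rules file in the plain Suricata/Snort rule syntax that PulledPork or Oinkmaster writes. The two points it makes that the thread only hints at: only the web ports are diverted into the queue, so SSH and the rest of the box never pass through Suricata (bounds the performance cost from item 3 and keeps you from locking yourself out); and the iptables `--queue-bypass` flag decides whether the site fails open or fails closed when the Suricata process dies, which is the real operational risk of an inline IPS on a single host. Vendor rulesets ship with the `alert` action, so an inline Suricata blocks nothing until some rules are rewritten to `drop`; the last function does that for one classtype rather than for the whole set.

```shell
#!/bin/sh
# Added example (not from the original post): Suricata inline on the web
# server itself via NFQUEUE. Assumptions: web server on TCP 80/443,
# Suricata config at /etc/suricata/suricata.yaml, queue number 0.
set -eu

WEB_PORTS="80,443"     # assumption: ports the web server listens on
QUEUE_NUM=0            # assumption: NFQUEUE number passed to suricata -q

# Emit the iptables commands that divert only web traffic into the queue.
# Inbound requests hit INPUT (dport), responses leave via OUTPUT (sport);
# both directions must be queued or Suricata cannot track the flow.
#   $1 = "open":   add --queue-bypass so the kernel ACCEPTs packets when no
#                  program is bound to the queue; the site stays up if
#                  Suricata dies (needs kernel 3.6+, fine on Ubuntu 14.04).
#   $1 = "closed": no bypass; queued packets are dropped while Suricata is
#                  down, so a crash takes the site offline.
nfqueue_rules() {
    flag=""
    if [ "$1" = "open" ]; then
        flag=" --queue-bypass"
    fi
    printf 'iptables -I INPUT -p tcp -m multiport --dports %s -j NFQUEUE --queue-num %s%s\n' \
        "$WEB_PORTS" "$QUEUE_NUM" "$flag"
    printf 'iptables -I OUTPUT -p tcp -m multiport --sports %s -j NFQUEUE --queue-num %s%s\n' \
        "$WEB_PORTS" "$QUEUE_NUM" "$flag"
}

# Suricata command line for IPS mode: -q binds it to the NFQUEUE number
# instead of sniffing an interface. With the default 'nfq: mode: accept'
# in suricata.yaml, every packet is re-injected unless a rule says drop.
suricata_cmd() {
    printf 'suricata -c /etc/suricata/suricata.yaml -q %s\n' "$QUEUE_NUM"
}

# Rewrite 'alert' to 'drop' only for rules of classtype $2 in file $1,
# writing the result to stdout. Converting the entire ruleset to drop is
# how people lock themselves out with false positives; start narrow.
drop_for_classtype() {
    rules_file="$1"
    classtype="$2"
    sed -E "/classtype:${classtype};/ s/^alert /drop /" "$rules_file"
}

# Number of rules in file $1 that carry the drop action (sanity check
# before loading the file). grep -c prints 0 but exits 1 on no match.
count_drops() {
    grep -c '^drop ' "$1" || true
}

# Usage: ./inline-suricata.sh show   (prints the rules; nothing is applied)
if [ "${1:-}" = "show" ]; then
    nfqueue_rules open
    suricata_cmd
fi
```

Apply the printed iptables lines by hand once you have watched Suricata run for a while with `nfq: mode: accept` and alert-only rules; flipping a classtype to `drop` is the point at which a bad signature starts costing you customers, so keep the rewritten rules file separate from the PulledPork output and re-run the conversion after each ruleset update. A HIDS such as the OSSEC suggested in the answer still belongs on the box regardless of this wiring, since NFQUEUE only ever sees what crosses the configured ports.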