  1. #1

    Do I need Intrusion Detection?

    Hi everyone,

    I recently purchased a small (1GB) unmanaged VPS plan for standard Drupal hosting.
    Because my client is politically involved, I'd like to lock down the machine as much as possible. But performance impact is still an issue.
    So I wanted to ask you, do you think that for such a machine, I'd need an intrusion detection/prevention system like Snort or OSSEC?
    Also, if it's relevant, antivirus software like ClamAV?
    Do you know how efficient these are, and if they can slow down a small VPS like mine?

    Thanks!

  2. #2
    Why a VPS? Why not a business pro quality shared hosting or a semi dedicated shared?

  3. #3
    Why a VPS? Why not a business pro quality shared hosting or a semi dedicated shared?
    Why not shared: It's a RAM-hungry website. I need guaranteed resources.
    Why not semi dedicated: I'm broke. My client too :p
    Why Unmanaged: I want to learn as much as possible in the process.

    An Unmanaged VPS gives me an awesome price/performance ratio.
    Do you have an opinion on the usefulness of AV/IDS/IPS on small web servers?

  4. #4
    Go with ConfigServer Firewall, that should be enough.

  5. #5
    If that is the case, then route the web traffic through Cloudflare, Incapsula or something similar, and host the mail on a third-party server, e.g. Google Apps, so that anyone specifically targeting him will have to do at least some extra work before getting to your VPS.

    Oh yes, if this is a production site, and that too for a client, I would leave the learning to a cheap test VPS somewhere else and get a managed VPS. The last thing you want is the site being down because you broke something while learning, and that politically involved client getting angry with you!

  6. #6
    CSF might not be enough. I've hosted plenty of political web sites, one was the first openly gay man to run for US Senate in Oregon. Some people apparently believe this is a bad thing, so I did a lot of pre-planning. The site was only targeted for a DoS one time, but I saw some crazy sh** passing through the Apache error logs.

    Point is, you never know - someone may find that one open hole and you're screwed -- if it's a hot issue, absolutely get CSF installed, and rkhunter. And chkrootkit. And LSM. And I'd also advise installing a security plugin for Drupal. Something which uses .htaccess to redirect administrator URLs to a 404, block weird-looking user agent strings and the like. Learn about ModSecurity.

    Run over to R-fx and download/install Maldet to top it off:

    https://www.rfxn.com/projects/linux-malware-detect/

    Set up a cron job to run 'maldet -a /path/to/webroot/*/*' or something along those lines -- check the docs. You'd need ClamAV for this.


    Hope this helps. Good luck!
    Last edited by Technolojesus; 12-24-2013 at 02:45 AM.
    | John Edel Jetfire Networks L.L.C. Trusted Hosting Solutions
    | Consistent, Reliable, Stable OpenVZ & KVM Virtual Private Servers
    | SpamWall AV & Full SMTP Filtering
    Now an SSLStore Titanium Partner!

  7. #7
    Great answers, wasn't expecting such detail, thanks! =D
    One small question, though: wouldn't all these security systems stack up and bring a 1GB VPS to its knees?
    Also, a question that's been bothering me for long: the site used to be hosted on DreamHost managed VPS (ughh...). Are big hosts like that inherently more secure? They're good at keeping that part secret!
    Finally, I thought the CloudFlare idea was awesome as they offer a generous free plan and have POPs worldwide, which is a big plus as many users are in EMEA =)


    jetfirenetworks, your experience is extremely interesting. I'm looking up CSF/rkhunter/chkrootkit/LSM/maldet right now.
    Last edited by th3m1773n; 12-24-2013 at 04:03 AM.

  8. #8
    If you're hosting a single site on this VPS (mail server included) and it's your basic LAMP with no control panel, you might cut it a little close at peak points but you should be fine. You're going to see the most memory use from ClamAV and CSF most likely. Maldet should be OK if you're scanning only one or two webroots, it may hold some of that memory, but if you get a VPS with swap/vswap configured you'll have more breathing room... 1GB fast memory + 1GB slow memory would be better than no swap at all.

    I'm running everything I mentioned earlier on both cPanel and Interworx, for the shared clients, plus the full ConfigServer suite. Right now both cPanel/WHM servers are utilizing 1.1 GB of a 4GB memory allocation, and the Interworx server between 650 and 800 MB. When you run a clamscan you may notice some slowness while it runs. You may consider at least 1.5 GB physical memory to be safe. The extra 512M will make a difference.
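The memory accounting this post does by eye (how much CSF, ClamAV and maldet hold, whether 1 GB is cutting it close) can be measured per tool instead of guessed. The script below is an added example, not code from the thread: it snapshots the container's /proc/meminfo before and after each install step and reports the difference in used memory. It assumes a Linux meminfo (an OpenVZ container sees its own virtualised copy); SNAP_DIR and the step names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread: snapshot container memory before and
# after each security tool (CSF, ClamAV, maldet, ...) is installed, so their
# cost on a small VPS can be compared one step at a time.
# Assumptions: a Linux /proc/meminfo (an OpenVZ container sees its own
# virtualised copy); SNAP_DIR and the step names are hypothetical.
set -u

SNAP_DIR="${SNAP_DIR:-/var/tmp/memsnap}"

# Print "<total_kB> <available_kB> <used_kB>" from a meminfo file.
# MemAvailable only exists on kernels from 3.14 on; older kernels such as the
# OpenVZ 2.6.32 series lack it, so fall back to MemFree + Buffers + Cached.
mem_summary() {
    awk '
        /^MemTotal:/     { total = $2 }
        /^MemFree:/      { free = $2 }
        /^Buffers:/      { buffers = $2 }
        /^Cached:/       { cached = $2 }
        /^MemAvailable:/ { avail = $2; has_avail = 1 }
        END {
            if (!has_avail) avail = free + buffers + cached
            printf "%d %d %d\n", total, avail, total - avail
        }' "${1:-/proc/meminfo}"
}

# Difference in used kB between two saved snapshots (positive = more in use).
mem_delta() {
    before=$(mem_summary "$1" | cut -d' ' -f3)
    after=$(mem_summary "$2" | cut -d' ' -f3)
    echo $((after - before))
}

# Save /proc/meminfo under a step name, e.g. "before-csf", "after-csf",
# and print the summary for that step.
snapshot() {
    mkdir -p "$SNAP_DIR"
    cat /proc/meminfo > "$SNAP_DIR/$1.meminfo"
    mem_summary "$SNAP_DIR/$1.meminfo"
}

# Largest resident processes (GNU procps), to see which daemon took the memory.
top_rss() {
    ps -eo rss=,comm= --sort=-rss | head -n "${1:-8}"
}

# Typical sequence on the VPS:
#   snapshot before-csf; <install and start CSF>; snapshot after-csf
#   mem_delta /var/tmp/memsnap/before-csf.meminfo /var/tmp/memsnap/after-csf.meminfo
```

Take the "after" snapshot a few minutes after the daemon starts and once a clamscan or maldet run has actually happened, since the post's point is that the scan, not the idle daemon, is what you notice on a 1 GB box.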

  9. #9
    Alright! All this sounds very good, thank you so much for all these answers.
    I was thinking about upgrading to 2GB (+ 2GB VSwap), as it's not that expensive after all.

    To be more specific, the VPS will only host one production Drupal install ('bout 200k pageviews/month), and 2 test/staging installs. No Control Panel.
    Also running MySQL locally, as well as APC + Memcached + Varnish, all of which are quite RAM-hungry...
    All mail and services hosted on Google Apps.

    Do you think that offloading some of the security work to systems like incapsula/cloudflare is a good option?

  10. #10
    Set up a cron job to run 'maldet -a /path/to/webroot/*/*' or something along those lines
    I should have mentioned, obviously you'd want to set this up in a standard cron format.
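Post #6 suggests running maldet from cron and this post notes it belongs in standard cron format. The wrapper below is an added example, not code from the thread or the rfxn project: it runs the scan at the lowest CPU and I/O priority (the thread's performance worry), takes a lock so a slow full scan and the next scheduled run cannot overlap, and invokes maldet once per webroot. The script name, the /var/www/<site>/public_html layout and the cron times are assumptions; the -a (scan all) and -r (scan recently changed files, with a day count) options are maldet's own.

```shell
#!/bin/sh
# Added example (not from the thread or from the maldet project): a cron wrapper
# for Linux Malware Detect on a small VPS. Assumptions: maldet is installed
# from rfxn.com and on PATH, each site lives under /var/www/<site>/public_html
# (a hypothetical layout), and flock(1) from util-linux is available.
# Install as /usr/local/sbin/maldet-cron.sh and schedule it in standard
# crontab format, e.g. (crontab -e as root):
#   17 3 * * *   /usr/local/sbin/maldet-cron.sh daily  >> /var/log/maldet-cron.log 2>&1
#   47 4 * * 0   /usr/local/sbin/maldet-cron.sh weekly >> /var/log/maldet-cron.log 2>&1
set -u

LOCK_FILE="${LOCK_FILE:-/var/lock/maldet-cron.lock}"
WEBROOT_GLOB="${WEBROOT_GLOB:-/var/www/*/public_html}"
RECENT_DAYS="${RECENT_DAYS:-1}"   # daily run: only files changed in the last N days

# Expand the webroot glob and print only real directories, one per line.
# An unmatched glob would otherwise be handed to maldet as a literal path,
# and scanning one directory per maldet call avoids relying on maldet's own
# wildcard handling.
select_webroots() {
    for d in $1; do
        [ -d "$d" ] && printf '%s\n' "$d"
    done
    return 0
}

# Run a command at the lowest CPU and I/O priority so a scan cannot starve
# Apache/MySQL on a 1 GB container. ionice -c 3 (idle class) is probed first
# because some virtualisation setups refuse it.
low_prio() {
    if command -v ionice >/dev/null 2>&1 && ionice -c 3 true 2>/dev/null; then
        nice -n 19 ionice -c 3 "$@"
    else
        nice -n 19 "$@"
    fi
}

# daily  -> maldet -r ROOT DAYS (recently changed files only; cheap)
# weekly -> maldet -a ROOT      (full scan, the form used in the thread)
# A non-blocking flock stops a slow weekly scan and the daily one overlapping.
run_scans() {
    mode="${1:-daily}"
    command -v maldet >/dev/null 2>&1 || { echo "maldet not installed" >&2; return 1; }
    exec 9>"$LOCK_FILE"
    if ! flock -n 9; then
        echo "$(date '+%F %T') another scan is still running, skipping" >&2
        exec 9>&-
        return 0
    fi
    select_webroots "$WEBROOT_GLOB" | while IFS= read -r root; do
        echo "$(date '+%F %T') $mode scan of $root"
        if [ "$mode" = weekly ]; then
            low_prio maldet -a "$root"
        else
            low_prio maldet -r "$root" "$RECENT_DAYS"
        fi
    done
    exec 9>&-
}

case "${1:-}" in
    daily|weekly) run_scans "$1" ;;
esac
```

The daily pass with -r only touches files changed since the last run, which is what keeps a scheduled scan cheap on a 1 GB box; the full -a pass is the one to watch in the memory snapshots and to keep to a quiet hour.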

  11. #11
    Quote Originally Posted by th3m1773n View Post
    Alright! All this sounds very good, thank you so much for all these answers.
    I was thinking about upgrading to 2GB (+ 2GB VSwap), as it's not that expensive after all.

    To be more specific, the VPS will only host one production Drupal install ('bout 200k pageviews/month), and 2 test/staging installs. No Control Panel.
    Also running MySQL locally, as well as APC + Memcached + Varnish, all of which are quite RAM-hungry...
    All mail and services hosted on Google Apps.

    Do you think that offloading some of the security work to systems like incapsula/cloudflare is a good option?
    It may have some benefits - 200k is a decent amount of traffic, plus I recall Drupal (vanilla) being rather greedy with the resources, but going with a 2x2 RAM+VSwap is going to make all the difference in the world. Varnish... that I'd have to test again, since it's been a while and I can't recall exactly how much RAM it took up.

    Suggest ordering the VPS from your provider and installing all of the non security-related necessities first. See how the VPS is holding up, and immediately after, apply the security measures singularly, run through them once or twice, keeping an eye on your resources, move to the next tool, and so on. Still, with the VSwap, you'd have a 4GB (total) designation on the container. Assuming the provider isn't overselling, you shouldn't really have to worry about much more than monitoring logs after the installs are complete.
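Post #5 proposes fronting the site with Cloudflare or Incapsula and this post agrees it has benefits; the check a practitioner adds is that the origin must then accept web traffic only from the CDN's own address ranges, otherwise anyone who learns the VPS IP (stale DNS records, mail headers, a subdomain that never went through the CDN) talks to Drupal directly and the filtering is bypassed. The script below is an added example, not code from the thread, ConfigServer or any CDN. It assumes CSF (recommended in post #4) with its files in /etc/csf and a locally saved file of the CDN's published IPv4 ranges; the addresses in the comments are RFC 5737 documentation ranges used as a constructed sample, not real CDN networks.

```shell
#!/bin/sh
# Added example, not from the thread or from ConfigServer/Cloudflare/Incapsula.
# Once a CDN/WAF fronts the site, ports 80/443 on the VPS should accept only
# the CDN's address ranges; otherwise the filtering is bypassed by anyone who
# learns the origin IP. Assumptions: CSF is installed with /etc/csf/csf.conf and
# /etc/csf/csf.allow, and the CDN's published IPv4 ranges have been saved
# locally, one CIDR per line (192.0.2.0/24 and 198.51.100.0/25 below are
# RFC 5737 documentation ranges used as a constructed sample, not real CDN
# networks).
set -u

# Turn a CIDR list on stdin into csf.allow entries using CSF's advanced filter
# syntax (proto|direction|d=port|s=source) for 80 and 443. Blank lines and
# '#' comments are skipped; anything that is not an IPv4 CIDR is reported and
# the function returns 1, so a corrupted download never reaches csf.allow.
cdn_allow_lines() {
    rc=0
    while IFS= read -r line; do
        cidr=${line%%#*}
        cidr=$(printf '%s' "$cidr" | tr -d '[:space:]')
        [ -z "$cidr" ] && continue
        if printf '%s\n' "$cidr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' \
           && [ "${cidr##*/}" -le 32 ]; then
            printf 'tcp|in|d=80|s=%s\n' "$cidr"
            printf 'tcp|in|d=443|s=%s\n' "$cidr"
        else
            echo "rejected entry: $line" >&2
            rc=1
        fi
    done
    return $rc
}

# csf.allow entries only matter for ports that are NOT already open to the
# world in TCP_IN. Returns 0 (true) when csf.conf still lists 80 or 443 there,
# i.e. the lockdown is incomplete. Port ranges such as 30000:35000 are not
# parsed; this only looks for the two ports themselves.
web_ports_world_open() {
    sed -n 's/^TCP_IN *= *"\([^"]*\)".*/\1/p' "$1" | tr ',' '\n' | grep -Eqx '(80|443)'
}

# Typical use on the VPS (after removing 80 and 443 from TCP_IN in csf.conf):
#   web_ports_world_open /etc/csf/csf.conf && echo "80/443 still open to all"
#   cdn_allow_lines < /root/cdn-ipv4.txt >> /etc/csf/csf.allow && csf -r
```

Regenerate the entries whenever the CDN updates its published ranges, and test from an address outside the CDN that the origin IP no longer answers on 80/443; if it still does, the extra work post #5 wants an attacker to do is a single DNS history lookup.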
