
I'm looking for a lean but effective IDS/IDP/WAF solution for my tiny VPS webserver.

Currently I already use iptables and psad but a lot of the web server scanning attempts slip through. I use nginx but would prefer a web server independent solution.

What would be a lean and efficient approach to protect my tiny server from the constant scanning malware bots? Preferably low maintenance - the VPS is not too powerful as well.

Thanks a lot for hints and recommendations.

binaryanomaly

1 Answer


If it's just a web app you want to protect then ModSecurity would be my first recommendation despite you saying that you want web server independence.

The alternatives generally include something like Snort, OSSEC, Bro, Fail2Ban and company. Each has its strengths and weaknesses. OSSEC and Fail2Ban can read log files and update firewall rules but are largely ineffective against distributed botnets. They'll spot individual attempts but many bots will try one at a time in general with a long delay from each one. Having said that there are plenty that are plain stupid that continually knock on the door.

Snort and the like are a bit hefty and require careful tending to avoid masses of false positives, although as it's on one box rather than an entire network it should be a bit easier. Also you will have to create your own actions, say using Fail2Ban to read the logs.

A carefully tuned ModSecurity on the other hand is likely to give you better results for a bit less effort than Snort and co. and it is already designed to protect what you want to protect rather than being a generalist like the others.

user162383
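To illustrate the answer's point about log watchers and distributed bots, here is an added example (not code from the original post, nor Fail2Ban's own): a Fail2Ban-style per-IP sliding-window ban rule run over constructed nginx access log lines. The chatty bot is banned after its third 404, while the distributed scan, one probe per source IP, never reaches the threshold and slips through exactly as the answer describes.

```python
import re
from collections import defaultdict
from datetime import datetime

# nginx "combined" log format: client IP, timestamp, request line, status code.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)

def parse(line):
    """Return (ip, timestamp, status) for a combined-format line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, int(m.group("status"))

def fail2ban_style(lines, maxretry=3, findtime=600):
    """Ban an IP once it logs `maxretry` 404s within a `findtime`-second window,
    the per-IP sliding-window rule a Fail2Ban nginx jail applies.
    Returns (banned_ips, scanning_ips_not_banned)."""
    hits = defaultdict(list)
    banned = set()
    for line in lines:
        rec = parse(line)
        if rec is None or rec[2] != 404:
            continue
        ip, ts, _ = rec
        # keep only this IP's 404s that are still inside the window, then add this one
        hits[ip] = [t for t in hits[ip] if (ts - t).total_seconds() <= findtime] + [ts]
        if len(hits[ip]) >= maxretry:
            banned.add(ip)
    return banned, set(hits) - banned

# Constructed sample log (not from the original post): one chatty bot from
# 203.0.113.5 and a distributed scan where each 198.51.100.x address probes once.
LOG = """\
203.0.113.5 - - [15/Mar/2014:11:00:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 162 "-" "scanner"
203.0.113.5 - - [15/Mar/2014:11:00:03 +0000] "GET /pma/ HTTP/1.1" 404 162 "-" "scanner"
203.0.113.5 - - [15/Mar/2014:11:00:06 +0000] "GET /admin/ HTTP/1.1" 404 162 "-" "scanner"
198.51.100.1 - - [15/Mar/2014:11:05:00 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 162 "-" "scanner"
198.51.100.2 - - [15/Mar/2014:11:20:00 +0000] "GET /pma/ HTTP/1.1" 404 162 "-" "scanner"
198.51.100.3 - - [15/Mar/2014:11:40:00 +0000] "GET /admin/ HTTP/1.1" 404 162 "-" "scanner"
192.0.2.10 - - [15/Mar/2014:11:41:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

def demo():
    return fail2ban_style(LOG.splitlines())
```

The second set returned by `demo()` is the blind spot: three probes for the same paths that no per-IP threshold will ever correlate.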
Thanks for your information. I see that there is no such thing as I hoped for. Therefore I'll use Naxsi together with fail2ban for now as it integrates pretty well with nginx compared to modsecurity. – binaryanomaly Mar 15 '14 at 11:12