Hello,
Can I protect a service like vsftpd from Brute-force attack via Suricata-IDS?
Thank you.
IDS mode is passive, so it’s no real protection you will just see a potential attack. In IPS mode you could block it if you have a rule for that.
I used https://kifarunix.com/install-and-setup-suricata-on-centos-8/ tutorial for installed the Suricata-IDS. Which mode is enabled?
Can you show me any rule about it?
IDS mode is the default mode in most cases/
I don’t have a rule for that, that’s something you either have to check in the different signature sources like Emerging Threats or write your own rule(s) to match your usecase
If the default option is IDS then what is the rule of “rules” files? They loaded but not protecting the system?
The rules are a set of signatures that tell Suricata what to “alert” on. This information is separate from the Suricata program so people can create them, and load them into Suricata. For the most part the rules look for a pattern in the network traffic and create an alert to let you know what happened. I often think of this as the start of investigating further to see if its something that needs attention, is a false positive, or just some extra noise on the network.
If you do configure Suricata to run inline, then you can optionally “drop” the packet that triggered the alert to provide protection. It is generally up to you, the user to decide what rules should be convert to drop. I personally don’t run inline so never really consider what I would turn into a drop rule.
Did you see
https://kifarunix.com/install-and-setup-suricata-on-centos-8/?
If with above configuration the Suricata-IDS just working as IDS and doesn’t protect the server, then why that tutorial used “hping” tool to launch a DDos attack and Suricata-IDS blocked it?
I don’t see anything about blocking in that tutorial. Just detecting.
Please see " Perform SSH DDoS Test Attack" section. What about now?
I think that was just a poor choice of rule to use in the example. While the rule does have a description of “ET DROP Spamhaus DROP Listed Traffic Inbound group 1”, it is just an alert rule. It would still be up to you as the user to:
- Setup Suricata to run inline.
- Convert this rule to a drop rule.