Security Monitoring

list Henrik Størner
Thu, 25 Jan 2007 22:16:06 +0100
Message-Id: <user-584800e189cb@xymon.invalid>

On Thu, Jan 25, 2007 at 02:07:05PM -0600, James Wade wrote:
> Is anyone doing any security monitoring with Hobbit?
>
> So, for example, monitoring to see if multiple login
> attempts are being made using different accounts,
> but all from the same IP address.

It's not part of Hobbit. I guess it would be fairly easy to do with the
client data, since it includes the "who" output. Writing a server-side 
script which is fed all of the client data, and analyses the login data
would probably be fairly easy for someone with a bit of Perl experience.

(You'd run a command like 
    hobbitd_channel --channel=client myscript.pl
 from hobbitlaunch.cfg. The "myscript.pl" program then gets all of the
 client data, with each client message starting with "@@client#").

I use the "ports" status to check for unauthorized network services 
running. Some of my co-admins weren't quite up to speed on what Hobbit
could do, so they got a bit of a scare when I phoned them and started
asking questions less than 5 minutes after they accidentally started an
SNMP daemon on one of my servers.


Regards,
Henrik
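
A sketch of the kind of channel worker described in the message above, added here as an example that is not part of the original post or of Hobbit itself, and written in Python rather than Perl. Since "who" lists logged-in sessions, it flags one remote source holding sessions under several accounts. The header fields after "@@client#", the "[who]" section name, the closing "@@" line and the Linux-style "who" lines are assumptions, and the sample data is constructed.

```python
import re
import sys
from collections import defaultdict

# Constructed sample of the worker's stdin (assumed framing: header, [section] blocks, "@@").
SAMPLE = """\
@@client#101/web01|1169759766|192.0.2.10|web01|linux
[who]
alice    pts/0        2007-01-25 21:50 (198.51.100.7)
bob      pts/1        2007-01-25 21:52 (198.51.100.7)
carol    pts/2        2007-01-25 21:55 (198.51.100.7)
dave     pts/3        2007-01-25 22:01 (203.0.113.4)
root     tty1         2007-01-25 09:00
[ports]
@@
"""

WHO_LINE = re.compile(r"^(\S+)\s+\S+\s.*\(([^)]+)\)\s*$")  # user, tty, ..., (source)

def messages(lines):
    """Yield (hostname, body_lines) for each complete @@client# message."""
    host, body = None, []
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("@@client#"):
            host, body = line.split("|")[0].split("/", 1)[-1], []
        elif line == "@@" and host is not None:
            yield host, body
            host = None
        elif host is not None:
            body.append(line)

def who_by_source(body):
    """Map remote source -> set of accounts seen in the [who] section."""
    sources, in_who = defaultdict(set), False
    for line in body:
        if line.startswith("["):
            in_who = line.strip() == "[who]"
        elif in_who and (m := WHO_LINE.match(line)):
            sources[m.group(2)].add(m.group(1))  # console logins have no source
    return sources

def suspicious(lines, threshold=3):
    """List (host, source, accounts) where one source holds >= threshold accounts."""
    return [(host, src, sorted(users)) for host, body in messages(lines)
            for src, users in sorted(who_by_source(body).items()) if len(users) >= threshold]

if __name__ == "__main__":
    print("\n".join("%s: %s -> %s" % hit for hit in suspicious(sys.stdin)))
```
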