Xymon Mailing List Archive

Log/file monitoring based on occurrence?

list Adam Goryachev
Fri, 11 Jan 2013 04:31:33 +1100
Message-Id: <user-18f1b1eb8e5e@xymon.invalid>

On 11/01/13 01:25, Mike Burger wrote:
>> On 11/01/13 00:19, Mike Burger wrote:
>>> That's what I figured, after having looked at the analysis.cfg man page
>>> multiple times.
>>>
>>> If I want to do this, then, I'm going to have to script something to
>>> analyze X amount of time and do something if it sees occurrences >= Y and
>>> then feed that to Xymon somehow.
>>>
>>> Thanks.
>> You might be able to use something like fail2ban, and configure it to
>> simply add some text to a logfile instead of adding an iptables entry...
>> Then let xymon monitor this fail2ban logfile...
>>
>> Possibly overkill, but just thought I'd mention it... better to re-use
>> something that already exists...
> At home, I use DenyHosts to do something similar on my publicly connected
> systems.
>
> At work, I've got two issues preventing this:
>
> A) No iptables in use on the internally networked Linux systems.
> B) The system where I'm looking to implement this approach is an AIX
> system, so there's no iptables or any other onboard firewall.
>
> The real reason we're looking at this, at all, is for security auditing
> purposes. We can't keep an active eye on failed logins, all day, so we're
> looking for something that can be used to alert us if an arbitrary number
> of failed logins occurs within an arbitrary amount of time, based on the
> audit logger's stream.

Right, and fail2ban (which uses python and I'm assuming is portable to
AIX) can be configured to do anything you ask it; by default, it adds a
firewall rule to iptables. There is nothing stopping you from disabling
the iptables calls, and simply using the fail2ban log itself, or
changing the iptables command to instead add some log entry somewhere
which is then fed into xymon.

Regards,
Adam

-- 
Adam Goryachev
Website Managers
www.websitemanagers.com.au