----- Message from "James Wade" <user-659655b2ea05@xymon.invalid> on Thu, 25 Jan 2007 14:07:05 -0600 -----
To: <user-ae9b8668bcde@xymon.invalid>
Subject: Security Monitoring
Is anyone doing any security monitoring
with Hobbit?
So, for example, monitoring to see if multiple login
attempts are being made using different accounts,
but all from the same IP address.
Thanks,
James
----- Message from user-ce4a2c883f75@xymon.invalid (Henrik Stoerner) on Thu, 25 Jan 2007 22:16:06 +0100 -----
To: user-ae9b8668bcde@xymon.invalid
Subject: Re: [hobbit] Security Monitoring
On Thu, Jan 25, 2007 at 02:07:05PM -0600, James Wade wrote:
> Is anyone doing any security monitoring with Hobbit?
> So, for example, monitoring to see if multiple login
> attempts are being made using different accounts,
> but all from the same IP address.
It's not part of Hobbit. I guess it would be fairly easy to do with the
client data, since it includes the "who" output. Writing a server-side
script which is fed all of the client data, and analyses the login data
would probably be fairly easy for someone with a bit of Perl experience.
(You'd run a command like hobbitd_channel --channel=client myscript.pl
from hobbitlaunch.cfg. The "myscript.pl" program then gets all of the
client data, with each client message starting with "@@client#").

I use the "ports" status to check for unauthorized network services
running. Some of my co-admins weren't quite up to speed on what Hobbit
could do, so they got a bit of a scare when I phoned them and started
asking questions less than 5 minutes after they accidentally started an
SNMP daemon on one of my servers.
Regards,
Henrik
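The server-side worker described in the message above, as an added example written in Python rather than Perl (not code from this thread or from the Hobbit project): it reads client-channel data and reports any remote origin that is logged in under several accounts. The header fields after "@@client#", the lone "@@" end-of-message line, the "[who]" section name, the threshold of 3 and the function names are assumptions, and "who" only lists sessions that are currently established.

```python
import re
import sys
from collections import defaultdict

# Constructed sample input; header fields and the lone "@@" end marker are assumed.
SAMPLE = """\
@@client#1/web01|1169755625.1|192.0.2.5|web01|linux|linux
[who]
root     tty1         2007-01-25 09:00
alice    pts/0        2007-01-25 13:58 (198.51.100.7)
bob      pts/1        2007-01-25 13:59 (198.51.100.7)
[df]
Filesystem 1024-blocks Used Available Capacity Mounted on
@@
@@client#2/db01|1169755630.4|192.0.2.6|db01|linux|linux
[who]
carol    pts/0        2007-01-25 14:01 (198.51.100.7)
dave     pts/2        2007-01-25 14:02 (203.0.113.9)
@@
"""

# Remote sessions in "who" output end with the origin host in parentheses.
WHO_LINE = re.compile(r"^(\S+)\s+\S+\s.*\(([^()\s]+)\)\s*$")

def accounts_by_source(lines):
    """Map each remote origin to the set of accounts logged in from it."""
    seen = defaultdict(set)
    in_message, section = False, None
    for line in map(str.rstrip, lines):
        if line.startswith("@@client#"):      # start of one client's report
            in_message, section = True, None
        elif line == "@@":                    # assumed end-of-message marker
            in_message = False
        elif in_message and line.startswith("[") and line.endswith("]"):
            section = line[1:-1]              # section name, e.g. "who" or "df"
        elif in_message and section == "who":
            m = WHO_LINE.match(line)
            if m:                             # local sessions carry no "(origin)"
                seen[m.group(2)].add(m.group(1))
    return seen

def suspicious(lines, threshold=3):
    """Return {origin: sorted accounts} for origins with >= threshold accounts."""
    return {src: sorted(users) for src, users in accounts_by_source(lines).items()
            if len(users) >= threshold}

if __name__ == "__main__":
    feed = SAMPLE.splitlines() if sys.stdin.isatty() else sys.stdin
    for src, users in suspicious(feed).items():
        print(f"{src}: {', '.join(users)}")
```

Accounts are pooled across all reporting clients, so an origin that logs in as one user on each of three hosts is flagged just like three users on one host.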
James:
Here is something I am in the process of doing. There is a security scoring program available from CIS (The Center for Internet Security) http://www.cisecurity.org. They have free tools available for many popular flavors of Unix. It would be fairly easy to run the tool, filter the output, and send said data to Hobbit. I plan on doing this at some point in the future.
Regards,
Jim