----- Message from "James Wade" <jkwade at futurefrontiers.com> on Thu, 25 Jan 2007 14:07:05 -0600 -----
To:
<hobbit at hswn.dk>
Subject:
Security Monitoring
Is anyone doing any security monitoring with Hobbit?
So, for example, monitoring to see if multiple login attempts are being made using different accounts, but all from the same IP address.
Thanks,
James
----- Message from henrik at hswn.dk (Henrik Stoerner) on Thu, 25 Jan 2007 22:16:06 +0100 -----
To:
hobbit at hswn.dk
Subject:
Re: [hobbit] Security Monitoring
On Thu, Jan 25, 2007 at 02:07:05PM -0600, James Wade wrote:
> Is anyone doing any security monitoring with Hobbit?
> So, for example, monitoring to see if multiple login attempts are being made using different accounts, but all from the same IP address.
It's not part of Hobbit. I guess it would be fairly easy to do with the client data, since it includes the "who" output. Writing a server-side script which is fed all of the client data, and analyses the login data would probably be fairly easy for someone with a bit of Perl experience.
(You'd run a command like hobbitd_channel --channel=client myscript.pl from hobbitlaunch.cfg. The "myscript.pl" program then gets all of the client data, with each client message starting with "@@client#").
I use the "ports" status to check for unauthorized network services running. Some of my co-admins weren't quite up to speed on what Hobbit could do, so they got a bit of a scare when I phoned them and started asking questions less than 5 minutes after they accidentally started an SNMP daemon on one of my servers.
Regards, Henrik
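A server-side channel script of the kind Henrik describes, added here as an illustration rather than code from the thread or from Hobbit itself. It is written in Python instead of Perl; the "@@client#" header field layout, the "[who]" section name and the sample client stream are assumptions. It groups the "who" output per remote source and reports any source that is logged in under several distinct accounts on one host.

```python
import re
import sys
from collections import defaultdict
# Constructed sample of what "hobbitd_channel --channel=client" feeds the script. Assumed
# layout: '|'-separated header (hostname fourth), a [who] section, "@@" ending the message.
SAMPLE_STREAM = """@@client#1|1169755625|10.0.0.1|web01|linux
[who]
root     pts/0        2007-01-25 13:58 (10.0.0.5)
alice    pts/1        2007-01-25 14:02 (10.0.0.5)
bob      pts/2        2007-01-25 14:04 (10.0.0.5)
carol    pts/3        2007-01-25 14:05 (192.0.2.7)
@@
"""
WHO_LINE = re.compile(r"^(\S+)\s+(\S+)\s+.*\((\S+)\)\s*$")  # user, tty, ..., (source)
def parse_client_messages(stream):
    """Yield (hostname, {section: [lines]}) for each @@client# message in the stream."""
    host, sections, current = None, {}, None
    for line in stream.splitlines():
        if line.startswith("@@client#"):
            host, sections, current = line.split("|")[3], {}, None
        elif line == "@@" and host is not None:
            yield host, sections
            host = None
        elif line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = []
        elif current is not None:
            sections[current].append(line)

def accounts_per_source(who_lines):
    """Map each remote source in the who output to the set of accounts logged in from it."""
    by_source = defaultdict(set)
    for line in who_lines:
        m = WHO_LINE.match(line)
        if m:  # local console sessions have no "(source)" field and are skipped
            by_source[m.group(3)].add(m.group(1))
    return by_source

def find_shared_sources(stream, threshold=3):
    """Return (host, source, accounts) for sources holding >= threshold distinct accounts."""
    hits = []
    for host, sections in parse_client_messages(stream):
        for src, users in accounts_per_source(sections.get("who", [])).items():
            if len(users) >= threshold:
                hits.append((host, src, sorted(users)))
    return hits
if __name__ == "__main__":  # under hobbitd_channel the client stream arrives on stdin
    stream = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_STREAM
    for host, src, users in find_shared_sources(stream):
        print(f"{host}: {src} is logged in as {len(users)} accounts: {', '.join(users)}")
```

Run from hobbitlaunch.cfg as the script behind hobbitd_channel, it reads the channel on stdin; run by hand with no piped input it analyses the embedded sample.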
James: Here is something I am in the process of doing. There is a security scoring program available from CIS (The Center for Internet Security), http://www.cisecurity.org. They have free tools available for many popular flavors of Unix. It would be fairly easy to run the tool, filter the output and send said data to Hobbit. I plan on doing this at some point in the future.
Regards, Jim