Is anyone doing any security monitoring with Hobbit?

So, for example, monitoring to see if multiple login attempts are being made using different accounts, but all from the same IP address.

Thanks..James

On Thu, Jan 25, 2007 at 02:07:05PM -0600, James Wade wrote:
> Is anyone doing any security monitoring with Hobbit?
> So, for example, monitoring to see if multiple login attempts are being made using different accounts, but all from the same IP address.

It's not part of Hobbit. I guess it would be fairly easy to do with the client data, since it includes the "who" output. Writing a server-side script which is fed all of the client data, and analyses the login data would probably be fairly easy for someone with a bit of Perl experience. (You'd run a command like hobbitd_channel --channel=client myscript.pl from hobbitlaunch.cfg. The "myscript.pl" program then gets all of the client data, with each client message starting with "@@client#").

I use the "ports" status to check for unauthorized network services running. Some of my co-admins weren't quite up to speed on what Hobbit could do, so they got a bit of a scare when I phoned them and started asking questions less than 5 minutes after they accidentally started an SNMP daemon on one of my servers.

Regards,
Henrik
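
A sketch of the server-side script described in the reply above, added here as an example and not taken from the thread or from Hobbit itself; it is written in Python rather than the Perl the reply suggests. Assumptions: the hostname is the fourth `|`-separated header field, each message ends with a line containing only `@@`, and `who` prints the remote address in parentheses (Linux style). The sample stream is constructed.

```python
import re
import sys
from collections import defaultdict

# Linux-style `who` line: user, tty, login time, "(remote host)" at the end.
WHO_LINE = re.compile(r"^(\S+)\s+\S+\s+.*\((\S+)\)\s*$")

# CONSTRUCTED sample of two client messages (header layout is an assumption).
SAMPLE = """\
@@client#1|1169755625|192.0.2.50|web01|linux
[who]
alice    pts/0        2007-01-25 14:02 (192.0.2.10)
bob      pts/1        2007-01-25 14:03 (192.0.2.10)
@@
@@client#2|1169755630|192.0.2.51|db01|linux
[who]
carol    pts/0        2007-01-25 14:04 (192.0.2.10)
dave     pts/2        2007-01-25 13:00 (198.51.100.7)
erin     :0           2007-01-25 08:00 (:0)
@@
"""

def who_entries(lines):
    """Yield (client_host, who_line) from a stream of client messages."""
    host = section = None
    for raw in lines:
        line = raw.rstrip("\n")
        if line.startswith("@@client#"):
            fields = line.split("|")          # assumed: hostname is field 4
            host, section = (fields[3] if len(fields) > 3 else "unknown"), None
        elif line == "@@":                    # assumed end-of-message marker
            host = section = None
        elif host and line.startswith("[") and line.endswith("]"):
            section = line[1:-1]              # e.g. [who], [ports]
        elif host and section == "who":
            yield host, line

def suspicious_sources(lines, threshold=3):
    """Map source -> 'user@client' logins once distinct accounts >= threshold."""
    seen = defaultdict(set)
    for host, entry in who_entries(lines):
        m = WHO_LINE.match(entry)
        if m and not m.group(2).startswith(":"):   # skip local X displays
            seen[m.group(2)].add((m.group(1), host))
    return {src: sorted(f"{u}@{h}" for u, h in pairs)
            for src, pairs in seen.items()
            if len({u for u, _ in pairs}) >= threshold}

if __name__ == "__main__":   # reads a captured client stream on stdin until EOF
    for src, logins in suspicious_sources(sys.stdin).items():
        print(f"{src}: {', '.join(logins)}")
```

Because `who` lists current sessions, this flags one source address holding sessions under several accounts across clients; failed attempts would need log data that the `who` section does not carry.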

participants (2)
- henrik@hswn.dk
- jkwade@futurefrontiers.com