Security Monitoring

James B Horwath Jim_Horwath at glic.com
Fri Jan 26 15:30:00 CET 2007


> ----- Message from "James Wade" <jkwade at futurefrontiers.com> on Thu,
> 25 Jan 2007 14:07:05 -0600 -----
> 
> To: <hobbit at hswn.dk>
> Subject: Security Monitoring
> 
> Is anyone doing any security monitoring
> with Hobbit?
> 
> So, for example, monitoring to see if multiple login
> attempts are being made using different accounts,
> but all from the same IP address.
> 
> Thanks... James
> 
> 
> 
> ----- Message from henrik at hswn.dk (Henrik Stoerner) on Thu, 25 Jan 
> 2007 22:16:06 +0100 -----
> 
> To: hobbit at hswn.dk
> Subject: Re: [hobbit] Security Monitoring
> 
> On Thu, Jan 25, 2007 at 02:07:05PM -0600, James Wade wrote:
> > Is anyone doing any security monitoring with Hobbit?
> > 
> > So, for example, monitoring to see if multiple login
> > attempts are being made using different accounts,
> > but all from the same IP address.
> 
> It's not part of Hobbit. I guess it would be fairly easy to do with the
> client data, since it includes the "who" output. Writing a server-side 
> script which is fed all of the client data, and analyses the login data
> would probably be fairly easy for someone with a bit of Perl experience.
> 
> (You'd run a command like 
>     hobbitd_channel --channel=client myscript.pl
>  from hobbitlaunch.cfg. The "myscript.pl" program then gets all of the
>  client data, with each client message starting with "@@client#").
> 
> I use the "ports" status to check for unauthorized network services 
> running. Some of my co-admins weren't quite up to speed on what Hobbit
> could do, so they got a bit of a scare when I phoned them and started
> asking questions less than 5 minutes after they accidentally started an
> SNMP daemon on one of my servers.
> 
> 
> Regards,
> Henrik
> 

James:

Here is something I am in the process of doing.  There is a security 
scoring program available from CIS (The Center for Internet Security) 
http://www.cisecurity.org. They have free tools available for many popular 
flavors of Unix.  It would be fairly easy to run the tool, filter the 
output, and send said data to Hobbit.  I plan on doing this at some point 
in the future. 

Regards,
Jim
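
A sketch of the server-side script Henrik describes in the quoted reply, written in Python rather than Perl; it is an added example, not code from the thread or from the Hobbit project. It reads the client channel on stdin and reports any source address with several accounts logged in, using only the `who` data (current sessions, not failed attempts). Assumptions: the `@@client#seq|timestamp|sender|hostname|ostype` header layout, a lone `@@` line ending each message, `[who]`-style section headers, and the constructed sample data.

```python
import re
import sys
from collections import defaultdict
# Assumed `who` layout: user, tty, date/time, then "(remote-host)" for network logins.
WHO_LINE = re.compile(r"^(\S+)\s+\S+\s+.*\((\S+?)\)\s*$")
def parse_messages(lines):
    """Yield (hostname, {section: [lines]}) per message on the client channel."""
    host, sections, current = None, None, None
    for raw in lines:
        line = raw.rstrip("\n")
        if line.startswith("@@client#"):
            # Assumed header: @@client#seq|timestamp|sender|hostname|ostype
            fields = line.split("|")
            host = fields[3] if len(fields) > 3 else "unknown"
            sections, current = defaultdict(list), None
        elif sections is None:
            continue                      # noise outside a message
        elif line == "@@":                # assumed end-of-message marker
            yield host, sections
            sections = None
        elif line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current:
            sections[current].append(line)

def find_alerts(lines, threshold=3):
    """Return (host, source, accounts) where one source holds >= threshold accounts."""
    alerts = []
    for host, sections in parse_messages(lines):
        by_src = defaultdict(set)
        for line in sections["who"]:
            m = WHO_LINE.match(line)
            if m:                         # console logins have no "(host)" and are skipped
                by_src[m.group(2)].add(m.group(1))
        alerts += [(host, s, sorted(u)) for s, u in sorted(by_src.items()) if len(u) >= threshold]
    return alerts
# Constructed sample message (documentation addresses, invented host and users).
SAMPLE = """@@client#1|1169755800|192.0.2.1|web01|linux
[who]
root     tty1         2007-01-25 09:00
alice    pts/0        2007-01-25 14:01 (198.51.100.7)
bob      pts/1        2007-01-25 14:02 (198.51.100.7)
carol    pts/2        2007-01-25 14:03 (198.51.100.7)
dave     pts/3        2007-01-25 14:05 (192.0.2.44)
@@
"""
if __name__ == "__main__":
    for host, src, users in find_alerts(sys.stdin):
        print(f"{host}: {len(users)} accounts logged in from {src}: {', '.join(users)}")
```

Saved under the name from Henrik's command line, it would be launched as `hobbitd_channel --channel=client <script>` from hobbitlaunch.cfg.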

