<br><font size=2><tt>> ----- Message from "James Wade" <jkwade@futurefrontiers.com>
on Thu,<br>
> 25 Jan 2007 14:07:05 -0600 -----</tt></font>
<br><font size=2><tt>> <br>
> To:</tt></font>
<br><font size=2><tt>> <br>
> <hobbit@hswn.dk></tt></font>
<br><font size=2><tt>> <br>
> Subject:</tt></font>
<br><font size=2><tt>> <br>
> Security Monitoring</tt></font>
<br><font size=2><tt>> <br>
> Is anyone doing any security monitoring</tt></font>
<br><font size=2><tt>> with Hobbit?</tt></font>
<br><font size=2><tt>> </tt></font>
<br><font size=2><tt>> So, for example, monitoring to see if multiple
login</tt></font>
<br><font size=2><tt>> attempts are being made using different accounts,</tt></font>
<br><font size=2><tt>> but all from the same IP address.</tt></font>
<br><font size=2><tt>> </tt></font>
<br><font size=2><tt>> Thanks….James</tt></font>
<br><font size=2><tt>> </tt></font>
<br><font size=2><tt>> </tt></font>
<br><font size=2><tt>> <br>
> ----- Message from henrik@hswn.dk (Henrik Stoerner) on Thu, 25 Jan
<br>
> 2007 22:16:06 +0100 -----</tt></font>
<br><font size=2><tt>> <br>
> To:</tt></font>
<br><font size=2><tt>> <br>
> hobbit@hswn.dk</tt></font>
<br><font size=2><tt>> <br>
> Subject:</tt></font>
<br><font size=2><tt>> <br>
> Re: [hobbit] Security Monitoring</tt></font>
<br><font size=2><tt>> <br>
> On Thu, Jan 25, 2007 at 02:07:05PM -0600, James Wade wrote:<br>
> > Is anyone doing any security monitoring with Hobbit?<br>
> > <br>
> > So, for example, monitoring to see if multiple login<br>
> > attempts are being made using different accounts,<br>
> > but all from the same IP address.<br>
> <br>
> It's not part of Hobbit. I guess it would be fairly easy to do with
the<br>
> client data, since it includes the "who" output. Writing
a server-side <br>
> script which is fed all of the client data, and analyses the login
data<br>
> would probably be fairly easy for someone with a bit of Perl experience.<br>
> <br>
> (You'd run a command like <br>
> hobbitd_channel --channel=client myscript.pl<br>
> from hobbitlaunch.cfg. The "myscript.pl" program then
gets all of the<br>
> client data, with each client message starting with "@@client#").<br>
> <br>
> I use the "ports" status to check for unauthorized network
services <br>
> running. Some of my co-admins weren't quite up to speed on what Hobbit<br>
> could do, so they got a bit of a scare when I phoned them and started<br>
> asking questions less than 5 minutes after they accidentally started
an<br>
> SNMP daemon on one of my servers.<br>
> <br>
> <br>
> Regards,<br>
> Henrik<br>
> </tt></font>
<br>
<br><font size=2><tt>James:</tt></font>
<br>
<br><font size=2><tt>Here is something I am in the process of doing. There
is a security scoring program available from CIS (The Center for Internet
Security) http://www.cisecurity.org. They have free tools available for
many popular flavors of Unix. It would be fairly easy to run the
tool filter the output and send said data to Hobbit. I plan on doing
this at some point in the future. </tt></font>
<br>
<br><font size=2><tt>Regards,</tt></font>
<br><font size=2><tt>Jim</tt></font>
<P><hr size=1></P><br>
<P><STRONG><br>
This message, and any attachments to it, may contain information<br>
that is privileged, confidential, and exempt from disclosure under<br>
applicable law. If the reader of this message is not the intended<br>
recipient, you are notified that any use, dissemination,<br>
distribution, copying, or communication of this message is strictly<br>
prohibited. If you have received this message in error, please<br>
notify the sender immediately by return e-mail and delete the<br>
message and any attachments. Thank you.<br>
</STRONG></P>