[hobbit] Security Monitoring
Henrik Stoerner
henrik at hswn.dk
Thu Jan 25 22:16:06 CET 2007
On Thu, Jan 25, 2007 at 02:07:05PM -0600, James Wade wrote:
> Is anyone doing any security monitoring with Hobbit?
>
> So, for example, monitoring to see if multiple login
> attempts are being made using different accounts,
> but all from the same IP address.
It's not part of Hobbit. I guess it would be fairly easy to do with the
client data, since it includes the "who" output. Writing a server-side
script which is fed all of the client data, and analyses the login data
would probably be fairly easy for someone with a bit of Perl experience.
(You'd run a command like

    hobbitd_channel --channel=client myscript.pl

from hobbitlaunch.cfg. The "myscript.pl" program then gets all of the
client data, with each client message starting with "@@client#").

I use the "ports" status to check for unauthorized network services
running. Some of my co-admins weren't quite up to speed on what Hobbit
could do, so they got a bit of a scare when I phoned them and started
asking questions less than 5 minutes after they accidentally started an
SNMP daemon on one of my servers.

Regards,
Henrik
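
An added example (not part of the original post, and not Hobbit's own code) of the server-side script described above, written in Python rather than Perl: it reads the client channel stream on stdin and reports any source address that holds sessions under several different accounts in the "who" output. The message framing beyond "@@client#" (the "SEQ/HOST|..." header, the "[who]" section marker, the closing "@@" line) and the function names are assumptions, and the sample data is constructed.

```python
import re
import sys
from collections import defaultdict
# Constructed sample of the stream a channel worker might read on stdin.
# Assumed framing: "@@client#SEQ/HOST|..." header, "@@" alone ends a message.
SAMPLE = """\
@@client#1/web01|1169759766.1|10.0.0.5|web01|linux|linux
[who]
alice    pts/0        2007-01-25 21:58 (192.0.2.10)
bob      pts/1        2007-01-25 22:01 (192.0.2.10)
carol    pts/2        2007-01-25 22:03 (198.51.100.7)
root     tty1         2007-01-25 09:00
[ports]
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
@@
@@client#2/db01|1169759770.4|10.0.0.6|db01|linux|linux
[who]
dave     pts/0        2007-01-25 20:00 (192.0.2.10)
@@
"""

WHO_LINE = re.compile(r"^(\S+)\s+\S+\s+.*\((\S+?)\)\s*$")  # user ... (remote)

def who_entries(lines):
    """Yield (client_host, who_line) for every [who] line in the stream."""
    host, section = None, None
    for line in map(str.rstrip, lines):
        if line.startswith("@@client#"):
            host, section = line.partition("/")[2].split("|")[0], None
        elif line == "@@":
            host = None
        elif host is not None and line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif host is not None and section == "who":
            yield host, line

def shared_sources(lines, min_accounts=2):
    """Return {source: accounts} for sources seen with >= min_accounts users."""
    seen = defaultdict(set)
    for _host, entry in who_entries(lines):
        m = WHO_LINE.match(entry)
        if m and not m.group(2).startswith(":"):  # skip local/X11 sessions
            seen[m.group(2)].add(m.group(1))
    return {s: sorted(a) for s, a in seen.items() if len(a) >= min_accounts}

if __name__ == "__main__":
    stream = SAMPLE.splitlines() if sys.stdin.isatty() else sys.stdin
    for source, accounts in shared_sources(stream).items():
        print(f"{source}: {len(accounts)} accounts: {', '.join(accounts)}")
```

Because "who" lists sessions that are currently open, this catches several accounts in use from one address at the same time; failed login attempts do not appear in that output.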