Re: [hobbit] Security Monitoring
- To: hobbit (at) hswn.dk
- Subject: Re: [hobbit] Security Monitoring
- From: henrik (at) hswn.dk (Henrik Stoerner)
- Date: Thu, 25 Jan 2007 22:16:06 +0100
- References: <0c3b01c740bc$6617bed0$6b2fb8a5@txaccess.net>
- User-agent: Mutt/1.5.12-2006-07-14
On Thu, Jan 25, 2007 at 02:07:05PM -0600, James Wade wrote:
> Is anyone doing any security monitoring with Hobbit?
>
> So, for example, monitoring to see if multiple login
> attempts are being made using different accounts,
> but all from the same IP address.

It's not part of Hobbit. I guess it would be fairly easy to do with the
client data, since it includes the "who" output. Writing a server-side
script which is fed all of the client data, and analyses the login data
would probably be fairly easy for someone with a bit of Perl experience.
(You'd run a command like

    hobbitd_channel --channel=client myscript.pl

from hobbitlaunch.cfg. The "myscript.pl" program then gets all of the
client data, with each client message starting with "@@client#").

I use the "ports" status to check for unauthorized network services
running. Some of my co-admins weren't quite up to speed on what Hobbit
could do, so they got a bit of a scare when I phoned them and started
asking questions less than 5 minutes after they accidentally started an
SNMP daemon on one of my servers.

Regards,
Henrik
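
The server-side analysis described in the reply above, as an added example in Python rather than Perl (it is not code from the original post or from the Hobbit project): it reads the client channel stream and reports any source address holding sessions under several accounts across all reporting hosts. The header layout after "@@client#", the "[who]" section marker, the closing "@@" line, the function name `watch` and the threshold are assumptions; "who" lists established sessions, so this sees successful logins rather than failed attempts.

```python
import re
import sys
from collections import defaultdict
# Assumed layout (not given in the post): header "@@client#<seq>/<host>|...",
# sections introduced by "[name]" lines, a bare "@@" line closing each message.
HEADER = re.compile(r"^@@client#[^/|]*/([^|]+)\|")
WHO_LINE = re.compile(r"^(\S+)\s+.*\(([^)\s]+)\)\s*$")  # user ... (source)
SAMPLE = """\
@@client#1/web01|1169759766.1|192.0.2.50|web01|linux|linux
[who]
alice    pts/0   2007-01-25 21:50 (198.51.100.7)
bob      pts/1   2007-01-25 21:52 (198.51.100.7)
root     tty1    2007-01-25 09:00
@@
@@client#2/db01|1169759770.4|192.0.2.51|db01|linux|linux
[who]
carol    pts/0   2007-01-25 21:55 (198.51.100.7)
alice    pts/2   2007-01-25 20:00 (203.0.113.9)
@@
""".splitlines()  # constructed sample, not real client data

def watch(lines, threshold=3):
    """Yield (source, accounts) when a source holds sessions for >= threshold accounts."""
    snapshot, reported = {}, {}  # host -> latest {(user, source)}; source -> alerted set
    host = section = None
    for line in map(str.rstrip, lines):
        m = HEADER.match(line)
        if m:  # new client message replaces that host's previous snapshot
            host, section = m.group(1), None
            snapshot[host] = set()
        elif line.startswith("@@"):  # end of message: re-evaluate across all hosts
            by_src = defaultdict(set)
            for user, src in set().union(*snapshot.values()):
                by_src[src].add(user)
            for src, users in sorted(by_src.items()):
                if len(users) >= threshold and reported.get(src) != users:
                    reported[src] = users
                    yield src, sorted(users)
            host = section = None
        elif line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif host and section == "who":
            w = WHO_LINE.match(line)
            if w and not w.group(2).startswith(":"):  # skip local X displays such as (:0)
                snapshot[host].add((w.group(1), w.group(2)))

if __name__ == "__main__":  # stdin is the stream hobbitd_channel feeds the worker
    for src, users in watch(sys.stdin):
        print(f"{src}: sessions for accounts {', '.join(users)}", flush=True)
```

Each host's snapshot is replaced on every client message, so a session that has ended drops out at the next report, and a source is reported again only when its set of accounts changes.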