[Xymon] Tracking foreign ssh connections with PORT

Alessandro Tinivelli Alessandro.Tinivelli at faacgroup.com
Tue Jan 3 11:15:31 CET 2017


Hi all, I was trying to set up an alert when a server has established SSH connections with a "foreign" remote IP (i.e. not beginning with 192.168).
It seems to be working so I'm posting it; maybe it's useful for someone.
Any comment or correction will be appreciated.

P.S.: change the host name and the regex according to your IP addressing

HOST=host01
        PORT "LOCAL=%([.:]22)$" "REMOTE=%^(?!(192\.168)).+" state=ESTABLISHED MAX=0 COLOR=red TRACK=SSH_fconn "TEXT=SSH foreign connections"

P.P.S.: very useful site for composing regexp https://regex101.com/ :)
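
An added example, not part of the original post and not Xymon code: the rule's two regexes applied to constructed Linux `netstat -ant` lines, to see which connections would count toward MAX=0. It assumes the local address, remote address and state are the 4th to 6th columns and that the state is compared as an exact string.

```python
import re

# Patterns copied from the PORT rule in the post (Xymon's "%" prefix marks a regex).
LOCAL = re.compile(r"([.:]22)$")
REMOTE = re.compile(r"^(?!(192\.168)).+")
STATE = "ESTABLISHED"
MAX = 0

# Constructed sample of Linux `netstat -ant` output (not real data).
NETSTAT = """\
tcp   0  0 0.0.0.0:22               0.0.0.0:*                 LISTEN
tcp   0  0 192.168.1.5:22           192.168.1.77:50122        ESTABLISHED
tcp   0  0 192.168.1.5:22           203.0.113.9:41822         ESTABLISHED
tcp   0  0 192.168.1.5:2222         198.51.100.4:40000        ESTABLISHED
tcp   0  0 192.168.1.5:51000        198.51.100.4:22           ESTABLISHED
tcp   0  0 127.0.0.1:22             127.0.0.1:43210           ESTABLISHED
tcp6  0  0 ::ffff:192.168.1.5:22    ::ffff:192.168.1.77:50200 ESTABLISHED
tcp   0  0 192.168.1.5:22           203.0.113.9:41900         TIME_WAIT
"""

def foreign_ssh(netstat_text):
    """Return (local, remote) pairs that satisfy all three criteria of the rule."""
    hits = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        local, remote, state = fields[3], fields[4], fields[5]
        # All criteria must hold: local port 22, remote not 192.168*, state match.
        if LOCAL.search(local) and REMOTE.search(remote) and state == STATE:
            hits.append((local, remote))
    return hits

def color(netstat_text):
    """Red when the match count exceeds MAX, mirroring MAX=0 COLOR=red."""
    return "red" if len(foreign_ssh(netstat_text)) > MAX else "green"

if __name__ == "__main__":
    for local, remote in foreign_ssh(NETSTAT):
        print(f"{local:24} <- {remote}")
    print(color(NETSTAT))
```

On this sample the rule counts the 203.0.113.9 session, but also the loopback session and the IPv4-mapped `::ffff:192.168.1.77` peer, because neither remote string begins with 192.168. The outbound connection to remote port 22 is not counted, since only the local address is tested for port 22.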


