Re: Real Time monitoring/alerting utility..
On Wed, 25 Aug 2004, Michael Bellears wrote:
> We have a client who is wanting real-time notifications of FTP/SSH
> connections to their WebServer - Could this be achieved with a
> TCPWrappers script for those two services? Or is there a utility
> available that can do this?
>
> They will have a firewall sitting in front of the server, but would like
> a redundant notification system for these connections.
i'd say after 5 minutes of "real time notifications", they will
crawl back under the blue suit and stick to marketing/sales/projections
instead of webserver hardening :-)
- depending on your "real time notification" criteria,
your notifications can be 100% accurate that you have a problem
or that it's 99.99% false and wasting time and resources
monitoring whatever it's doing with those rules before notifying
- can you distinguish between "attempts" vs "they are in your box"
- can you distinguish "the local script kiddie" from the
malicious enemy
in cron .. ( every minute or every hr or every day or every month ?? )
grep sshd /var/log/messages ( or your fav files you monitor )
in the firewall ...
set the iptables rules for ssh connections to www
and create a "real time notification"
have iptables execute:
mail -s "intruder alert on $HOST" curious-person,baby-sitter <
"other supporting data"
donno about you, but after 1,000 or 5,000 attempts per hour, those
real-time notifications will become a more realistic criteria
instead of "any ftp/ssh" connections to the web server
- repeated attempts from the same ip#
- same attempts on other servers ( dns, web, mail, blah )
- or "only if they actually start doing something else
besides just scanning
- consider the 1,000 or 5,000 port scans ( ftp/ssh connections to www )
a free audit of your web server
- it tests the web server will support n-000 connection attempts
per second
- it tests that it's not susceptible to those ftp/ssh connections
- a serious flaw in your web server
-----------------------------------
- you should allow ssh into your web server from your network
- you should disallow ssh into your web server from outside
and especially not from un-controllable home networks
c ya
alvin
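An added example, not from Alvin's post or the list archive: a small POSIX shell script that does the cron/grep step described above but applies the post's own refinements (repeated attempts from one IP, and successful logins from outside your own network) instead of mailing on every connection. The log lines and the trusted-network prefix are constructed assumptions; in a real cron job you would feed it /var/log/messages or whichever file your syslog writes sshd entries to.

```shell
#!/bin/sh
# Threshold-based sshd alerting for a cron job (added example, not from the
# original post). Constructed sample log lines stand in for /var/log/messages.

SAMPLE_LOG='Aug 25 10:01:02 www sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 40110 ssh2
Aug 25 10:01:04 www sshd[1203]: Failed password for invalid user admin from 198.51.100.7 port 40112 ssh2
Aug 25 10:01:05 www sshd[1205]: Failed password for root from 198.51.100.7 port 40114 ssh2
Aug 25 10:02:11 www sshd[1220]: Accepted publickey for deploy from 192.0.2.10 port 51022 ssh2
Aug 25 10:03:30 www sshd[1230]: Failed password for root from 203.0.113.5 port 33000 ssh2'

# Read sshd log text on stdin; print "count ip" for every source IP with at
# least $1 failed attempts, most active first. POSIX grep/awk/sort only.
failed_ssh_by_ip() {
  grep 'sshd\[' | grep 'Failed password' \
    | awk -v min="$1" '
        { for (i = 1; i <= NF; i++) if ($i == "from") c[$(i+1)]++ }
        END { for (ip in c) if (c[ip] >= min) printf "%d %s\n", c[ip], ip }' \
    | sort -rn
}

# Successful logins from outside a trusted prefix (assumption: $1 is a
# dotted prefix such as "10.0.") are the "they are in your box" case.
accepted_ssh_outside() {
  grep 'sshd\[' | grep 'Accepted ' \
    | awk -v t="$1" '
        { for (i = 1; i <= NF; i++)
            if ($i == "from" && substr($(i+1), 1, length(t)) != t) print $(i+1) }'
}

# Cron usage: only page someone when a threshold is actually crossed.
alerts=$(printf '%s\n' "$SAMPLE_LOG" | failed_ssh_by_ip 3)
logins=$(printf '%s\n' "$SAMPLE_LOG" | accepted_ssh_outside "10.0.")
if [ -n "$alerts" ] || [ -n "$logins" ]; then
  printf 'Repeated failed ssh attempts:\n%s\nLogins from outside:\n%s\n' "$alerts" "$logins"
  # In cron, pipe this report into: mail -s "ssh alert on $(hostname)" admin
fi
```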