
Re: Real Time monitoring/alerting utility..
On Wed, 25 Aug 2004, Michael Bellears wrote:

> We have a client who is wanting real-time notifications of FTP/SSH
> connections to their WebServer - Could this be achieved with a
> TCPWrappers script for those two services? Or is there a utility
> available that can do this?
> 
> They will have a firewall sitting in front of the server, but would like
> a redundant notification system for these connections.

i'd say after 5 minutes of "real time notifications", they will
crawl back under the blue suit and stick to marketing/sales/projections
instead of webserver hardening :-)

	- depending on your "real time notification" criteria,
	your notifications can be 100% accurate that you have a problem
	or that it's 99.99% false and wasting time and resources
	monitoring whatever it's doing with those rules before notifying

	- can you distinguish between "attempts" vs "they are in your box"

	- can you distinguish "the local script kiddie" from the
	malicious enemy

in cron .. ( every minute or every hr or every day or every month ?? )
	grep sshd /var/log/messages ( or your fav files you monitor )


in the firewall ...
	set the iptables rules for ssh connections to www
	and create a "real time notification"

	have iptables execute:
  
	mail -s "intruder alert on $HOST" curious-person,baby-sitter < "other supporting data"

donno about you, but after 1,000 or 5,000 attempts per hour, those
real-time notifications will become a more realistic criterion
instead of "any ftp/ssh" connections to the web server

	- repeated attempts from the same ip#
	- same attempts on other servers ( dns, web, mail, blah )

	- or "only if they actually start doing something else
	besides just scanning"

- consider the 1,000 or 5,000 port scans ( ftp/ssh connections to www )
  a free audit of your web server
	- it tests the web server will support n-000 connection attempts
	per second

	- it tests that it's not susceptible to those ftp/ssh connections


- a serious flaw in your web server
-----------------------------------
	- you should allow ssh into your web server from your network

	- you should disallow ssh into your web server from outside
	and especially not from un-controllable home networks

c ya
alvin
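
The cron-and-grep check described above, with the "repeated attempts from the same ip#" threshold applied so that a single connection does not page anyone, as an added example that is not part of the original post. It assumes syslog-style sshd lines like those in /var/log/messages on a Linux host; the sample lines and addresses are constructed, and the script name in the cron comment is a placeholder.

```sh
#!/bin/sh
# Added example (not from the original post): count failed sshd logins per
# source address and only raise an alert once a source crosses a threshold.

# Constructed sample log lines (not real traffic); in cron this is replaced by
# the real log, e.g.  tail -n 2000 /var/log/messages
SAMPLE_LOG='Aug 25 10:01:02 www sshd[1201]: Failed password for root from 203.0.113.7 port 4122 ssh2
Aug 25 10:01:05 www sshd[1203]: Failed password for root from 203.0.113.7 port 4130 ssh2
Aug 25 10:01:09 www sshd[1205]: Failed password for invalid user admin from 203.0.113.7 port 4141 ssh2
Aug 25 10:02:11 www sshd[1210]: Accepted publickey for deploy from 192.0.2.10 port 50122 ssh2
Aug 25 10:03:44 www sshd[1220]: Failed password for root from 198.51.100.4 port 3300 ssh2
Aug 25 10:04:00 www sshd[1221]: Connection closed by 198.51.100.4 port 3300'

# Read log text on stdin; print "count ip" for each source with at least
# $1 failed sshd logins (default 3). Successful logins and disconnects are ignored.
offenders() {
    threshold="${1:-3}"
    grep 'sshd\[[0-9]*\]: Failed password' \
      | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
      | sort | uniq -c \
      | awk -v t="$threshold" '$1 >= t { print $1, $2 }'
}

# Build the message body for the mail command in the post; return 1 when
# nothing crossed the threshold so cron sends nothing.
alert_body() {
    body=$(offenders "$1")
    [ -n "$body" ] || return 1
    printf 'repeated failed ssh logins on %s (threshold %s):\n%s\n' \
        "$(uname -n)" "${1:-3}" "$body"
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | alert_body 3 || echo "nothing to report"

# Cron usage (placeholder path), every minute, mailing only when something trips:
# * * * * * body=$(tail -n 2000 /var/log/messages | sh /usr/local/bin/ssh-alert.sh) \
#           && printf '%s\n' "$body" | mail -s "intruder alert on $(uname -n)" admin
```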