On Wed, 25 Aug 2004, Michael Bellears wrote:

> We have a client who is wanting real-time notifications of FTP/SSH
> connections to their WebServer - Could this be achieved with a
> TCPWrappers script for those two services? Or is there a utility
> available that can do this?
> 
> They will have a firewall sitting in front of the server, but would like
> a redundant notification system for these connections.

i'd say after 5 minutes of "real time notifications", they will
crawl back under the blue suit and stick to marketing/sales/projections
instead of webserver hardening :-)

        - depending on your "real time notification" criteria,
        your notifications can be 100% accurate that you have a problem
        or that it's 99.99% false and wasting time and resources
        monitoring whatever it's doing with those rules before notifying

        - can you distinguish between "attempts" vs "they are in your box"

        - can you distinguish "the local script kiddie" from the
        malicious enemy

in cron .. ( every minute or every hr or every day or every month ?? )
        grep sshd /var/log/messages ( or your fav files you monitor )


in the firewall ...
        set the iptables rules for ssh connections to www
        and create a "real time notification"

        have iptables execute:
  
        mail -s "intruder alert on $HOST" curious-person,baby-sitter < 
                "other supporting data"

donno about you, but after 1,000 or 5,000 attempts per hour, those
real-time notifications will become a more realistic criteria
instead of "any ftp/ssh" connections to the web server

        - repeated attempts from the same ip#
        - same attempts on other servers ( dns, web, mail, blah )

        - or "only if they actually start doing something else
        besides just scanning"

- consider the 1,000 or 5,000 port scans ( ftp/ssh connections to www )
  a free audit of your web server
        - it tests the web server will support n-000 connection attempts
        per second

        - it tests that it's not susceptible to those ftp/ssh connections


- a serious flaw in your web server
-----------------------------------
        - you should allow ssh into your web server from your network

        - you should disallow ssh into your web server from outside
        and especially not from un-controllable home networks

c ya
alvin
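The cron-plus-grep approach alvin sketches, with the "repeated attempts from the same ip#" criterion applied so that single connections do not page anyone, as an added example that is not part of the original post. The log lines are constructed for the example (classic syslog/sshd and ftpd formats); the threshold value, the `notify` stub and the hostname are assumptions, and on a real host the script would read /var/log/messages (or whichever file is monitored) and `notify` would be replaced by the `mail -s` call from the post.

```shell
#!/bin/sh
# Threshold-based alerting over syslog-style sshd/ftpd lines.
# Added example, not code from the original post. Sample data below is
# constructed; the threshold (3) and the notify() stub are assumptions.

# Constructed sample log: one legitimate login, four failed root
# logins from one address, two ftpd connections from another.
SAMPLE_LOG='Aug 25 10:00:01 www sshd[1201]: Accepted publickey for admin from 192.0.2.10 port 51122 ssh2
Aug 25 10:00:05 www sshd[1202]: Failed password for root from 198.51.100.7 port 4000 ssh2
Aug 25 10:00:06 www sshd[1203]: Failed password for root from 198.51.100.7 port 4001 ssh2
Aug 25 10:00:08 www sshd[1204]: Failed password for root from 198.51.100.7 port 4002 ssh2
Aug 25 10:00:09 www ftpd[1300]: connection from 203.0.113.5
Aug 25 10:00:11 www sshd[1205]: Failed password for root from 198.51.100.7 port 4003 ssh2
Aug 25 10:00:15 www ftpd[1301]: connection from 203.0.113.5'

# count_by_ip LOGTEXT: prints "count ip" for every source address that
# sshd or ftpd logged, most active first. Only lines tagged with an
# sshd[pid] or ftpd[pid] prefix are considered, so unrelated syslog
# traffic that happens to contain "from <ip>" is ignored.
count_by_ip() {
    printf '%s\n' "$1" \
      | grep -E 'sshd\[[0-9]+\]|ftpd\[[0-9]+\]' \
      | grep -oE 'from [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' \
      | awk '{ c[$2]++ } END { for (ip in c) print c[ip], ip }' \
      | sort -rn
}

# noisy_ips LOGTEXT THRESHOLD: prints only the addresses seen at least
# THRESHOLD times, i.e. "repeated attempts from the same ip#" rather
# than "any ftp/ssh connection".
noisy_ips() {
    count_by_ip "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# attempts_for LOGTEXT IP: the count for one address (0 if absent).
attempts_for() {
    n=$(count_by_ip "$1" | awk -v i="$2" '$2 == i { print $1 }')
    printf '%s\n' "${n:-0}"
}

# Notification stub (assumption). On a real host this is where the
# post's  mail -s "intruder alert on $HOST" ...  call would go.
notify() {
    printf 'ALERT on %s: %s\n' "${HOSTNAME:-www}" "$1"
}

# Run once per cron invocation: alert on addresses over the threshold.
THRESHOLD=3
for ip in $(noisy_ips "$SAMPLE_LOG" "$THRESHOLD"); do
    notify "$ip made $(attempts_for "$SAMPLE_LOG" "$ip") ssh/ftp attempts"
done
```

Run from cron at whatever interval is tolerable; raising THRESHOLD or adding a second input (the same address hitting dns/mail hosts, as the post suggests) is what turns "every connection" into a notification someone will actually read.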

