
Howto monitor system security - FreeBSD


  1. #1

    Howto monitor system security

    Sorry, it is a rather generic message, but the problem is generic as
    well.

    I am running my FreeBSD machine on DMZ. I use ipfw and I expose http
    and smtp ports. I also expose sshd port, but only to a trusted
    network (work). I'd like to know what is the best way to monitor my
    machine security.

    FreeBSD security email is rather annoying, because it keeps sending
    messages even if nothing has changed. I need an email sent to me only
    if there is something abnormal.

    For example, I'd like to know if there is a significant change in
    network activity. My mailserver might be hijacked and is sending
    spam.

    I am running snort, but most of the time it simply reports MySQL worm
    attempts.

    Is there a log to see messages sent by sendmail?

    Sergei Guest

  2. #2

    Re: Howto monitor system security

    On Sun, Mar 13, 2005 at 09:58:41PM +0000, Sergei Gnezdov wrote: 

    What happens when someone breaks in and disables it from sending email?

    Think of it as a kind of heartbeat.

    <snip>
     

    --
    I sense much NT in you.
    NT leads to Bluescreen.
    Bluescreen leads to downtime.
    Downtime leads to suffering.
    NT is the path to the darkside.
    Powerful Unix is.

    Public Key: ftp://ftp.tallye.com/pub/lorenl_pubkey.asc
    Fingerprint: CEE1 AAE2 F66C 59B5 34CA C415 6D35 E847 0118 A3D2



    Loren Guest

  3. #3

    Re: Howto monitor system security

    Sergei,

    As one of the other responses points out, it's possible that it would be
    too late by the time a monitoring system was able to send an email to you.

    One way to partly mitigate that risk is by having your logs forwarded to
    another system, and having the analysis run from that machine. You still
    run the risk of the attacker stopping the logs from being forwarded, but
    you will likely get *some* notice that something is wrong.

    There are many tools that will send alerts to you, but very few that will
    work "out of the box", without some level of tuning. There is a
    collection of them here:
    http://www.syslog.org/Web_Links+index-req-viewlink-cid-4.phtml and here:
    http://www.syslog.org/Web_Links+index-req-viewlink-cid-19.phtml
     

    If you have portaudit installed, the daily security emails will include a
    section on vulnerable ports (software, not network) installed. This is
    really helpful, as it's hard to keep up with the latest vulnerabilities in
    all the software that a given system has to run. I think there tends to
    be a lag between the announcement of the vulnerability and portaudit
    knowing about it, though. Staying subscribed to the security lists for
    those applications you run is still a good idea.

    Jerry
    http://www.syslog.org

    Jerry Guest

  4. #4

    Re: Howto monitor system security

    [...] 
    >
    > What happens when someone breaks in and disables it from sending email?
    >
    > Think of it as a kind of heartbeat.

    Well, different minds work differently, but for me it adds vastly to
    the noise level.
    If everything is normal, I get a mail. If there is something wrong, I
    get a mail. A different one, for sure, but I have to actually read it
    to know.
    If I only get a mail in a special case, I am much more inclined to
    read it than if I get a mail every day for 300 days and on the 301st
    there is a mail with a warning. I've stopped paying attention long
    before that.

    Just my thoughts....

    Helge
    h Guest
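    As an added example (not code from any of the posters), a small POSIX sh filter in the spirit of #1, #3 and #4: run against the maillog copy forwarded to a second host, it prints a report and exits 1 only when something is abnormal, so a quiet day sends nothing. The ignore patterns, the recipient limit and the sample sendmail log lines are all constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: a logcheck-style pass over a
# sendmail maillog (ideally the copy forwarded to another host, as #3
# suggests). Patterns, threshold and log lines are constructed, not defaults.

# Constructed sample in FreeBSD /var/log/maillog format (sm-mta lines).
SAMPLE_LOG='Mar 14 02:10:01 dmz sm-mta[812]: j2E2A1xx000812: from=<alice@example.org>, size=1203, nrcpts=1, relay=work.example.org [192.0.2.10]
Mar 14 02:10:02 dmz sm-mta[812]: j2E2A1xx000812: to=<bob@example.net>, delay=00:00:01, stat=Sent
Mar 14 02:11:15 dmz sm-mta[830]: j2E2BFxx000830: ruleset=check_rcpt, arg1=<x@example.com>, relay=[198.51.100.7], reject=550 5.7.1 Relaying denied
Mar 14 02:12:00 dmz sm-mta[845]: j2E2C0xx000845: from=<www@dmz>, size=88211, nrcpts=40, relay=www@localhost
Mar 14 02:12:05 dmz sm-mta[845]: j2E2C0xx000845: to=<u1@example.net>, delay=00:00:05, stat=Deferred: 450 4.7.1 Greylisted'

# Known-benign patterns (one grep BRE per line), dropped before reporting.
IGNORE_PATTERNS=': from=<
stat=Sent$
Relaying denied$'

# Sum the nrcpts= field over accepted messages: a sudden jump is what a
# hijacked relay pumping out spam (#1) looks like in the maillog.
total_recipients() {
    printf '%s\n' "$1" | sed -n 's/.*nrcpts=\([0-9]*\).*/\1/p' | awk '{ s += $1 } END { print s + 0 }'
}

# Print every line that matches none of the ignore patterns.
unexpected_lines() {
    _log=$1
    set --
    while IFS= read -r _pat; do set -- "$@" -e "$_pat"; done <<EOF
$IGNORE_PATTERNS
EOF
    printf '%s\n' "$_log" | grep -v "$@" || true   # everything filtered = quiet day
}

# Exit 0 silently when all is normal; exit 1 with a report otherwise (#4).
check_maillog() {
    _total=$(total_recipients "$1")
    _odd=$(unexpected_lines "$1")
    _rc=0
    if [ "$_total" -gt "$2" ]; then
        printf 'ALERT: %s recipients in this window (limit %s); check for an open or hijacked relay\n' "$_total" "$2"
        _rc=1
    fi
    if [ -n "$_odd" ]; then
        printf 'Unexpected maillog lines:\n%s\n' "$_odd"
        _rc=1
    fi
    return "$_rc"
}

# Stand-alone run; from cron, capture the output and mail it only on exit 1.
check_maillog "$SAMPLE_LOG" 20 || echo "(exit $?: the only case that should generate mail)"
```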

  5. #5

    Re: Howto monitor system security

    On 2005-03-14, Jerry Bell <com> wrote: 

    I see lots of log analyzer tools. Which one is a good choice?


    Sergei Guest

  6. #6

    Re: Howto monitor system security

    I've recently started using devialog (http://devialog.sourceforge.net/),
    which is pretty good at sending exceptions to you.

    Examlog (http://examlog.sourceforge.net/index.php) is by far the most
    popular that I've seen, but I have not had a chance to try it on FreeBSD.

    Lire (http://logreport.org/lire/) is a good all-around choice - it has
    built in recognition for many different types of logs, but I found it a
    bit hard to use. If you are comfortable with it, I'd try this one.

    I've heard of several companies that have part of the security monitoring
    built around logwatch (http://www2.logwatch.org:81/), but it takes a good
    amount of customizing to get it to where it's really useful.

    Jerry
    http://www.syslog.org

     
    >
    > I see lots of log analyzer tools. Which one is a good choice?
    >


    Jerry Guest

  7. #7

    Re: Howto monitor system security

    Sergei Gnezdov wrote:
     
    >
    >I see lots of log analyzer tools. Which one is a good choice?
    >
    /usr/ports/security/logcheck works for me fine.

    --
    T.M.Suleymanov
    az

    .............................................
    crypto anarchy, encryption, digital money,
    anonymous networks, digital pseudonyms, zero
    knowledge, counterculture, information markets,
    black markets, collapse of governments.

    Tofik Guest
