Re: Howto monitor system security

2005-04-14 Thread Loren M. Lang
On Mon, Mar 14, 2005 at 10:30:02AM +0100, h p wrote:
 [...]
   FreeBSD security email is rather annoying, because it keeps sending
   messages even if nothing has changed.  I need an email sent to me only
   if there is something abnormal.
 
  What happens when someone breaks in and disables it from sending email?
 
  Think of it as a kind of heartbeat.
 
 Well, different minds work differently, but for me it adds vastly to
 the noise level.
 If everything is normal, I get a mail. If there is something wrong, I
 get a mail. A different one, for sure, but I have to actually read it
 to know.
 If I only get a mail in a special case, I am much more inclined to
 read it than if I get a mail every day for 300 days and on the 301st
 there is a mail with a warning. I've stopped paying attention long
 before that.
 
 Just my thoughts

But what if that email never comes...

 
 Helge
 ___
 freebsd-questions@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/freebsd-questions
 To unsubscribe, send any mail to [EMAIL PROTECTED]

-- 
I sense much NT in you.
NT leads to Bluescreen.
Bluescreen leads to downtime.
Downtime leads to suffering.
NT is the path to the darkside.
Powerful Unix is.

Public Key: ftp://ftp.tallye.com/pub/lorenl_pubkey.asc
Fingerprint: CEE1 AAE2 F66C 59B5 34CA  C415 6D35 E847 0118 A3D2
 




Re: Howto monitor system security

2005-03-18 Thread Tofik Suleymanov
Sergei Gnezdov wrote:
On 2005-03-14, Jerry Bell [EMAIL PROTECTED] wrote:
 

There are many tools that will send alerts to you, but very few that will
work out of the box, without some level of tuning.  There is a
collection of them here:
http://www.syslog.org/Web_Links+index-req-viewlink-cid-4.phtml and here:
http://www.syslog.org/Web_Links+index-req-viewlink-cid-19.phtml
   

I see lots of log analyzer tools.  Which one is a good choice?
 

/usr/ports/security/logcheck works for me fine.
--
T.M.Suleymanov
[EMAIL PROTECTED]

crypto anarchy, encryption, digital money,  
anonymous networks, digital pseudonyms, zero
knowledge, counterculture, information markets, 
black markets, collapse of governments.

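The logcheck approach Tofik recommends is to keep a list of patterns for routine events and report only the lines that match none of them, so on a quiet day the mail is empty and can be skipped. The script below is an added illustration of that filtering logic, written for this page; it is not logcheck's own code and not from the thread. The log lines, host name "dmz", addresses and the ignore/alert patterns are all constructed for the example; the patterns you would ship in production come from your own logs.

```python
import re

# Constructed sample of /var/log/messages and /var/log/auth.log lines for a
# FreeBSD host called "dmz"; these are not real log data.
SAMPLE_LOG = """\
Mar 14 03:01:00 dmz newsyslog[812]: logfile turned over
Mar 14 03:15:22 dmz sshd[901]: Accepted publickey for sergei from 10.1.2.3 port 51022 ssh2
Mar 14 03:16:07 dmz sshd[933]: Failed password for root from 203.0.113.9 port 4411 ssh2
Mar 14 03:16:09 dmz sshd[933]: Failed password for root from 203.0.113.9 port 4411 ssh2
Mar 14 03:20:41 dmz sm-mta[950]: j2E3Kf001950: from=<bob@example.org>, size=1234, class=0, nrcpts=1, proto=ESMTP, relay=mail.example.org [192.0.2.7]
Mar 14 03:30:00 dmz cron[1001]: (root) CMD (/usr/libexec/atrun)
Mar 14 03:45:13 dmz kernel: ipfw: 1000 Deny TCP 198.51.100.4:3306 10.0.0.5:3306 in via fxp0
Mar 14 04:02:55 dmz su: BAD SU sergei to root on /dev/ttyp0
"""

# Patterns for routine, expected events (assumed for the sample). Anything that
# matches none of these is reported. Keep them specific: a broad pattern such
# as ".*sshd.*" would also hide the failed root logins we want to see.
IGNORE_PATTERNS = [
    r"newsyslog\[\d+\]: logfile turned over$",
    r"sshd\[\d+\]: Accepted publickey for \w+ from 10\.1\.2\.\d+ port \d+ ssh2$",
    r"cron\[\d+\]: \(\w+\) CMD \(.*\)$",
    r"sm-mta\[\d+\]: \w+: from=<[^>]+>, size=\d+, class=\d+, nrcpts=\d+, proto=E?SMTP, relay=",
]

# Patterns that are always reported, checked before the ignore list.
ALERT_PATTERNS = [
    r"BAD SU",
    r"Failed password for root",
]


def classify(lines, ignore=IGNORE_PATTERNS, alert=ALERT_PATTERNS):
    """Return (alerts, unexpected): lines matching an alert pattern, and lines
    matching nothing in the ignore list. A line that matches an ignore pattern
    and no alert pattern is dropped, so a quiet day produces nothing."""
    ignore_re = [re.compile(p) for p in ignore]
    alert_re = [re.compile(p) for p in alert]
    alerts, unexpected = [], []
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        if any(r.search(line) for r in alert_re):
            alerts.append(line)
        elif not any(r.search(line) for r in ignore_re):
            unexpected.append(line)
    return alerts, unexpected


def report(lines):
    """Build the mail body. Returns '' when there is nothing to say, so the
    caller can skip sending mail entirely, which is what the poster asked for."""
    alerts, unexpected = classify(lines)
    parts = []
    if alerts:
        parts.append("Security violations:\n" + "\n".join(alerts))
    if unexpected:
        parts.append("Unusual system events:\n" + "\n".join(unexpected))
    return "\n\n".join(parts)


if __name__ == "__main__":
    body = report(SAMPLE_LOG.splitlines())
    print(body if body else "nothing to report")
```

Run against the sample this reports the two failed root logins and the bad su as violations and the ipfw deny as an unexpected event; the rotation, the accepted key login, the cron job and the ordinary sendmail line are dropped. The ignore list is where all the tuning Jerry mentions happens: every pattern you add is a class of event you have decided never to look at again, so add them one at a time and keep them narrow.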


Re: Howto monitor system security

2005-03-16 Thread Jerry Bell
I've recently started using devialog (http://devialog.sourceforge.net/),
which is pretty good at sending exceptions to you.

Examlog (http://examlog.sourceforge.net/index.php) is by far the most
popular that I've seen, but I have not had a chance to try it on FreeBSD.

Lire (http://logreport.org/lire/) is a good all-around choice - it has
built in recognition for many different types of logs, but I found it a
bit hard to use.  If you are comfortable with it, I'd try this one.

I've heard of several companies that have part of the security monitoring
built around logwatch (http://www2.logwatch.org:81/), but it takes a good
amount of customizing to get it to where it's really useful.

Jerry
http://www.syslog.org


 On 2005-03-14, Jerry Bell [EMAIL PROTECTED] wrote:
 There are many tools that will send alerts to you, but very few that
 will
 work out of the box, without some level of tuning.  There is a
 collection of them here:
 http://www.syslog.org/Web_Links+index-req-viewlink-cid-4.phtml and here:
 http://www.syslog.org/Web_Links+index-req-viewlink-cid-19.phtml

 I see lots of log analyzer tools.  Which one is a good choice?







Re: Howto monitor system security

2005-03-15 Thread Sergei Gnezdov
On 2005-03-14, Jerry Bell [EMAIL PROTECTED] wrote:
 There are many tools that will send alerts to you, but very few that will
 work out of the box, without some level of tuning.  There is a
 collection of them here:
 http://www.syslog.org/Web_Links+index-req-viewlink-cid-4.phtml and here:
 http://www.syslog.org/Web_Links+index-req-viewlink-cid-19.phtml

I see lots of log analyzer tools.  Which one is a good choice?




Re: Howto monitor system security

2005-03-14 Thread h p
[...]
  FreeBSD security email is rather annoying, because it keeps sending
  messages even if nothing has changed.  I need an email sent to me only
  if there is something abnormal.

 What happens when someone breaks in and disables it from sending email?

 Think of it as a kind of heartbeat.

Well, different minds work differently, but for me it adds vastly to
the noise level.
If everything is normal, I get a mail. If there is something wrong, I
get a mail. A different one, for sure, but I have to actually read it
to know.
If I only get a mail in a special case, I am much more inclined to
read it than if I get a mail every day for 300 days and on the 301st
there is a mail with a warning. I've stopped paying attention long
before that.

Just my thoughts

Helge


Howto monitor system security

2005-03-13 Thread Sergei Gnezdov
Sorry, it is a rather generic message, but the problem is as generic as
well.

I am running my FreeBSD machine on DMZ.  I use ipfw and I expose http
and smtp ports.  I also expose sshd port, but only to a trusted
network (work).  I'd like to know what is the best way to monitor my
machine security.

FreeBSD security email is rather annoying, because it keeps sending
messages even if nothing has changed.  I need an email sent to me only
if there is something abnormal.

For example, I'd like to know if there is a significant change in
network activity.  My mailserver might be hijacked and is sending
spam.

I am running snort, but most of the time it simply reports MySQL worm
attempts.

Is there a log to see messages sent by sendmail?

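On a default FreeBSD install sendmail logs through syslog to /var/log/maillog, and each accepted message leaves a "from=<...>, ..., nrcpts=N" line keyed by queue id. That is enough to answer the "is my mail server sending spam" question from the post without any IDS: sum recipients per sender per hour and alert when an hour is far above normal. The script below is an added example written for this page, not code from the thread; the maillog excerpt, host and address names are constructed, and the 100-recipients-per-hour threshold is an assumption you would replace with a figure taken from a few weeks of your own log.

```python
import re
from collections import Counter

# Constructed /var/log/maillog excerpt in sendmail's from=/to= format. The
# burst from "www" on the 14th is the kind of hijack the poster worries about;
# the other lines are normal traffic. Not real log data.
SAMPLE_MAILLOG = """\
Mar 13 10:02:11 dmz sm-mta[2201]: j2DA2B002201: from=<sergei@example.net>, size=800, class=0, nrcpts=1, msgid=<a@dmz>, proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]
Mar 13 10:02:12 dmz sm-mta[2202]: j2DA2B002201: to=<alice@example.org>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=30800, relay=mx.example.org. [192.0.2.10], dsn=2.0.0, stat=Sent (ok)
Mar 13 15:40:03 dmz sm-mta[2310]: j2DFe3002310: from=<sergei@example.net>, size=1200, class=0, nrcpts=2, msgid=<b@dmz>, proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]
Mar 13 15:40:04 dmz sm-mta[2311]: j2DFe3002310: to=<bob@example.org>,<carol@example.org>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=31200, relay=mx.example.org. [192.0.2.10], dsn=2.0.0, stat=Sent (ok)
Mar 14 02:11:40 dmz sm-mta[3001]: j2E2Be003001: from=<www@dmz.example.net>, size=2100, class=0, nrcpts=50, msgid=<c@dmz>, proto=ESMTP, daemon=MTA, relay=www [10.0.0.5]
Mar 14 02:11:41 dmz sm-mta[3002]: j2E2Be003001: to=<v1@example.com>,<v2@example.com>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=32100, relay=mx.example.com. [198.51.100.20], dsn=2.0.0, stat=Sent (ok)
Mar 14 02:12:03 dmz sm-mta[3005]: j2E2C3003005: from=<www@dmz.example.net>, size=2100, class=0, nrcpts=50, msgid=<d@dmz>, proto=ESMTP, daemon=MTA, relay=www [10.0.0.5]
Mar 14 02:12:30 dmz sm-mta[3009]: j2E2CU003009: from=<www@dmz.example.net>, size=2100, class=0, nrcpts=50, msgid=<e@dmz>, proto=ESMTP, daemon=MTA, relay=www [10.0.0.5]
"""

# Matches the "from=" record of an accepted message and pulls out the hour,
# the envelope sender and the recipient count.
FROM_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<hour>\d\d):\d\d:\d\d \S+ "
    r"(?:sm-mta|sendmail)\[\d+\]: (?P<qid>\w+): from=<(?P<sender>[^>]*)>, "
    r".*?nrcpts=(?P<nrcpts>\d+)"
)


def recipients_per_hour(lines):
    """Sum nrcpts of every accepted message, keyed by (sender, 'Mon DD HH').
    Counting recipients rather than messages catches a bot that sends a few
    messages each addressed to dozens of people."""
    counts = Counter()
    for line in lines:
        m = FROM_RE.match(line)
        if not m:
            continue
        bucket = f"{m['mon']} {m['day']} {m['hour']}"
        counts[(m["sender"], bucket)] += int(m["nrcpts"])
    return counts


def spikes(lines, threshold=100):
    """Sorted (sender, hour, recipients) tuples for hours in which one sender
    exceeded `threshold` recipients. The default is an assumption for the
    sample, not a recommendation."""
    counts = recipients_per_hour(lines)
    return sorted((s, h, n) for (s, h), n in counts.items() if n > threshold)


if __name__ == "__main__":
    for sender, hour, n in spikes(SAMPLE_MAILLOG.splitlines()):
        print(f"ALERT: {sender} queued {n} recipients during {hour}:00")
```

Run from cron against the last rotation of maillog, this only produces output when a sender crosses the threshold, which is the "mail me only when something is abnormal" behaviour the post asks for. Note that it keys on the envelope sender, which a compromised web application can set freely; if the www host is the worry, also bucket by the relay= field.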


Re: Howto monitor system security

2005-03-13 Thread Loren M. Lang
On Sun, Mar 13, 2005 at 09:58:41PM +, Sergei Gnezdov wrote:
  Sorry, it is a rather generic message, but the problem is as generic as
  well.
 
 I am running my FreeBSD machine on DMZ.  I use ipfw and I expose http
 and smtp ports.  I also expose sshd port, but only to a trusted
 network (work).  I'd like to know what is the best way to monitor my
 machine security.
 
  FreeBSD security email is rather annoying, because it keeps sending
 messages even if nothing has changed.  I need an email sent to me only
 if there is something abnormal.

What happens when someone breaks in and disables it from sending email?

Think of it as a kind of heartbeat.

snip

 

-- 
I sense much NT in you.
NT leads to Bluescreen.
Bluescreen leads to downtime.
Downtime leads to suffering.
NT is the path to the darkside.
Powerful Unix is.

Public Key: ftp://ftp.tallye.com/pub/lorenl_pubkey.asc
Fingerprint: CEE1 AAE2 F66C 59B5 34CA  C415 6D35 E847 0118 A3D2
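Loren's point is that the daily security mail is a dead-man's switch: the alert condition is the mail not arriving, and that check can only be made somewhere the attacker has not reached. The script below is an added example for this page, not code from the thread or from FreeBSD. It assumes the daily "<hostname> security run output" mails are delivered to a mailbox on a separate host and parsed from there; the three sample messages, the host names and the 26-hour grace period are constructed for the example.

```python
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: headers of daily security mails as collected on the
# monitoring host. periodic(8) puts the sending hostname at the start of the
# Subject line, which is what we key on. Not real messages.
SAMPLE_MAILBOX = [
    """From: root@dmz.example.net
Date: Sat, 12 Mar 2005 03:01:10 +0000
Subject: dmz.example.net security run output

Checking setuid files and devices:
""",
    """From: root@dmz.example.net
Date: Sun, 13 Mar 2005 03:01:12 +0000
Subject: dmz.example.net security run output

Checking setuid files and devices:
""",
    """From: root@www.example.net
Date: Mon, 14 Mar 2005 03:00:58 +0000
Subject: www.example.net security run output

Checking setuid files and devices:
""",
]


def last_heartbeat(messages, marker=" security run output"):
    """Map host -> time of the most recent daily security mail from it."""
    seen = {}
    for raw in messages:
        msg = message_from_string(raw)
        subject = msg.get("Subject", "")
        if not subject.endswith(marker):
            continue
        host = subject[: -len(marker)].strip()
        when = parsedate_to_datetime(msg["Date"])
        if host not in seen or when > seen[host]:
            seen[host] = when
    return seen


def overdue_hosts(expected_hosts, messages, now, max_age=timedelta(hours=26)):
    """Hosts from which no security mail has arrived within max_age, as
    (host, last_seen) pairs. A host that has never reported is overdue too:
    silence is the signal. The host list is yours, not derived from the mail,
    so a machine that stops sending cannot silently drop out of the check."""
    seen = last_heartbeat(messages)
    late = []
    for host in sorted(expected_hosts):
        last = seen.get(host)
        if last is None or now - last > max_age:
            late.append((host, last))
    return late


if __name__ == "__main__":
    now = datetime(2005, 3, 14, 9, 0, tzinfo=timezone.utc)
    for host, last in overdue_hosts({"dmz.example.net", "www.example.net"}, SAMPLE_MAILBOX, now):
        print(f"ALERT: no security mail from {host} since {last or 'never'}")
```

With the sample data and a clock at 09:00 on the 14th, www reported six hours ago and is fine; dmz last reported on the 13th, about 30 hours ago, and is flagged. This gives Helge what he asked for (mail only when something is wrong) without giving up what Loren wants: the daily mails still flow, they are just consumed by a script rather than read by a person.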
 




Re: Howto monitor system security

2005-03-13 Thread Jerry Bell
Sergei,

As one of the other responses points out, it's possible that it would be
too late by the time a monitoring system was able to send an email to you.

One way to partly mitigate that risk is by having your logs forwarded to
another system, and having the analysis run from that machine.  You still
run the risk of the attacker stopping the logs from being forwarded, but
you will likely get *some* notice that something is wrong.

There are many tools that will send alerts to you, but very few that will
work out of the box, without some level of tuning.  There is a
collection of them here:
http://www.syslog.org/Web_Links+index-req-viewlink-cid-4.phtml and here:
http://www.syslog.org/Web_Links+index-req-viewlink-cid-19.phtml

 I am running my FreeBSD machine on DMZ.  I use ipfw and I expose http
 and smtp ports.  I also expose sshd port, but only to a trusted
 network (work).  I'd like to know what is the best way to monitor my
 machine security.

  FreeBSD security email is rather annoying, because it keeps sending
 messages even if nothing has changed.  I need an email sent to me only
 if there is something abnormal.


If you have portaudit installed, the daily security emails will include a
section on vulnerable ports (software, not network) installed.  This is
really helpful, as it's hard to keep up with the latest vulnerabilities in
all the software that a given system has to run.  I think there tends to
be a lag between the announcement of the vulnerability and portaudit
knowing about it, though.  Staying subscribed to the security lists for
those applications you run is still a good idea.

Jerry
http://www.syslog.org
