Date: Sun, 13 Mar 2005 23:04:07 -0500 (EST) From: "Jerry Bell" <jbell@stelesys.com> To: sgnezdov@sergei.homeunix.org Cc: freebsd-questions@freebsd.org Subject: Re: Howto monitor system security Message-ID: <4557.24.98.86.57.1110773047.squirrel@24.98.86.57> In-Reply-To: <slrnd39e2s.1gru.use-reply-to@sergei.homeunix.org> References: <slrnd39e2s.1gru.use-reply-to@sergei.homeunix.org>
next in thread | previous in thread | raw e-mail | index | archive | help
Sergei, As one of the other responses points out, it's possible that it would be too late by the time a monitoring system was able to send an email to you. One way to partly mitigate that risk is by having your logs forwarded to another system, and having the analysis run from that machine. You still run the risk of the attacker stopping the logs from being forwarded, but you will likely get *some* notice that something is wrong. There are many tools that will send alerts to you, but very few that will work "out of the box", without some level of tuning. There is a collection of them here: http://www.syslog.org/Web_Links+index-req-viewlink-cid-4.phtml and here: http://www.syslog.org/Web_Links+index-req-viewlink-cid-19.phtml > I am running my FreeBSD machine on DMZ. I use ipfw and I expose http > and smtp ports. I also expose sshd port, but only to a trusted > network (work). I'd like to know what is the best way to monitor my > machine security. > > FreeBSD security email is rather anoying, because it keeps sending > messages even if nothing has changed. I need an email sent to me only > if there is something abnormal. > If you have portaudit installed, the daily security emails will include a section on vulnerable ports (software, not network) installed. This is really helpful, as it's hard to keep up with the latest vulnerabilities in all the software that a given system has to run. I think there tends to be a lag between the announcement of the vulnerability and portaudit knowing about it, though. Staying subscribed to the security lists for those applications you run is still a good idea. Jerry http://www.syslog.org
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4557.24.98.86.57.1110773047.squirrel>