Howto monitor system security
jbell at stelesys.com
Sun Mar 13 20:04:08 PST 2005
As one of the other responses points out, it's possible that it would be
too late by the time a monitoring system was able to send an email to you.
One way to partly mitigate that risk is by having your logs forwarded to
another system, and having the analysis run from that machine. You still
run the risk of the attacker stopping the logs from being forwarded, but
you will likely get *some* notice that something is wrong.
There are many tools that will send alerts to you, but very few that will
work "out of the box", without some level of tuning. There is a
collection of them here:
http://www.syslog.org/Web_Links+index-req-viewlink-cid-4.phtml and here:
> I am running my FreeBSD machine on DMZ. I use ipfw and I expose http
> and smtp ports. I also expose sshd port, but only to a trusted
> network (work). I'd like to know what is the best way to monitor my
> machine security.
> FreeBSD security email is rather anoying, because it keeps sending
> messages even if nothing has changed. I need an email sent to me only
> if there is something abnormal.
If you have portaudit installed, the daily security emails will include a
section on vulnerable ports (software, not network) installed. This is
really helpful, as it's hard to keep up with the latest vulnerabilities in
all the software that a given system has to run. I think there tends to
be a lag between the announcement of the vulnerability and portaudit
knowing about it, though. Staying subscribed to the security lists for
those applications you run is still a good idea.
More information about the freebsd-questions