[ale] What's this guy doing?

UnderGrid Founder undrgrid at undergrid.net
Mon Apr 12 22:21:26 EDT 1999


Nick Lucent decided to waste my bandwidth saying:
> On Mon, 12 Apr 1999, Glenn R. Stone wrote:
>
> kind of related in an offtopic sort of way, I found a pretty spiffy
> program that scans your logs for odd activity then mails you the results.
> If any of you want to check it out you can get it from www.psionic.com.
> But be forewarned that it can be a bit of a pain by default because it
> mails you all kinds of crap that you don't care about (pppd dialing etc)
> so you will probably want to tweak it a bit.
>
	I believe you are talking about Logcheck by Craig Rowland as part of
the Abacus Project suite. I can speak from experience and say that yes by
default it will email you a lot unless you tweak the exceptions that it looks
for. This in itself is not good for monitoring your system; however used with
PortSentry it can take action as well as notify you of intrusion attempts such
as port scans. Craig's latest project is HostSentry which I've beta tested.
HostSentry actually monitors the logins to the machine, prolly best if I just
quote his documentation:

Introduction
=-=-=-=-=-=-

HostSentry is a host based intrusion detection tool that operates on the
principle of Login Anomaly Detection (LAD), or what I sometimes call login
cross-correlation.

What HostSentry does.
=-=-=-=-=-=-=--=-=-=-

HostSentry will react to login/logout activity and process them with any
number of login or logout modules. These modules are written
to detect a problem and report it. When a problem is found HostSentry will
either:

a) Log the event.
b) Disable the user account. (NOT IMPLEMENTED YET)
c) Drop the route to the offending host. (NOT IMPLEMENTED YET)
d) Block the IP of the offending host. (NOT IMPLEMENTED YET)
e) Log the user off the host. (NOT IMPLEMENTED YET)
f) All of the above. (NOT IMPLEMENTED YET)

	HostSentry is still considered Alpha at this time which is why several
features are not implemented at this time but it looks to be very good if you
have an open system that allows logins. For me it doesn't do much good as the
number of people who should be able to access my system can be counted on one
hand.

	Respectfully,
	Jeremy T. Bouse

-- 
,-----------------------------------------------------------------------------,
| Jeremy T. Bouse  -  UnderGrid Network Services, LLC  -   www.UnderGrid.net  |
|     PGP ID/Fingerprint: 1024/E83D9AE5/4ACC03F098D78198 19D0593E50E597E9     |
|         Public PGP key available via 'finger undrgrid at UnderGrid.net'        |
| Jeremy.Bouse at UnderGrid.net  -  NIC Whois: JB5713  -  undrgrid at UnderGrid.net |
|      promotion, n.: New title, new salary, new office, same old crap.       |
`-----------------------------------------------------------------------------'
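
The exception tuning discussed in the message above, as an added example that is not part of the original post and is not Logcheck's own code or pattern files: a two-pass keyword-and-ignore filter run over constructed syslog lines. The pattern lists, the `report` function and the host name `gw` are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample syslog lines (illustrative, not taken from a real host).
sample_log() {
cat <<'EOF'
Apr 12 21:01:10 gw pppd[412]: Connect: ppp0 <--> /dev/ttyS1
Apr 12 21:01:12 gw pppd[412]: local  IP address 10.0.0.2
Apr 12 21:14:55 gw login[733]: FAILED LOGIN 3 FROM 192.0.2.15 FOR root
Apr 12 21:15:02 gw su[740]: authentication failure for jdoe
Apr 12 21:20:31 gw named[201]: Cleaned cache of 12 RRs
Apr 12 21:22:47 gw kernel: eth0: Promiscuous mode enabled
Apr 12 21:25:03 gw inetd[88]: telnet/tcp: bind: Address already in use
EOF
}

# Hypothetical keyword list: lines that are always reported.
VIOLATIONS='FAILED LOGIN|authentication failure|Promiscuous mode'

# Hypothetical exception list for routine noise. Each pattern is tied to a
# program name and message shape so it cannot swallow unrelated lines.
TUNED_IGNORE='pppd\[[0-9]+\]: |named\[[0-9]+\]: Cleaned cache'

# report [IGNORE_REGEX]
# Pass 1 reports violation keywords before any exception is applied, so an
# over-broad ignore pattern can hide noise but never a violation.
# Pass 2 reports every remaining line that no exception covers.
report() {
    ignore=${1:-'^$'}   # default matches nothing here: no exceptions tuned yet
    sample_log | grep -E "$VIOLATIONS" | sed 's/^/VIOLATION: /'
    sample_log | grep -Ev "$VIOLATIONS" | grep -Ev "$ignore" | sed 's/^/UNUSUAL:   /'
}

echo "== default (no exceptions): every line lands in the mail =="
report
echo "== tuned exceptions: pppd and named noise dropped =="
report "$TUNED_IGNORE"
```
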
