From owner-freebsd-questions@FreeBSD.ORG Mon Mar 14 04:04:08 2005
Date: Sun, 13 Mar 2005 23:04:07 -0500 (EST)
From: "Jerry Bell" <jbell@stelesys.com>
To: sgnezdov@sergei.homeunix.org
cc: freebsd-questions@freebsd.org
Subject: Re: Howto monitor system security
Message-ID: <4557.24.98.86.57.1110773047.squirrel@24.98.86.57>

Sergei,

As one of the other responses points out, it's possible that it would be too late by the time a monitoring system was able to send an email to you. One way to partly mitigate that risk is by having your logs forwarded to another system, and having the analysis run from that machine. You still run the risk of the attacker stopping the logs from being forwarded, but you will likely get *some* notice that something is wrong.
There are many tools that will send alerts to you, but very few that will work "out of the box", without some level of tuning. There is a collection of them here:
http://www.syslog.org/Web_Links+index-req-viewlink-cid-4.phtml
and here:
http://www.syslog.org/Web_Links+index-req-viewlink-cid-19.phtml

> I am running my FreeBSD machine on DMZ. I use ipfw and I expose http
> and smtp ports. I also expose sshd port, but only to a trusted
> network (work). I'd like to know what is the best way to monitor my
> machine security.
>
> FreeBSD security email is rather annoying, because it keeps sending
> messages even if nothing has changed. I need an email sent to me only
> if there is something abnormal.
>

If you have portaudit installed, the daily security emails will include a section on vulnerable ports (software, not network) installed. This is really helpful, as it's hard to keep up with the latest vulnerabilities in all the software that a given system has to run. I think there tends to be a lag between the announcement of the vulnerability and portaudit knowing about it, though. Staying subscribed to the security lists for those applications you run is still a good idea.

Jerry
http://www.syslog.org
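The log-host side of the forwarding Jerry describes, as an added example that is not part of the original thread: it reads the lines the DMZ box forwards, reports only the "abnormal" ones, and treats a sender that goes quiet as an alert in its own right, since that is what an intruder stopping the forwarder looks like from the log host. Hostnames, addresses, the sample lines, the 15-minute threshold and the pattern list are all constructed for the example.

```python
"""Watch the forwarded log stream on the central log host (added example, not
from the original thread). Hosts, addresses and lines are constructed; the line
layout is FreeBSD syslogd's BSD format, which omits the year, so it is supplied."""
from datetime import datetime, timedelta

# Constructed sample of what the DMZ host forwards to the log host.
SAMPLE_LOG = """\
Mar 13 22:50:01 dmz-web sshd[812]: Accepted publickey for admin from 10.0.0.5 port 51022 ssh2
Mar 13 22:55:12 dmz-web sendmail[901]: connect from 198.51.100.7
Mar 13 23:01:45 dmz-web kernel: ipfw: 1000 Deny TCP 203.0.113.9:4455 192.0.2.10:22 in via em0
Mar 13 23:02:10 dmz-web sshd[830]: Failed password for root from 203.0.113.9 port 4460 ssh2
"""
# Substrings worth an email; this is the per-site tuning the thread warns about.
ABNORMAL = ("Failed password", "ipfw:")

def parse_line(line, year=2005):
    """Split one BSD-format syslog line into (timestamp, sending host, message)."""
    stamp = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
    host, message = line[16:].split(" ", 1)
    return stamp, host, message

def silent_hosts(lines, now, max_gap=timedelta(minutes=15), year=2005):
    """Senders whose newest line is older than max_gap, mapped to seconds of silence.
    A sender going quiet is itself an alert: an intruder who stops syslogd or blocks
    outbound syslog silences the stream, and only the log host can still notice."""
    last_seen = {}
    for line in lines:
        stamp, host, _ = parse_line(line, year)
        last_seen[host] = max(stamp, last_seen.get(host, stamp))
    return {h: int((now - t).total_seconds())
            for h, t in last_seen.items() if now - t > max_gap}

def abnormal_events(lines, patterns=ABNORMAL, year=2005):
    """Only the forwarded lines whose message matches an abnormal pattern."""
    return [l for l in lines if any(p in parse_line(l, year)[2] for p in patterns)]

def run_demo(now_text="2005-03-13 23:30:00"):
    """Evaluate the sample at a fixed 'now'; returns (silent hosts, abnormal lines)."""
    lines = SAMPLE_LOG.splitlines()
    now = datetime.strptime(now_text, "%Y-%m-%d %H:%M:%S")
    return silent_hosts(lines, now), abnormal_events(lines)

if __name__ == "__main__":
    silent, events = run_demo()
    for host, gap in silent.items():
        print(f"ALERT: nothing from {host} for {gap} s; check the forwarder")
    for event in events:
        print("ALERT:", event)
```

Run it periodically from cron on the log host with the real forwarded file in place of the sample; the silence check only works if the log host's clock and the sender's clock agree, so keep both on NTP.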