# A Server Security Monitor
- logs all successful ssh logins, repeated failed attempts, and attempts to log in as root
- watches and logs access to sensitive paths
## Implementation
- an sshd monitor daemon: logs every login attempt to the DB and categorizes it as KNOWN (me or another known user, identified by a previously connected IP or a local IP), UNIMPORTANT (just another random bot brute-force attempt), NOTE (a user logged in from a new IP), or WARNING (someone logged in as root from an unknown IP)
- user access monitor daemon: logs any time an already logged-in user logs in as root
- ddos monitor daemon: watches for too-frequently repeated network requests
- sensitive data defender: watches for unusual access to sensitive paths (defined in config)
## Database Schema
-
## Service Config
- known ips: ssh from these IPs is expected
- admin users: users who are allowed to log in as root
- sensitive paths: list of file paths that are considered sensitive, and the users who are allowed to access them
-