Operating System - HP-UX

basic ideas for monitoring security

HSW Support
Advisor

I'm thinking of writing a shell script to monitor basic security issues which will fire off an email if it thinks something needs checking. Basically I'm looking for any suggestions on things to check. My quick ideas so far are:

1. Check logins for unusual times
2. Warn if user (root etc) has more than 3 failed logins over a certain period
3. Check ftp connections, warn if not from known sources (IP address perhaps)

That's about as far as I've got so far. The system is not 'trusted' and should be fairly secure from the general internet so my main intention is to check for casual internal access attempts or unusual conditions.

Any suggestions will, as always, be rewarded with points.

Thanks in advance,

Mike
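One way to script item 2 from the list above, as an added example that is not part of the original thread: count failed logins per account over the period covered by the input and only send mail when some account is over the limit. The input is assumed to be the output of `lastb` (which on HP-UX reads /var/adm/btmp) for the window of interest; the sample data, the line shape and the function names are all my own constructions.

```shell
#!/bin/sh
# Added example (not from the thread): flag accounts with more than N failed
# logins in the period covered by the input, item 2 in Mike's list.
# On HP-UX the input would be the output of `lastb` (read from /var/adm/btmp)
# for the window you care about; the sample here is constructed so the script
# runs anywhere. Assumed line shape: "user tty [host] weekday month day time".

# Write a constructed, lastb-shaped sample to file $1 (not real log data).
make_sample_btmp() {
    cat <<'EOF' > "$1"
root      console              Mon Jan 14 02:13
root      pts/2     10.0.0.5   Mon Jan 14 02:14
root      pts/2     10.0.0.5   Mon Jan 14 02:15
root      pts/2     10.0.0.5   Mon Jan 14 02:16
oracle    pts/1     10.0.0.9   Mon Jan 14 09:02
mike      pts/3     10.0.0.7   Mon Jan 14 09:40
mike      pts/3     10.0.0.7   Mon Jan 14 09:41
EOF
}

# Print "user count" for each account with more than $2 failures in file $1,
# sorted by user so the output is stable enough to diff or mail.
failed_login_report() {
    awk -v limit="$2" '
        NF > 0 { failures[$1]++ }
        END { for (u in failures) if (failures[u] > limit) print u, failures[u] }
    ' "$1" | sort
}

# Run the check and pipe the report to a mailer only when there is something
# to report. $3 is the command the report goes to and defaults to cat so the
# example prints; returns 1 when nothing exceeded the limit. In production:
#   check_failed_logins "$lastb_out" 3 "mailx -s 'failed logins' root"
check_failed_logins() {
    report=$(failed_login_report "$1" "$2")
    [ -n "$report" ] || return 1
    printf 'Accounts with more than %s failed logins:\n%s\n' "$2" "$report" \
        | sh -c "${3:-cat}"
}

# Stand-alone demonstration on the constructed sample.
sample=${TMPDIR:-/tmp}/btmp_sample.$$
make_sample_btmp "$sample"
check_failed_logins "$sample" 3
rm -f "$sample"
```

Run from cron with the real `lastb` output captured for the last hour or day; the threshold is the second argument. One caveat worth checking first: on HP-UX, login records failures only when /var/adm/btmp already exists, so if `lastb` prints nothing, create the file and retry before trusting the silence.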
Rob Smith
Respected Contributor
Solution

Re: basic ideas for monitoring security

Hi, a couple of things. Check and see if an account has been created with UID 0. Do a checksum to make sure no one has added any additional SUID/SGID scripts. Turn on FTP logging to see what people are transferring. Hope this helps.

Rob
Learn the rules so you can break them properly.
Rainer von Bongartz
Honored Contributor

Re: basic ideas for monitoring security


You should look at IDS/9000 from HP.
This system can be downloaded for free from software.hp.com.

With IDS/9000 you can monitor all aspects of system security even on non-trusted systems.

I installed it on a couple of servers and it works fine.
He's a real UNIX Man, sitting in his UNIX LAN making all his UNIX plans for nobody ...
HSW Support
Advisor

Re: basic ideas for monitoring security

Thanks for the replies so far, forgot to mention version is 10.20.

Mike
Bill McNAMARA_1
Honored Contributor

Re: basic ideas for monitoring security

In terms of software patches, from the internet & security area of software.hp.com
http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProducts.pl?group_type=category&group_name=ISS
you can download a tool that'll analyse your patch levels.
You can also d/l, as was mentioned before, IDS
http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=J5083AA
on trial.

Other than that, close off most services, make sure your disk arrays' config area passwords are all set, as well as your switches/hubs etc.

Get tripwire/satan to analyse your system. Make sure file sizes of /usr/sbin commands and /sbin commands stay the same. Watch out for symbolic links and world readable files and suid programs.

Later,
Bill
It works for me (tm)
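The checks Rob and Bill suggest above (an extra UID 0 account, a checksum over the SUID/SGID files, and /usr/sbin and /sbin binaries changing size) as shell functions, added here as an example and not code from the thread. The passwd file and the directory tree below are constructed fixtures and the function names are my own; on a real host the functions would be pointed at /etc/passwd and at / or at /usr/sbin and /sbin, with the baseline kept on read-only or off-box media. Because `cksum` prints the size next to the checksum, one inventory covers both the checksum and the size comparison.

```shell
#!/bin/sh
# Added example, not from the thread: UID 0 and setuid/setgid inventory checks
# that can run against any directory tree. The passwd file and tree are
# constructed below; in production use /etc/passwd and / (or /usr/sbin, /sbin).

# Print every account other than root whose UID field is 0 ($1 = passwd file).
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Inventory of setuid/setgid files under $1: "checksum size path", one per
# line, sorted by path so two inventories can be compared with diff. The size
# column is what catches the /usr/sbin and /sbin changes Bill mentions.
suid_inventory() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec cksum {} \; | sort -k3
}

# Print the inventory lines that differ between baseline $1 and current $2
# ("<" = in baseline only, ">" = in current only). Exit status 0 means
# something changed (so the caller should mail), 1 means the inventories
# match, which is grep's own convention.
inventory_changes() {
    diff "$1" "$2" | grep '^[<>]'
}

# Constructed fixture: a fake passwd file and a small tree with one setuid file.
build_fixture() {
    dir=$1
    mkdir -p "$dir/bin"
    cat <<'EOF' > "$dir/passwd"
root:x:0:0:root:/:/sbin/sh
mike:x:101:20:Mike:/home/mike:/usr/bin/ksh
backup:x:0:0:backup account:/:/sbin/sh
oracle:x:102:20:Oracle:/home/oracle:/usr/bin/ksh
EOF
    printf 'echo plain\n' > "$dir/bin/plain"
    printf 'echo privileged\n' > "$dir/bin/privileged"
    chmod 755 "$dir/bin/plain"
    chmod 4755 "$dir/bin/privileged"
}

# Typical monitor run: report extra UID 0 accounts, then compare today's
# setuid/setgid inventory with the saved baseline (created on the first run).
run_checks() {
    passwd=$1; tree=$2; baseline=$3
    extra=$(extra_uid0_accounts "$passwd")
    [ -n "$extra" ] && printf 'Extra UID 0 accounts: %s\n' "$extra"
    current=${baseline}.new
    suid_inventory "$tree" > "$current"
    if [ ! -f "$baseline" ]; then
        mv "$current" "$baseline"
        echo "Baseline created: $baseline"
        return 0
    fi
    inventory_changes "$baseline" "$current" && echo "setuid/setgid inventory changed"
    rm -f "$current"
}

# Stand-alone demonstration on the constructed fixture.
demo=${TMPDIR:-/tmp}/suidcheck_demo.$$
build_fixture "$demo"
run_checks "$demo/passwd" "$demo" "$demo/baseline"   # first run: creates baseline
run_checks "$demo/passwd" "$demo" "$demo/baseline"   # second run: compares
rm -rf "$demo"
```

In a cron job the output of `run_checks` is what gets mailed; it is empty when nothing changed and no extra UID 0 account exists. The baseline only proves anything if it was taken on a known-good system and cannot be rewritten by the same account an intruder would gain, so store it somewhere the monitored host cannot modify.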
Bill McNAMARA_1
Honored Contributor

Re: basic ideas for monitoring security

You should check if /dev/console has an active shell and whether root is allowed to access from somewhere other than that.

Hard to script, but it is the key in the door!
Is BCH password protected to stop `hpux -is`?
(probably through mstm)

Later,
Bill
It works for me (tm)
Brian Markus
Valued Contributor

Re: basic ideas for monitoring security

There are a number of things I checked for in my first monitor script: su's, bad login attempts (btmp), SUIDs on files, any access to /etc/passwd (copies etc.). I recently threw out my script and went to IDS/9000. It has all those features plus more. It can check for race conditions, buffer overflows, and a number of other things that would be a burden to code. Since it's realtime, I chucked my tripwire also. I've got to say, other than the dependency on java 1.18 I love the product. It's in its infancy stage, and has blown away everything out already. With the combination of this and SSH, the security_patch_check tool, and a few other things you can make a pretty hard box. Check the Txt on Building a Bastion Host Using HP-UX 11.x. You can find a lot of really useful things in there.


Good luck

Brian.
When a sys-admin says maybe, they don't mean 'yes'!