Hello, After a long delay I'm happy to announce the alpha release of a new security tool called HostSentry. HostSentry is part of the Abacus Project suite of security tools and is designed to function as a Login Anomaly Detector. The tool is in early alpha phase and while some parts may be buggy or incomplete, it is stable enough that it shouldn't cause any harm to a host. A few points about the tool: 1) Please read all the docs. 2) Some signature modules are not fully implemented. 3) Automated response actions are not implemented yet. 4) It has only been tested under RedHat 5.2 and OpenBSD. Early alpha testers have also run it under Slackware and it should work on most Unix systems (I hope). 5) There are some limitations for *BSD variants. Read the docs (and README.wtmp) for details. 6) The tool is written in 100% Python and you'll want to have the latest version (http://www.python.org). 7) It's free, but please read the license. You can get the tool from: http://www.psionic.com/abacus/hostsentry You can read about the other tools here: http://www.psionic.com/abacus You can subscribe to the mailing list by sending a subscribe message to: abacus-request@psionic.com abacus-announce-request@psionic.com What the tool actually does: HostSentry monitors system login accounting records in real-time (wtmp/utmp). These records are used to build a dynamic database of active users and run a series of signature modules during the login and logout phases. The signature modules are pluggable and easily activated or deactivated by the admin. An example wrapper is included to allow administrators to add new signatures. The current list of signatures includes: moduleLoginLogout - Generic audit trail of all user login and logouts. moduleFirstLogin - Alerts administrators if this user is logging in for the first time. moduleForeignDomain - A login was detected from a domain not listed in the allowed domains file. moduleRhostCheck - A user's .rhosts file contains a wildcard or other dangerous modification. moduleHistoryTruncated - A user's .history file is missing, truncated to zero bytes, or symlinked (i.e. /dev/null) moduleOddDirnames - A user's directory contains suspicious directory names on logout (" ..", "...", etc.) moduleMultipleLogins - A single username has multiple concurrent logins from different domains. moduleOddLoginTime - A user is logging in at an odd hour for their usage pattern (not implemented yet). moduleInvalidUtmp - A corresponding utmp/wtmp entry for this login cannot be found (entry possibly removed) (not implemented yet). moduleHistorySuspicious - The user's history file contains suspicious commands (not implemented yet). moduleNetworkDaemon - The user logged out but left a listening network socket operating (private web server, IRC bot, etc.) (not implemented yet). moduleFileExists - A file was found in the user's directory that is listed in the banned/monitored list of the site (not implemented yet). Other modules to be determined as I find time to implement them. The modules that are not implemented yet will be done shortly once I start getting more people testing and can work out the major bugs. I don't want to make this too long, so if you have any more questions please look at the webpage and read the docs. Any comments on the tool are welcome. Thank you, -- Craig http://www.psionic.com