Console Monitor Cookbook
From PortSensor Wiki
Internal Commands
Internal commands access functionality provided by the Console Monitor. They don't require any dependencies at the console.
#PORT
The #PORT command checks whether a port on a given host is accepting connections. The metric returns UP or DOWN as a string.
<sensor>
  <name>HTTP</name>
  <command>#PORT localhost 80</command>
  <type>text</type>
  <critical oper="eq" value="DOWN">Critical</critical>
</sensor>
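To make the UP/DOWN semantics and the threshold rule concrete, here is an added Python example (not PortSensor's own code) that does what the #PORT sensor above does: attempt a connection with a timeout, report UP or DOWN, and apply a <critical oper="eq" value="DOWN"> style comparison. The function names and the "eq"/"gt" operator handling are assumptions of this example; the page only shows those two operators in use.

```python
import socket
from contextlib import closing

# Added example, not PortSensor code: a stand-in for the #PORT internal command
# plus the sensor's threshold rule, runnable offline against a local listener.


def check_port(host, port, timeout=3.0):
    """Return "UP" if a TCP connect to host:port succeeds within timeout, else "DOWN"."""
    try:
        with closing(socket.create_connection((host, port), timeout=timeout)):
            return "UP"
    except OSError:  # refused, timed out, unreachable, unknown host
        return "DOWN"


def evaluate(value, oper, threshold):
    """Apply a sensor rule. "eq" compares strings (text sensors); "gt" compares
    numerically (number sensors). Other operators are not modelled here."""
    if oper == "eq":
        return value == threshold
    if oper == "gt":
        return float(value) > float(threshold)
    raise ValueError("unsupported oper: %r" % oper)


def free_port():
    """Pick a local TCP port nothing is listening on (bind to 0, read it back, close)."""
    with closing(socket.socket()) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo():
    """Start a throwaway listener, probe it, close it, probe again.
    Returns (status while listening, status after close, critical fired after close)."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    up = check_port("127.0.0.1", port, timeout=1.0)
    listener.close()
    down = check_port("127.0.0.1", port, timeout=1.0)
    return up, down, evaluate(down, "eq", "DOWN")


if __name__ == "__main__":
    print(demo())  # expected: ('UP', 'DOWN', True)
```

The timeout matters in practice: a filtered port (no RST, no SYN-ACK) only reports DOWN once the connect attempt gives up, so a long timeout can hold up the whole sensor run.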
Console Commands
Any <command> that doesn't match an Internal Command will be treated as a Console Command and run in the shell. Unix-based servers provide many more console-based tools than Windows servers do, but you can always create or install new command-line tools to provide more information.
Quick Examples
Load: cat /proc/loadavg | awk '{print $1}'
Last Logins: last | head -n 5
Disk Space: df | grep /dev/sda5 | awk '{print $5}'
Processes: ps -eo "%C%% %c" --no-headers | sort -r -n | head -n 5
DNS: #PORT server.hostname.com 53
MySQL: #PORT server.hostname.com 3306
POP3: #PORT server.hostname.com 110
SMTP: #PORT server.hostname.com 25
SSH: #PORT server.hostname.com 22
HTTP: #PORT server.hostname.com 80
HTTP-SSL: #PORT server.hostname.com 443
Qmail: /var/qmail/bin/qmail-qstat | head -n 1 | awk '{print $4}'
Security
Detecting SSH Brute Force Attempts (Linux/BSD)
- First, set up a copy of your authpriv log that the portsensor user can read.
  mkdir ~portsensor/log/
  vi /etc/syslog.conf
- Add the line:
  authpriv.* /home/portsensor/log/secure
- Restart syslogd (varies by platform):
  /etc/rc.d/init.d/syslog restart
- Then add the sensor:
<sensor>
  <name>Brute Force</name>
  <command>tail -n 10000 ~portsensor/log/secure | grep ".* sshd.*: Failed password for .*" | wc -l | tr -d "\r\n"</command>
  <type>number</type>
  <warning oper="gt" value="100">Possible Brute Force Attack</warning>
</sensor>
