Security Dashboard

Compatible With
  • Nagios Log Server
Files:
  • NMAP_Scans.json - NMAP Scans Query
  • Security Dashboard-1417731761229 - Security Dashboard
  • Threat_Analysis.json - Threat Analysis Query


The security dashboard assumes /var/log/messages and /var/log/secure are being monitored. The associated query looks for strings such as "segfault" and "Failed password", along with other log entries that may indicate an attack.

The second query looks for "Port scan detected" and relies on syslog messages sent from PSAD (Port Scan Automated Detection) running on a system. PSAD analyzes iptables logs and raises an alert when a port scan is in progress.

Taken together, these two queries and the dashboard can give a timeline of a potential attack taking place:

1.) Scans are run looking for open services ("Port scan detected")
2.) Common SSH logins are attempted ("Failed password")
3.) Failing that, the attacker finds a possibly-exploitable program and begins testing ("segfault")
4.) If the attacker gets in, he might create a user for himself or delete one ("new user")

Since /var/log/messages and /var/log/secure are present on nearly every Linux system, this dashboard (even without the PSAD query) can be used in many environments with little to no setup required.
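To show how the dashboard's search terms map onto the four-stage timeline above, here is an added example (not part of the dashboard or the Nagios Log Server queries) that classifies traditional syslog lines by the same strings and orders them into a timeline. The sample log lines, host name, addresses and pids are constructed, and the "delete user" pattern for userdel is an assumption; the page itself only cites "new user".

```python
import re
from datetime import datetime

# The dashboard's search strings as a stage classifier, in the order of the
# attack timeline described on the page (scan -> SSH guessing -> crash -> account).
STAGES = [
    ("scan", re.compile(r"Port scan detected")),              # PSAD via syslog
    ("ssh-bruteforce", re.compile(r"Failed password")),       # sshd, /var/log/secure
    ("exploit-attempt", re.compile(r"segfault")),             # kernel, /var/log/messages
    # "delete user" (userdel's wording) is an assumption; the page cites "new user".
    ("account-change", re.compile(r"new user|delete user")),  # useradd/userdel
]
STAGE_ORDER = [name for name, _ in STAGES]

# Traditional syslog layout: "Dec  4 21:02:41 host prog[pid]: message" (no year).
SYSLOG_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$")

# Constructed sample lines; host, addresses and pids are made up.
SAMPLE_LOG = """\
Dec  4 21:02:41 web01 psad: Port scan detected from 203.0.113.7 on eth0
Dec  4 21:05:13 web01 sshd[2104]: Failed password for root from 203.0.113.7 port 50122 ssh2
Dec  4 21:05:15 web01 sshd[2104]: Failed password for root from 203.0.113.7 port 50123 ssh2
Dec  4 21:09:02 web01 kernel: httpd[2210]: segfault at 0 ip 00007f3c1a2b3c4d sp 00007ffd1234abcd error 4 in libexample.so[7f3c1a200000+1000]
Dec  4 21:11:40 web01 useradd[2300]: new user: name=svc, UID=1001, GID=1001, home=/home/svc, shell=/bin/bash
Dec  4 21:12:00 web01 systemd[1]: Started Daily Cleanup.
""".splitlines()

def classify(line, year=2014):
    """Map one syslog line to (timestamp, host, stage, message); None if unmatched."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts_text, host, msg = m.groups()
    for stage, pattern in STAGES:
        if pattern.search(msg):
            # Syslog omits the year; the caller supplies it so events sort correctly.
            ts = datetime.strptime(ts_text, "%b %d %H:%M:%S").replace(year=year)
            return (ts, host, stage, msg)
    return None

def build_timeline(lines, year=2014):
    """Security-relevant events in time order, one tuple per matching line."""
    events = [e for e in (classify(l, year) for l in lines) if e is not None]
    return sorted(events, key=lambda e: e[0])

def furthest_stage(timeline):
    """The most advanced stage seen, by STAGES order (None if nothing matched)."""
    seen = {e[2] for e in timeline}
    return max(seen, key=STAGE_ORDER.index) if seen else None
```

Running `build_timeline(SAMPLE_LOG)` yields five events in stage order and `furthest_stage` reports "account-change", the same progression the dashboard is meant to make visible; the systemd line is ignored as noise.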