Security Monitoring

Antivirus software and firewalls provide protection, but it is also useful to monitor the number of network connections. For example, a denial-of-service attack or a brute-force SSH login attack will increase the number of open connections, and that increase is visible even when an attacker has bypassed the antivirus software or the firewall.

Bronshae monitors the number of open TCP and UDP connections along with other network services. If the number of open connections is above a specified threshold, a notification is generated. Someone receiving the notification can then investigate whether it is an attack or a misbehaving application. The threshold can be changed on a server-by-server basis to accommodate different normal levels of open connections. The graph below depicts a simulated attack in which the number of active connections spiked to 800 TCP connections.
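The kind of check described above, written out as an added example (this is not Bronshae's code): it parses the Linux `/proc/net/tcp` table, counts sockets in states that represent a live peer (listeners and TIME_WAIT are excluded), applies a per-server threshold with a default, and reports the remote addresses holding the most connections so the person investigating can tell an attack from a chatty application. The hostnames, thresholds and the sample table contents are constructed for illustration.

```python
"""Count open TCP connections from /proc/net/tcp and alert above a per-server
threshold.  Added example; the thresholds and sample data are made up."""
import socket
import struct
from collections import Counter

# TCP socket states as encoded (hex) in the 'st' column of /proc/net/tcp.
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV",
    "04": "FIN_WAIT1", "05": "FIN_WAIT2", "06": "TIME_WAIT",
    "07": "CLOSE", "08": "CLOSE_WAIT", "09": "LAST_ACK",
    "0A": "LISTEN", "0B": "CLOSING",
}

# States counted as "open": a remote peer is (or was just) attached.  LISTEN is
# static and TIME_WAIT is only a local timer, so neither is a useful attack signal.
OPEN_STATES = {"ESTABLISHED", "SYN_RECV", "CLOSE_WAIT", "FIN_WAIT1", "FIN_WAIT2"}

DEFAULT_THRESHOLD = 500                              # assumed default
PER_SERVER_THRESHOLD = {"web01": 2000, "bastion": 50}  # assumed per-server overrides


def _decode_addr(hexaddr):
    """'0100007F:0016' -> '127.0.0.1:22' (IPv4 is stored little-endian)."""
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return f"{ip}:{int(port_hex, 16)}"


def parse_proc_net_tcp(text):
    """Return a list of (local, remote, state) tuples from /proc/net/tcp text."""
    rows = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        state = TCP_STATES.get(fields[3], fields[3])
        rows.append((_decode_addr(fields[1]), _decode_addr(fields[2]), state))
    return rows


def count_open(rows):
    """Return (number of open sockets, Counter of all states)."""
    by_state = Counter(state for _, _, state in rows)
    open_count = sum(n for s, n in by_state.items() if s in OPEN_STATES)
    return open_count, by_state


def top_remote_hosts(rows, n=3):
    """Remote IPs holding the most open sockets, to separate attack from app."""
    peers = Counter(remote.rsplit(":", 1)[0]
                    for _, remote, state in rows if state in OPEN_STATES)
    return peers.most_common(n)


def check_host(hostname, proc_text):
    """Evaluate one server's table against its threshold; return a report dict."""
    rows = parse_proc_net_tcp(proc_text)
    open_count, by_state = count_open(rows)
    threshold = PER_SERVER_THRESHOLD.get(hostname, DEFAULT_THRESHOLD)
    return {
        "host": hostname,
        "open": open_count,
        "threshold": threshold,
        "alert": open_count > threshold,
        "by_state": dict(by_state),
        "top_remote": top_remote_hosts(rows),
    }


def read_live_table(path="/proc/net/tcp"):
    """On a Linux host, read the real table (not used by the sample below)."""
    with open(path) as fh:
        return fh.read()


def build_sample(attack_conns):
    """Constructed /proc/net/tcp text: one listener on :22, one normal session
    from 10.0.0.11, and `attack_conns` half-open (SYN_RECV) sockets from
    192.168.0.1 hammering port 22."""
    tail = "00000000:00000000 00:00000000 00000000     0        0 {inode} 1 0 100 0 0 10 0"
    lines = [
        "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode",
        "   0: 00000000:0016 00000000:0000 0A " + tail.format(inode=10001),
        "   1: 0A00000A:0016 0B00000A:C350 01 " + tail.format(inode=10002),
    ]
    for i in range(attack_conns):
        lines.append(f"   {i + 2}: 0A00000A:0016 0100A8C0:{0x4000 + i:04X} 03 "
                     + tail.format(inode=10003 + i))
    return "\n".join(lines)


if __name__ == "__main__":
    print(check_host("bastion", build_sample(60)))
```

Because SYN_RECV is counted, a SYN flood that never completes the handshake still trips the threshold; an application leak usually shows up as CLOSE_WAIT instead, which the `by_state` breakdown makes visible at a glance.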

On Linux hosts, Bronshae monitors the logged-in users. If an attacker has succeeded with a brute-force password attack, the successful login will be displayed along with the time it occurred. This information can be queried from either the user interface or the command line. In the example below, I have queried several servers to identify who is currently logged in. The "(unknown)" user is possibly some kind of issue on Debian Linux.
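The login information above becomes most useful when a successful login is correlated with the failed attempts that preceded it. The following added example (not Bronshae's code) shows that detection logic over constructed `sshd` log lines: it keeps a sliding window of failed logins per source IP and flags any accepted login from an IP that failed at least `min_failures` times within the window, reporting the user, host and time of the success. The log lines, hostnames and addresses are made up, and the lines use ISO-8601 timestamps as journald or RFC 3339-configured rsyslog would emit them; classic syslog timestamps without a year would need a different parser.

```python
"""Flag SSH logins that succeed after a burst of failures from the same IP.
Added example with constructed log lines; not Bronshae's code."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches both "Accepted password for deploy from ..." and
# "Failed password for invalid user admin from ..." style sshd messages.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def detect_bruteforce_success(lines, min_failures=5, window=timedelta(minutes=10)):
    """Return a list of suspicious successful logins, in log order."""
    failures = defaultdict(deque)  # ip -> timestamps of recent failures
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # other sshd noise (disconnects, key exchange, ...)
        ts = datetime.fromisoformat(m["ts"])
        ip = m["ip"]
        recent = failures[ip]
        # Drop failures that fell out of the sliding window.
        while recent and ts - recent[0] > window:
            recent.popleft()
        if m["result"] == "Failed":
            recent.append(ts)
            continue
        # Accepted: suspicious only if enough failures preceded it.
        if len(recent) >= min_failures:
            hits.append({
                "time": ts.isoformat(),
                "host": m["host"],
                "user": m["user"],
                "ip": ip,
                "method": m["method"],
                "failures_before": len(recent),
            })
        recent.clear()  # a success resets the counter for that IP
    return hits


# Constructed sample: 8 failures from 203.0.113.7 followed by a success,
# one clean login from 10.0.0.5, and a user who mistyped twice before logging in.
SAMPLE_LOG = [
    f"2024-03-03T10:01:{s:02d} srv1 sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port {50100 + s} ssh2"
    for s in range(0, 24, 3)
] + [
    "2024-03-03T10:01:30 srv1 sshd[1240]: Accepted publickey for alice from 10.0.0.5 port 41022 ssh2",
    "2024-03-03T10:02:00 srv1 sshd[1250]: Failed password for bob from 198.51.100.3 port 40001 ssh2",
    "2024-03-03T10:02:04 srv1 sshd[1250]: Failed password for bob from 198.51.100.3 port 40001 ssh2",
    "2024-03-03T10:02:09 srv1 sshd[1250]: Accepted password for bob from 198.51.100.3 port 40001 ssh2",
    "2024-03-03T10:02:40 srv1 sshd[1301]: Accepted password for deploy from 203.0.113.7 port 50190 ssh2",
    "2024-03-03T10:02:41 srv1 sshd[1301]: pam_unix(sshd:session): session opened for user deploy by (uid=0)",
]

if __name__ == "__main__":
    for hit in detect_bruteforce_success(SAMPLE_LOG):
        print(hit)
```

The window matters: a successful login hours after a handful of failures is normal behaviour, so failures are aged out before the success is judged. The same structure works for reading `journalctl -u ssh -o short-iso` output line by line on a live host.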

By using Bronshae, you can add another layer of attack detection. Knowing when a system is under attack or has been compromised improves the security of the infrastructure.

