-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathTODO
95 lines (76 loc) · 3.42 KB
/
TODO
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
- after move to Ubuntu, the dashboard graph no longer runs from cron
(but runs manually without problems). The error is apparently from
libSDL:
- graph_series.sp: 252: 49: begin block in graph
pen.new_window_canvas(512, 512, 32, canvas );
^ an unexpected exception was raised
- my pal archive may have some files that appear suspicious
- need a way to easily change the sshd_port.
- currently must be set manually. reset firewall does not redo the
- default open rules. they are skipped if blocklist exists.
-http crashes
10/15 08:21:28:19376:http_blocker:INFO:http_blocker.sp:535: :110.229.217.69 caus
ed a HTTP threat event
10/15 08:21:28:19376:http_blocker:INFO:blocking.inc.sp:807: :110.229.217.69 ma
de a suspicious web request 'GET /ueditor/net/controller.ashx HTTP/1.1python-requests/2.24.0' w
ith '/ueditor'
10/15 08:21:28:19376:http_blocker:INFO:blocking.inc.sp:842: :110.229.217.69 ha
s grace
... no further output from http blocker, no fatal exceptions
DShield
https://isc.sans.edu/api/ip/70.91.145.10/handler?json
https://isc.sans.edu/api/sources/attacks/100/hander?json
100 = number to retrieve
70.91.145.10,,,,,,,,abuse@comcast.net,7922,COMCAST-7922 - Comcast Cable Communications, LLC,,US,66192817,70.88.0.0/14
- field 2 is number of attacks
- daemons
- "tail: ‘/var/log/secure’ has been replaced; following end of new file"
- ssh
- progress bar on sshd blocker sometimes has a phantom newline / erases
whatever message was there.
- mail
- SpamHaus support? https://www.spamhaus.org/sbl/
- myself is blocking for email access on:
Sep 19 15:44:13 pegasoft postfix/submission/smtpd[6130]: warning: hostname ppp101.static.dsl.ontario.net does not resolve to address 209.159.182.101: Name or service not known
- http
- statistic blocking on large accesses
- time-of-day matrix (i.e. list of hours) and application
- wash
- using IPSET_CMD command type instead of command name
- blocking
- create whitelist levels/reasons - i.e. customers, trusted machines
- create list of services/ports to block in firewall
- handling test data (not blocking, washing out (optionally?))
- admin
- paths mixed up after moving import/export to admin/ folder
- clearing out test data
- reporting
- email of event notifications
- daily status reports in log
- database tables, statistics gathering and daily status reports
- current status table
- attacks seen
- performance stats
- security patch metrics
- which patches, when, how recently, how many over time
- performance
- ping
- ping greatly slows the responsiveness...we need to defer it to the wash phase
- ping errors
- we need "placeholder ip's" as ping is not guaranteed to find the domain
name. Placeholder ip's can be checked later, but also cannot be blocked
since they are not real ip numbers. Probably already blocked anyway.
- AllowedUsers line
- testing
- unit tests
- additional testing with plain text logins disabled...does it still work?
- other
- if spar fails with an error, daemon script doesn't abort
-https://github.com/mushorg/glastopf honeypot
- use an event number instead of a ip number
- additional services
- virus scan on changed files
- network listener scan
- error log summaries
- scan for file changes / new directories
- dan notes SNMP interface, etc. must be considered