by TheSwordsman 3778 days ago
Absolutely. We have an old blog post that goes over how we did it a while ago:

* https://www.pagerduty.com/blog/security-monitoring-alerting-...

Most of this is still valid. There may be some differences as we've improved our configuration over time.

We use OSSEC for host-level intrusion detection. This fired off quite a few alerts as the malicious party began to log in as root on the serial console, amongst other things.

We have also supplemented it with other tools, such as an in-house wrapper around nmap, to alert us to hosts that don't match their expected network configuration. So when ports get opened incorrectly, someone is usually alerted within a minute.

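The port-drift check the comment describes, written here as an added example rather than PagerDuty's own wrapper: it parses nmap's grepable (-oG) output, compares each host's open TCP ports with an expected baseline, and returns the differences worth alerting on. The scan text and the baseline are constructed samples; the function and field names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of nmap grepable output (-oG); not real scan data.
SAMPLE_SCAN = """\
# Nmap scan initiated (constructed sample)
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 8443/open/tcp//https-alt///\tIgnored State: closed (997)
Host: 10.0.0.6 ()\tPorts: 22/open/tcp//ssh///, 443/filtered/tcp//https///\tIgnored State: closed (998)
Host: 10.0.0.7 ()\tPorts: 3306/open/tcp//mysql///\tIgnored State: closed (999)
"""

# Hypothetical baseline of expected open TCP ports per host; in practice this
# would be generated from configuration management, not hand-written.
BASELINE = {
    "10.0.0.5": {22, 80},
    "10.0.0.6": {22, 443},
}

# Matches the "port/state/protocol/" prefix of each entry in the Ports: field.
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/")


def parse_grepable(text):
    """Return {host: set of open TCP ports} from nmap -oG output."""
    open_ports = defaultdict(set)
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comments and summary lines carry no port data
        host = line.split()[1]
        ports = open_ports[host]  # touch so hosts with nothing open still appear
        fields = line.split("\t")
        ports_field = next((f for f in fields if f.startswith("Ports:")), "")
        for port, state, proto in PORT_RE.findall(ports_field):
            if state == "open" and proto == "tcp":
                ports.add(int(port))
    return dict(open_ports)


def find_drift(observed, baseline):
    """Compare observed open ports with the baseline; return (host, kind, ports) alerts."""
    alerts = []
    for host, expected in sorted(baseline.items()):
        seen = observed.get(host, set())
        if seen - expected:  # something listening that the baseline never allowed
            alerts.append((host, "unexpected_open", sorted(seen - expected)))
        if expected - seen:  # a service that should be up is not reachable
            alerts.append((host, "expected_missing", sorted(expected - seen)))
    for host in sorted(set(observed) - set(baseline)):  # hosts nobody declared
        alerts.append((host, "unknown_host", sorted(observed[host])))
    return alerts


if __name__ == "__main__":
    for host, kind, ports in find_drift(parse_grepable(SAMPLE_SCAN), BASELINE):
        print(f"ALERT {host} {kind} {ports}")
```

Run on a schedule with the live scan output in place of SAMPLE_SCAN, the non-empty alert list is what gets paged on.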

Thank you very much!