Atomic Secure Linux

All times are UTC - 5 hours [ DST ]




 Post subject: qmail queue warnings / high priority ossec alerts
Posted: Thu Dec 09, 2010 9:13 pm
Long Time Forum Regular

Joined: Thu Dec 09, 2004 11:19 am
Posts: 2024
One of our hosting customers set up a "tell a friend" form on their website, complete with "add a message here" box on the form.

Unsurprisingly, a spammer found it and sent a good 64,000+ messages before I noticed (a good proportion still in the outgoing queue, thankfully - I was able to delete them thanks to qmHandle).

I've been away all day otherwise I'd have noticed sooner. It only came to my notice thanks to an AOL feedback loop alert.

Here's the thing: I've not looked at the ossec rules, but I don't think there's one that says "if there's more than X messages in the qmail outgoing queue, send an alert level 12" or whatever, is there? If not, please can this be added, if possible in some way?

Even if there is a way to do this, the only way I've found to make sure I see all the important alerts and hide (but not disable) the less important ones is to configure a filter in Gmail that labels (and effectively hides) alerts less than level 8, which means I can easily see the ones 8 and higher. This is a bit of a kludge though.

Has anyone found a better way to achieve this? I know you can suppress rules under X but I don't want to do that -- I still want level 7 alerts sent by email, for example. I just don't want them cluttering up my main inbox as I get one from each server every hour.

Faris.

_________________
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>


 Post subject: Re: qmail queue warnings / high priority ossec alerts
Posted: Fri Dec 10, 2010 4:05 am
Long Time Forum Regular

Joined: Sat Aug 20, 2005 9:30 am
Posts: 2812
Location: The Netherlands
faris wrote:
Here's the thing: I've not looked at the ossec rules, but I don't think there's one that says "if there's more than X messages in the qmail outgoing queue, send an alert level 12" or whatever, is there? If not, please can this be added, if possible in some way?


We added a check to our monitoring (we use Zenoss) which checks the number of messages in the queue and alerts above a certain threshold. There's a ton of things you might want to monitor, but I'm not sure if all monitoring checks should be handled by a security tool like OSSEC.

_________________
Lemonbit Internet Dedicated Server Management


 Post subject: Re: qmail queue warnings / high priority ossec alerts
Posted: Fri Dec 10, 2010 9:10 pm
Long Time Forum Regular

Joined: Thu Dec 09, 2004 11:19 am
Posts: 2024
Very true.

The thing is that we already have a tool to do this, but it also checks to see if qmail is running and restarts it if not, and that gets in the way of psmon. Sure I could change psmon's config, but then it gets overwritten every now and then :-)

We did look into a really seriously cool monitoring product from serverdensity.com that had an Android app option as a front-end, but the monitoring agent needs Python 2.4 than you get with RH4 and having the two running side-by-side looked seriously scary and prone to problems.

Also no qmail monitoring by default :-)

_________________
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
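
The queue-threshold check discussed in this thread, sketched as an added example; it is not part of the original posts and is not code from OSSEC, Zenoss or any poster. It assumes the stock qmail queue at `/var/qmail/queue` with one file per message under `mess/`; the threshold of 500, the `qmail-queue-check` log tag and the function names are illustrative.

```shell
#!/bin/sh
# Added example: qmail outgoing-queue threshold check (not from the thread).
# Assumptions: stock queue layout where every queued message is one file
# under <queue>/mess/<bucket>/; the threshold and log tag are illustrative.

QMAIL_QUEUE="${QMAIL_QUEUE:-/var/qmail/queue}"   # default qmail location
QUEUE_WARN="${QUEUE_WARN:-500}"                  # site-specific, tune it

# Print the number of messages currently in the queue.
qmail_queue_count() {
    queue_dir="$1"
    if [ ! -d "$queue_dir/mess" ]; then
        echo "queue directory $queue_dir/mess not found" >&2
        return 2
    fi
    # One regular file per message; wc output is trimmed for portability.
    find "$queue_dir/mess" -type f | wc -l | tr -d ' '
}

# Print one status line; return 0 when at or under the threshold, 1 when
# over, 2 when the queue cannot be read (treat as a monitoring failure).
qmail_queue_check() {
    queue_dir="$1"
    limit="$2"
    count=$(qmail_queue_count "$queue_dir") || return 2
    if [ "$count" -gt "$limit" ]; then
        echo "qmail-queue-check: ALERT queue=$count threshold=$limit"
        return 1
    fi
    echo "qmail-queue-check: OK queue=$count threshold=$limit"
    return 0
}

# For cron: write problems to syslog so a log monitor can match the tag.
qmail_queue_report() {
    line=$(qmail_queue_check "$QMAIL_QUEUE" "$QUEUE_WARN")
    status=$?
    if [ "$status" -ne 0 ]; then
        logger -p mail.warning -t qmail-queue-check "${line:-queue unreadable}"
    fi
    return "$status"
}

# Only report when asked, e.g. from cron: qmail-queue-check.sh --report
case "${1:-}" in --report) qmail_queue_report ;; esac
```

Because the script only reads the queue and writes one syslog line, it does not restart or otherwise touch qmail, so it stays out of the way of a process supervisor.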

