After a long delay I'm happy to announce the alpha release of a new
security tool called HostSentry. HostSentry is part of the Abacus Project
suite of security tools and is designed to function as a Login Anomaly
Detector. The tool is in early alpha phase and while some parts may be
buggy or incomplete, it is stable enough that it shouldn't cause any harm
to a host.
A few points about the tool:
1) Please read all the docs.
2) Some signature modules are not fully implemented.
3) Automated response actions are not implemented yet.
4) It has only been tested under RedHat 5.2 and OpenBSD. Early alpha
testers have also run it under Slackware and it should work on most Unix
systems (I hope).
5) There are some limitations for *BSD variants. Read the docs (and
README.wtmp) for details.
6) The tool is written in 100% Python and you'll want to have the latest
7) It's free, but please read the license.
You can get the tool from:
You can read about the other tools here:
You can subscribe to the mailing list by sending a subscribe message to:
What the tool actually does:
HostSentry monitors system login accounting records in real-time
(wtmp/utmp). These records are used to build a dynamic database of active
users and run a series of signature modules during the login and logout
phases. The signature modules are pluggable and easily activated or
deactivated by the admin. An example wrapper is included to allow
administrators to add new signatures. The current list of signatures
moduleLoginLogout - Generic audit trail of all user login and logouts.
moduleFirstLogin - Alerts administrators if this user is logging in for
the first time.
moduleForeignDomain - A login was detected from a domain not listed in the
allowed domains file.
moduleRhostCheck - A user's .rhosts file contains a wildcard or other
moduleHistoryTruncated - A user's .history file is missing, truncated to
zero bytes, or symlinked (i.e. /dev/null)
moduleOddDirnames - A user's directory contains suspicious directory names
on logout (" ..", "...", etc.)
moduleMultipleLogins - A single username has multiple concurrent logins
from different domains.
moduleOddLoginTime - A user is logging in at an odd hour for their usage
pattern (not implemented yet).
moduleInvalidUtmp - A corresponding utmp/wtmp entry for this login cannot
be found (entry possibly removed) (not implemented yet).
moduleHistorySuspicious - The user's history file contains suspicious
commands (not implemented yet).
moduleNetworkDaemon - The user logged out but left a listening network
socket operating (private web server, IRC bot, etc.) (not implemented
moduleFileExists - A file was found in the user's directory that is listed
in the banned/monitored list of the site (not implemented yet).
Other modules to be determined as I find time to implement them. The
modules that are not implemented yet will be done shortly once I start
getting more people testing and can work out the major bugs.
I don't want to make this too long, so if you have any more questions
please look at the webpage and read the docs.
Any comments on the tool are welcome.