New Security Tool: HostSentry 0.02 Alpha 
Author Message
 New Security Tool: HostSentry 0.02 Alpha


After a long delay I'm happy to announce the alpha release of a new
security tool called HostSentry. HostSentry is part of the Abacus Project
suite of security tools and is designed to function as a Login Anomaly
Detector. The tool is in early alpha phase and while some parts may be
buggy or incomplete, it is stable enough that it shouldn't cause any harm
to a host.

A few points about the tool:

1) Please read all the docs.
2) Some signature modules are not fully implemented.
3) Automated response actions are not implemented yet.
4) It has only been tested under RedHat 5.2 and OpenBSD. Early alpha
testers have also run it under Slackware and it should work on most Unix
systems (I hope).
5) There are some limitations for *BSD variants. Read the docs (and
README.wtmp) for details.
6) The tool is written in 100% python and you'll want to have the latest
version ( http://www.*-*-*.com/ ).
7) It's free, but please read the license.

[Moderator's note: excerpt from license: "(...) These works may not to be
used in part or in whole of a commercial product offering without express
written consent from the author. Permission is granted to modify source code
for personal use only. Distribution of modified source code without the
author's permission is prohibited. (...)"]

You can get the tool from:


You can read about the other tools here:


You can subscribe to the mailing list by sending a subscribe message to:

What the tool actually does:

HostSentry monitors system login accounting records in real-time
(wtmp/utmp). These records are used to build a dynamic database of active
users and run a series of signature modules during the login and logout
phases. The signature modules are pluggable and easily activated or
deactivated by the admin. An example wrapper is included to allow
administrators to add new signatures. The current list of signatures

moduleLoginLogout - Generic audit trail of all user login and logouts.

moduleFirstLogin - Alerts administrators if this user is logging in for
the first time.

moduleForeignDomain - A login was detected from a domain not listed in the
allowed domains file.

moduleRhostCheck - A user's .rhosts file contains a wildcard or other
dangerous modification.

moduleHistoryTruncated - A user's .history file is missing, truncated to
zero bytes, or symlinked (i.e. /dev/null)

moduleOddDirnames - A user's directory contains suspicious directory names
on logout (" ..", "...", etc.)

moduleMultipleLogins - A single username has multiple concurrent logins
from different domains.

moduleOddLoginTime - A user is logging in at an odd hour for their usage
pattern (not implemented yet).

moduleInvalidUtmp - A corresponding utmp/wtmp entry for this login cannot
be found (entry possibly removed) (not implemented yet).

moduleHistorySuspicious - The user's history file contains suspicious
commands (not implemented yet).

moduleNetworkDaemon - The user logged out but left a listening network
socket operating (private web server, IRC bot, etc.) (not implemented

moduleFileExists - A file was found in the user's directory that is listed
in the banned/monitored list of the site (not implemented yet).

Other modules to be determined as I find time to implement them. The
modules that are not implemented yet will be done shortly once I start
getting more people testing and can work out the major bugs.

I don't want to make this too long, so if you have any more questions
please look at the webpage and read the docs.

Any comments on the tool are welcome.

Thank you,

-- Craig


<P><A HREF=" http://www.*-*-*.com/ ;>HostSentry 0.02
Alpha</A> - UNIX login anomaly detector (commercial product).  (26-Mar-99)

----------- comp.lang.python.announce (moderated) ----------

Python Language Home Page:   http://www.*-*-*.com/
Python Quick Help Index:     http://www.*-*-*.com/

Sun, 30 Sep 2001 03:00:00 GMT  
 [ 1 post ] 

 Relevant Pages 

1. strongForth 0.02 available

2. ANNOUNCE: SCons 0.02 now available

3. The M2 Python Crypto Toolkit 0.02

4. MUES 0.02

5. ANNOUNCE: SCons 0.02 now available

6. M2Crypto 0.02 - now does SSL

7. ANN: yawPyCrypto 0.02

8. Tcl_Gtk 0.02

9. tcl_gtk: Re: Tcl_Gtk 0.02

10. Backup and security tools or libs needed

11. Need testers for security tool written in Python.

12. Cool security tool released:


Powered by phpBB® Forum Software