NoNox 1.17 review
DownloadNoNox watches log files for events such as "failed password". When such a pattern is seen several times within a specified time peri
|
|
NoNox watches log files for events such as "failed password".
When such a pattern is seen several times within a specified time period (for example, 4 failed login attempts within 10 minutes) from the same source, NoNox can execute a command to mitigate the behavior, notify someone, or make a record of the event (or all these things).
The patterns, time limits, files to monitor, and commands that can be triggered are all user-specified, so NoNox can be used to detect many kinds of events and to respond in a variety of ways.
I use NoNox to monitor for password-scanning attacks, and to block attacking hosts at the firewall in real-time.
Risks of using NoNox
NoNox must run as a user with sufficient rights to read the files that it monitors, and to execute the triggered commands. This may introduce new vulnerabilities that are unacceptable for some systems.
NoNox could be compromised via exploitation of a bug in the program, through an outside stimulus that causes the program to respond in an unexpected fashion, or through compromise of the NoNox configuration file that causes NoNox to execute commands not intended by the operator.
Risks of using any real-time automated intrusion detection+response system Detection and responses to possible attacks must be carefully thought out when configuring any software that attempts to stop attacks in real time by changing a running system.
Denial of service attacks could be facilitated, allowing an outsider to lock out a legitimate user through carefully crafted, forged messages.
If the protective software can disable access to a host, and the configuration file's pattern matching is overbroad, or if the triggered commands carry out overbroad actions (e.g. locking out an account) it's possible that configuration errors could lock out legitimate users or otherwise interfere with a properly-running server.
Requirements:
Java 1.4 or later
NoNox 1.17 keywords