On 1/20/06, Mike Miller <mbmiller at taxa.epi.umn.edu> wrote:
> A friend has a Linux machine with many users. Suppose one or more users
> is doing inappropriate things with the box like sending ping floods or
> scanning networks. He would want to know about it. Is there any software
> that is designed specifically to monitor for this kind of stuff and report
> when it sees something unusual? A program like netstat can detect all
> sorts of network activity, but it would have to be called at intervals and
> its output would have to be parsed and analyzed by some other programs.

First off - a little rant. If your friend can't trust his shell users, they have no right to be on that box. If he has *any* question whatsoever about their usage of the box, they should either be denied shell access until the details get sorted out or use a very limited shell. He could possibly think about using PKI auth with a limited command set. There are countless guides on the internet on this subject.

I haven't had specific experience with Intrusion Detection Systems, but it seems like this would be the perfect application for one. Snort comes to mind. They're specifically designed to scan for and detect this sort of behavior, though I don't think they have the ability to tell which user kicked off a portscan/ping flood/whatever.

-Erik