Educause Security Discussion mailing list archives

Re: Tracking use of your central credentials


From: Bob Bayn <bob.bayn () USU EDU>
Date: Thu, 20 Nov 2008 17:44:40 -0700

Thanks, Mike.  I used to do that sort of thing with our old credential system that served our email system and things 
like the proxy and vpn servers.  But now all the logs are distributed and under the control of various sysadmins.  I'm 
looking for support for a way to get those logs pooled again with a query tool that the security team will have access 
to.

But, thanks for the example of someone who is able to do some of this.

Bob Bayn     (435)797-2396     Security Team coordinator
"IT will NEVER ask for your password via email, honest!"
Office of Information Technology at Utah State University
________________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mike Iglesias 
[iglesias () UCI EDU]
Sent: Thursday, November 20, 2008 4:55 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Tracking use of your central credentials

Bob Bayn wrote:
We'd like to be able to tell which credentials are being used to log in from China so we can check with those users to 
see if they ARE in China.

If you can parse your logs with perl, you can use the Geo::IP::PurePerl module
(available from CPAN) to get the two character country code for the IP used,
and then generate your reports based on that.  For example, we use that module
to generate reports for users of our VPN service so they can tell if their
ID/password is being misused from outside the US.  You do have to keep a
database up to date but it's only updated once a month at the source so it's
not that hard.  Just download the new file and replace the old one with it.


--
Mike Iglesias                          Email:       iglesias () uci edu
University of California, Irvine       phone:       949-824-6926
Network & Academic Computing Services  FAX:         949-824-2270
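
The report described in this thread, sketched as an added example (not code from either poster). It is written in Python rather than Perl, and a small constructed prefix table stands in for the Geo::IP::PurePerl country lookup; the pooled log format, user names and addresses are likewise constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed stand-in for the GeoIP country database: documentation
# prefixes mapped to country codes purely for illustration.
GEO_TABLE = [
    (ipaddress.ip_network("192.0.2.0/24"), "US"),
    (ipaddress.ip_network("198.51.100.0/24"), "CN"),
    (ipaddress.ip_network("203.0.113.0/24"), "DE"),
]

# Constructed pooled log: "<timestamp> <service> login user=<id> ip=<addr>"
SAMPLE_LOG = """\
2008-11-20T08:01:12 vpn login user=alice ip=192.0.2.10
2008-11-20T08:05:40 proxy login user=bob ip=198.51.100.7
2008-11-20T09:15:02 mail login user=alice ip=198.51.100.99
2008-11-20T09:20:31 vpn login user=carol ip=203.0.113.5
2008-11-20T09:21:00 vpn login user=dave ip=10.1.2.3
2008-11-20T09:22:00 mail login user=erin ip=not-an-ip
garbage line that should be skipped
"""
LINE_RE = re.compile(r"^(\S+) (\S+) login user=(\S+) ip=(\S+)$")

def country_code(addr):
    """Return the two-letter country code for addr, or None if unknown."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None  # malformed address in the log
    return next((cc for net, cc in GEO_TABLE if ip in net), None)

def foreign_logins(log_text, home="US"):
    """Map user -> {country: [(timestamp, service, ip), ...]} for non-home logins."""
    report = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a login record
        ts, service, user, addr = m.groups()
        # Unresolvable addresses are reported as "??" instead of being dropped.
        cc = country_code(addr) or "??"
        if cc != home:
            report[user][cc].append((ts, service, addr))
    return {user: dict(by_cc) for user, by_cc in report.items()}

def users_seen_in(log_text, country):
    # home=None keeps every login, so this lists all users seen in `country`.
    return sorted(u for u, by_cc in foreign_logins(log_text, home=None).items()
                  if country in by_cc)
```

Calling users_seen_in(SAMPLE_LOG, "CN") gives the list of accounts to follow up with, and foreign_logins(SAMPLE_LOG) shows which service each out-of-country login came through.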
