[ale] Monitoring Ubuntu Servers

JD jdp at algoloma.com
Sat May 14 11:35:15 EDT 2011

>>>     I have 2 ubuntu servers that I maintain at work. I would like some
>>> way to be able to monitor them in order to detect intruders.
>>> Specifically things like CPU usage, RAM usage, HD usage, currently
>>> logged in users, running processes and IP connections. There seems to
>>> be a lot of options out there, but I am wondering what the people on
>>> this list use/would recommend because I know many on this list are
>>> seasoned sys admins. Command line tools are just as welcome as GUI
>>> apps, as long as they get the job done.

As I re-read this, it is clear that you don't really want a system
monitoring solution alone. You want to lock down the box and possibly
deploy an IDS/IPS too.

I know I could use some advice on more efficient ways to protect
servers and services from
- script attacks
- IP based attacks
- buffer overflow attempts
- attempts to access "privileged" apps (phpadmin/webmin, etc.)
- failed authentications and attacks

If everything on the machine is open to the world, first I'd enable
iptables and start closing all the connections you can.  There are lots
of firewall builders.  Does the machine ever need to initiate ssh
outside your subnet?  If not, block it.

The specific services running on the boxes would help anyone suggest
protective techniques.  For example, fail2ban will watch lots of
connections for authentication failures and block IPs dynamically. It is
great for ssh connections - but you've probably already blocked all but
key-based logins anyway, right?

TCP wrappers is built into most common services, so you can set up
/etc/hosts.allow and /etc/hosts.deny as needed to limit internal access
by subnet.

For web traffic, reverse proxies can block undesired attempts at all
sorts of attacks.  Lock down the web server to only accept traffic from
the proxy/load balancer.  There are Apache modules to look for
attackers and deal with them too.  If you have a DB running, lock down
the network-based access or disable it if you can.

Perhaps this would be a good topic for an ALE meeting - a short
presentation on securing a box, followed by a round table discussion,
followed by exact techniques and config files that we've all deployed.

Can someone comment on IDS/IPS solutions under Linux?
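The dynamic IP blocking JD describes for fail2ban, shown as an added worked example that is not part of the original message and is not fail2ban's own code. It reads syslog-style sshd lines, counts password failures per source address inside a sliding time window, skips addresses on an ignore list (the same "limit by subnet" idea as hosts.allow), and renders each ban as the iptables rule it would translate to. The log lines are constructed, not captured from a real host; the thresholds (3 failures in 600 seconds), the hostname web1 and the internal subnet 192.0.2.0/24 are assumptions of the example.

```python
"""Sliding-window brute-force detector in the spirit of a fail2ban sshd jail.

Added illustration for the thread; not fail2ban's code.  Commands are
returned as strings for review and are never executed.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, NamedTuple, Optional, Tuple

# Matches the failure lines sshd writes to /var/log/auth.log.  Syslog
# timestamps carry no year, so all lines are assumed to be from one year.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


class Ban(NamedTuple):
    ip: str
    at: datetime      # time of the failure that crossed the threshold
    failures: int     # failures inside the window at that moment


def parse_failure(line: str) -> Optional[Tuple[datetime, str]]:
    """Return (timestamp, source ip) for a failed-password line, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return ts, m.group("ip")


def find_bans(lines, maxretry=3, findtime=600,
              ignore=("192.0.2.0/24",)) -> List[Ban]:
    """Ban an address after `maxretry` failures within `findtime` seconds.

    `ignore` lists networks that are never banned (like fail2ban's
    ignoreip); 192.0.2.0/24 is an assumed internal subnet for the example.
    """
    window = timedelta(seconds=findtime)
    ignored = [ipaddress.ip_network(n) for n in ignore]
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    banned: Dict[str, Ban] = {}

    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue                 # accepted logins, other daemons, etc.
        ts, ip = parsed
        if ip in banned:
            continue                 # already blocked; nothing more to do
        if any(ipaddress.ip_address(ip) in net for net in ignored):
            continue                 # own subnet: never lock yourself out
        dq = recent[ip]
        dq.append(ts)
        while dq and dq[0] < ts - window:
            dq.popleft()             # failures that aged out of the window
        if len(dq) >= maxretry:
            banned[ip] = Ban(ip, ts, len(dq))
    return list(banned.values())


def iptables_commands(bans: List[Ban]) -> List[str]:
    """Render each ban as a host-firewall rule string (not executed)."""
    return [f"iptables -I INPUT -s {b.ip} -j DROP" for b in bans]


# Constructed sample log, not captured from a real server.  203.0.113.7
# trips the threshold quickly; 192.0.2.10 fails three times but is on the
# ignore list; 198.51.100.4 shows the window ageing out and refilling.
SAMPLE_LOG = """\
May 14 11:30:01 web1 sshd[2001]: Failed password for root from 203.0.113.7 port 51122 ssh2
May 14 11:30:03 web1 sshd[2003]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
May 14 11:30:05 web1 sshd[2005]: Failed password for root from 203.0.113.7 port 51140 ssh2
May 14 11:30:09 web1 sshd[2007]: Accepted publickey for jd from 192.0.2.10 port 40000 ssh2
May 14 11:31:10 web1 sshd[2009]: Failed password for jd from 192.0.2.10 port 40010 ssh2
May 14 11:31:12 web1 sshd[2011]: Failed password for jd from 192.0.2.10 port 40012 ssh2
May 14 11:31:14 web1 sshd[2013]: Failed password for jd from 192.0.2.10 port 40014 ssh2
May 14 11:45:00 web1 sshd[2015]: Failed password for root from 198.51.100.4 port 33000 ssh2
May 14 11:46:00 web1 sshd[2017]: Failed password for root from 198.51.100.4 port 33010 ssh2
May 14 12:00:00 web1 sshd[2019]: Failed password for root from 198.51.100.4 port 33020 ssh2
May 14 12:01:00 web1 sshd[2021]: Failed password for root from 198.51.100.4 port 33030 ssh2
May 14 12:02:00 web1 sshd[2023]: Failed password for root from 198.51.100.4 port 33040 ssh2
May 14 12:03:00 web1 sshd[2025]: Failed password for root from 198.51.100.4 port 33050 ssh2
"""

if __name__ == "__main__":
    bans = find_bans(SAMPLE_LOG.splitlines())
    for b in bans:
        print(f"{b.at:%b %d %H:%M:%S}  ban {b.ip} after {b.failures} failures")
    for cmd in iptables_commands(bans):
        print(cmd)
```

With the sample above, 203.0.113.7 is banned at 11:30:05 and 198.51.100.4 only at 12:02:00, because its 11:45 and 11:46 failures have aged out of the 600-second window by 12:00. A real deployment adds what this omits: a dedicated chain rather than inserting into INPUT directly, and a bantime after which the rule is removed again.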
