[ale] Monitoring Ubuntu Servers

arxaaron arxaaron at gmail.com
Mon May 16 16:33:21 EDT 2011


On 2011/05/16, at 14:49 , Omar Chanouha wrote:

> Thanks to everyone for the suggestions. I will look into all of them.
> If you do have that meeting sometime soon, is there a way to get the
> notes or a video of it? Won't be in ATL for a while.
>
> Thanks,

[OT]
The above suggests that someone offered a presentation
on the topic of  system / server monitoring.  If so, please
contact me directly and I'll see if we can't get this booked.
[/OT]

peace
aaron




> -O
>
> P.S.
>
>> but you've probably already blocked all but
>> key-based logins anyway, right?
>
> Yes.
>
> On Sat, May 14, 2011 at 11:35 AM, JD <jdp at algoloma.com> wrote:
>>
>>>>>     I have 2 ubuntu servers that I maintain at work. I would  
>>>>> like some
>>>>> way to be able to monitor them in order to detect intruders.
>>>>> Specifically things like CPU usage, RAM usage, HD usage, currently
>>>>> logged in users, running processes and IP connections. There  
>>>>> seems to
>>>>> be a lot of options out there, but I am wondering what the  
>>>>> people on
>>>>> this list use/would recommend because I know many on this list are
>>>>> seasoned sys admins. Command line tools are just as welcome as GUI
>>>>> apps, as long as they get the job done.
>>
>> As I re-read this, it is clear that you don't really want a system
>> monitoring solution alone. You want to lock down the box and possibly
>> deploy an IDS/IPS too.
>>
>> I know I could use some advice on more efficient ways to protect
>> servers and services from
>> - script attacks
>> - IP based attacks
>> - buffer overflow attempts
>> - attempts to access "privileged" apps (phpadmin/webmin, etc.
>> - failed authentications and attacks
>>
>> If everything on the machine is open to the world, first I enable
>> IPtables and start closing all the connections you can.  There are  
>> lots
>> of firewall builders and does the machine ever need to initiate ssh
>> outside your subnet? Block it.
>>
>> The specific services running on the boxes would help anyone suggest
>> protective techniques.  For example, fail2ban will watch lots of
>> connections for authentication failures and block IPs dynamically.  
>> It is
>> great for ssh connections - but you've probably already blocked all  
>> but
>> key-based logins anyway, right?
>>
>> TCP wrappers is built in for most common services, to you can setup  
>> the
>> /etc/hosts.allow and /etc/hosts.deny as needed to limit internal  
>> access
>> by subnet.
>>
>> For web traffic, reverse proxies can block undesired attempts at all
>> sorts of attacks.  Lock down the web server to only accept traffic  
>> from
>> the proxy/load balancer.   There are apache modules to look for
>> attackers and deal with them too.  If you have a DB running, lock  
>> down
>> the network-based access or disable it if you can.
>>
>> Perhaps this would be a good topic for an ALE meeting - a short
>> presentation on securing a box, followed by a round table discussion,
>> followed with exact techniques and config files that we've all  
>> deployed.
>>
>> Can someone comment on IDS/IPS solutions under Linux?
>> _______________________________________________
>> Ale mailing list
>> Ale at ale.org
>> http://mail.ale.org/mailman/listinfo/ale
>> See JOBS, ANNOUNCE and SCHOOLS lists at
>> http://mail.ale.org/mailman/listinfo
>>
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo



More information about the Ale mailing list