[ale] Monitoring Ubuntu Servers

Omar Chanouha ofosho at gatech.edu
Mon May 16 14:49:43 EDT 2011


Thanks to everyone for the suggestions. I will look into all of them.
If you do have that meeting sometime soon, is there a way to get the
notes or a video of it? Won't be in ATL for a while.

Thanks,

-O

P.S.

> but you've probably already blocked all but
> key-based logins anyway, right?

Yes.

On Sat, May 14, 2011 at 11:35 AM, JD <jdp at algoloma.com> wrote:
>
>>>>     I have 2 ubuntu servers that I maintain at work. I would like some
>>>> way to be able to monitor them in order to detect intruders.
>>>> Specifically things like CPU usage, RAM usage, HD usage, currently
>>>> logged in users, running processes and IP connections. There seems to
>>>> be a lot of options out there, but I am wondering what the people on
>>>> this list use/would recommend because I know many on this list are
>>>> seasoned sys admins. Command line tools are just as welcome as GUI
>>>> apps, as long as they get the job done.
>
> As I re-read this, it is clear that you don't really want a system
> monitoring solution alone. You want to lock down the box and possibly
> deploy an IDS/IPS too.
>
> I know I could use some advice on more efficient ways to protect
> servers and services from
> - script attacks
> - IP based attacks
> - buffer overflow attempts
> - attempts to access "privileged" apps (phpadmin/webmin, etc.)
> - failed authentications and attacks
>
> If everything on the machine is open to the world, first I enable
> IPtables and start closing all the connections you can.  There are lots
> of firewall builders and does the machine ever need to initiate ssh
> outside your subnet? Block it.
>
> The specific services running on the boxes would help anyone suggest
> protective techniques.  For example, fail2ban will watch lots of
> connections for authentication failures and block IPs dynamically. It is
> great for ssh connections - but you've probably already blocked all but
> key-based logins anyway, right?
>
> TCP wrappers is built in for most common services, so you can set up the
> /etc/hosts.allow and /etc/hosts.deny as needed to limit internal access
> by subnet.
>
> For web traffic, reverse proxies can block undesired attempts at all
> sorts of attacks.  Lock down the web server to only accept traffic from
> the proxy/load balancer.   There are apache modules to look for
> attackers and deal with them too.  If you have a DB running, lock down
> the network-based access or disable it if you can.
>
> Perhaps this would be a good topic for an ALE meeting - a short
> presentation on securing a box, followed by a round table discussion,
> followed with exact techniques and config files that we've all deployed.
>
> Can someone comment on IDS/IPS solutions under Linux?
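The fail2ban behaviour JD describes above (watch sshd for authentication failures, count them per source IP, block the offenders) as an added POSIX shell example; this is not code from the thread or from fail2ban itself, and the auth.log lines, hostnames, usernames and the maxretry threshold are all constructed for the demo (the addresses are RFC 5737 documentation ranges).

```shell
#!/bin/sh
# Added example, not from the thread: the core of fail2ban's sshd jail
# (filter + maxretry) written out as plain shell so the logic is visible.
# The log lines below are constructed; the IPs are documentation ranges.

SAMPLE_AUTH_LOG='May 16 14:01:02 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
May 16 14:01:05 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
May 16 14:01:09 web1 sshd[2103]: Failed password for root from 203.0.113.7 port 51240 ssh2
May 16 14:01:11 web1 sshd[2105]: Accepted publickey for omar from 198.51.100.4 port 40022 ssh2
May 16 14:01:15 web1 sshd[2107]: Failed password for root from 203.0.113.7 port 51244 ssh2
May 16 14:01:20 web1 sshd[2109]: Failed password for invalid user test from 198.51.100.9 port 43000 ssh2
May 16 14:01:22 web1 sshd[2110]: Failed password for root from 203.0.113.7 port 51250 ssh2'

# ban_candidates MAXRETRY  (reads auth.log lines on stdin)
# Prints, one per line and sorted, every source IP that produced at least
# MAXRETRY "Failed password" lines. Successful logins are ignored, which is
# why the key-based "Accepted publickey" line never counts against 198.51.100.4.
ban_candidates() {
    maxretry="$1"
    grep 'sshd\[[0-9]*\]: Failed password' \
      | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
      | sort | uniq -c \
      | awk -v max="$maxretry" '$1 >= max { print $2 }' \
      | sort
}

# ban_rule IP: the iptables rule fail2ban's default action would insert
# for a banned address (returned as text here, not executed).
ban_rule() {
    printf 'iptables -I INPUT -s %s -p tcp --dport 22 -j DROP\n' "$1"
}

# Stand-alone run: show what would be banned with maxretry=3.
printf '%s\n' "$SAMPLE_AUTH_LOG" | ban_candidates 3 | while read -r ip; do
    ban_rule "$ip"
done
```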
