Analyzing server logs is absolutely critical for monitoring the health of your servers. Until you have a robust logging and monitoring solution in place, you'll want to tail them in real time. Let's get to it.
# tail the machine's syslog in the foreground sudo tail -f /var/log/syslog # you can also open up other panes in your terminal # to monitor the authlog sudo tail -f /var/log/authlog # or even server logs sudo tail -f /var/log/nginx/exampledomain.com
Now let's talk about the contents of your syslog. If your server is exposed to the internet, you're going probably going to see a growing list of authentication failure entries:
Nov 17 14:25:56 hostname sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.x user=root
This is a result of brute force attacks from bots trying to log in as the root user. Let's take some steps to prevent that from happening in the future.
If you only connect to the server from the same IP address, you can firewall off port 22 to everything except your IP address. However, just know that if you're trying to ssh into the server from home and you haven't set up a static IP through your ISP, expect your dynamic IP to change periodically. You'll have no choice by to access the server through the control panel of your hosting provider in order to update the iptables.
iptables -A INPUT -p tcp -d 0/0 -s my.own.ip.address --dport 22 -j ACCEPT iptables -A INPUT -p tcp -d 0/0 --dport 22 -j DROP iptables-save
You're going to want to run sshd on the server on a non-standard port. Here's the list of standard ports. Make sure not to override any of those. You can also firewall off this new port number since you're no longer using port 22. Before changing anything related to sshd, you'll want to make sure you can actually ssh into the machine. Here's a useful guide.
# login as root ssh root@hostname/IP # back up the config cp /etc/ssh/sshd_config /etc/ssh/sshd_config_backup # update the sshd_config sudo nano /etc/ssh/sshd_config
You should see the following contents:
# Package generated configuration file # See the sshd_config(5) manpage for details # What ports, IPs and protocols we listen for Port 22 # Use these options to restrict which interfaces/protocols sshd will bind to #ListenAddress :: #ListenAddress 0.0.0.0 Protocol 2 # HostKeys for protocol version 2 HostKey /etc/ssh/ssh_host_rsa_key HostKey /etc/ssh/ssh_host_dsa_key HostKey /etc/ssh/ssh_host_ecdsa_key HostKey /etc/ssh/ssh_host_ed25519_key #Privilege Separation is turned on for security UsePrivilegeSeparation yes # Lifetime and size of ephemeral version 1 server key KeyRegenerationInterval 3600 ServerKeyBits 1024 # Logging SyslogFacility AUTH LogLevel INFO # Authentication: LoginGraceTime 120 PermitRootLogin without-password StrictModes yes
You'll want to change
Port to a new number and set
PermitRootLogin to "no".
Now restart sshd with
service sshd restart. Now when you ssh into the server, make sure you add the
-p(port) flag and new port number like so:
ssh email@example.com -p 50683. Here are some other useful commands:
# check if the sshd process is running ps aux | grep sshd # check if ssh is running on port 22 netstat -plant | grep :22 # check if the port 22 TCP file is open lsof
And there you have it. That should significantly reduce the number of authentication logs.
- Linux Server Security: Hack and Defend
- Linux Hardening in Hostile Networks: Server Security from TLS to Tor (Pearson Open Source Software Development Series)
- The Official Ubuntu Book
- A Practical Guide to Ubuntu Linux
- The Linux Command Line: A Complete Introduction
- Ubuntu 16.04 LTS Server: Administration and Reference