Chapter 6. Logging Reconnoiters

At times, you need to pay extra attention to who is connecting to your servers. For example, a series of attacks may have recently taken place, which you want to keep a close eye on, or you might just be super paranoid in general, thanks to the sensitivity of your data or the critical nature of your service.

One relatively unsophisticated approach to monitoring machines that are reconnoitring your servers is to log the IP addresses that run pings and traceroutes against them. You may think that the information you glean this way isn't going to be of much use, but it can actually be really important in building a picture of who connects to your servers, how often, and when. Much like studying Closed Circuit Television (CCTV) footage of people visiting an office, after a while you get to know who stands out as unusual or who might not be expected on a given day. Log files are fantastic because you can forget about them and then return to them for analysis months later.

If you need to keep a vigilant eye on your servers, for whatever reason, then monitoring your system properly depends, in my opinion, on two things. First, you need a reliable daemon running in the background, listening like a sentry; it must be reliable so that it doesn't introduce a race condition and cause your server to fail. Second, you need minimal logging, so that you can go back to your log file in a year's time and still find the necessary information ...
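As an added illustration (not code from the book), here is a small Python script that builds the "who, how often, and when" picture the chapter describes from kernel log lines. It assumes the pings and traceroutes were recorded with iptables LOG rules carrying a "RECON:" prefix; the log lines and addresses are constructed samples, and the year is supplied separately because syslog timestamps omit it.

```python
import re
from datetime import datetime

# Constructed sample lines in the style of iptables LOG output (not from the book).
SAMPLE_LOG = """\
Jun 12 10:15:01 web1 kernel: RECON: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=84 TTL=54 PROTO=ICMP TYPE=8 CODE=0
Jun 12 10:15:02 web1 kernel: RECON: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=84 TTL=54 PROTO=ICMP TYPE=8 CODE=0
Jun 12 10:20:45 web1 kernel: RECON: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=1 PROTO=UDP SPT=41512 DPT=33434
Jun 12 10:20:46 web1 kernel: RECON: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=2 PROTO=UDP SPT=41513 DPT=33435
Jun 12 10:21:00 web1 kernel: RECON: IN=eth0 OUT= SRC=192.0.2.99 DST=192.0.2.10 LEN=52 TTL=63 PROTO=TCP SPT=51000 DPT=443
Jun 13 02:03:04 web1 kernel: RECON: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=84 TTL=54 PROTO=ICMP TYPE=8 CODE=0
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")          # KEY=value pairs as written by the LOG target
TRACEROUTE_PORTS = range(33434, 33535)          # classic UDP traceroute destination ports


def parse_fields(line):
    """Turn the KEY=value part of an iptables LOG line into a dict."""
    return dict(FIELD_RE.findall(line))


def classify(fields):
    """Return 'ping', 'traceroute' or None for one parsed log line."""
    proto = fields.get("PROTO")
    if proto == "ICMP" and fields.get("TYPE") == "8":        # ICMP echo request
        return "ping"
    dpt = fields.get("DPT", "")
    if proto == "UDP" and dpt.isdigit() and int(dpt) in TRACEROUTE_PORTS:
        return "traceroute"
    return None                                              # anything else is ignored here


def summarize(log_text, year=2016):
    """Per source IP: hit count, kinds of probe seen, first and last timestamp."""
    summary = {}
    for line in log_text.splitlines():
        fields = parse_fields(line)
        kind = classify(fields)
        if kind is None or "SRC" not in fields:
            continue
        when = datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=year)
        entry = summary.setdefault(fields["SRC"], {"count": 0, "kinds": set(), "first": when, "last": when})
        entry["count"] += 1
        entry["kinds"].add(kind)
        entry["first"] = min(entry["first"], when)
        entry["last"] = max(entry["last"], when)
    return summary


if __name__ == "__main__":
    for src, e in sorted(summarize(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["count"]):
        print(f"{src:16} {e['count']:3d} {','.join(sorted(e['kinds'])):12} {e['first']:%b %d %H:%M} .. {e['last']:%b %d %H:%M}")
```

Run against a real log, the same summary lets you spot a source that reappears day after day, which is exactly the kind of pattern the chapter has in mind.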
