11 steps to teach you how to keep your server safe

This article introduces a new tool called Monit and two commonly used services, Pushover and Slack.

Recent research from Gartner (an IT company engaged in information technology research and analysis) gives us the whole picture of APM (Application Management System); at the same time, people have in recent years gradually come to realize the importance of keeping APM systems secure. This brings to mind the efficient APM products provided by AppDynamics, an enterprise application management service provider.

This year, the information security company Inversoft published a series of security articles, collectively referred to as the "2016 User Data Security Guidelines". This article is the 10th in that series and covers the server security part of the guide.

Users rarely log in to most web servers, but when one does, you as the administrator should be notified immediately. There are many ways to do this. Here we introduce a message push tool called Monit to help server administrators achieve this goal. Monit can watch system log files for messages containing specific text and send alerts based on those messages.

The first step is to install Monit. In a root shell on the system, execute the following command:

After the installation is complete, create a configuration file that monitors SSH logins. Put the configuration below in the file /etc/monit/conf.d/ssh-logins:

check file ssh_logins with path /var/log/auth.log
  if match "Accepted keyboard-interactive/pam" then alert

This configuration tells Monit to watch the file /var/log/auth.log at all times; as soon as Monit detects a line containing the words "Accepted keyboard-interactive/pam", it raises an alert. Once you have completed the two steps above, SSH logins will add log records matching this configuration to the file. If you have not enabled two-factor authentication, or only use key authentication, the configuration must be changed to match the string "Accepted publickey" instead.

You can also exempt whitelisted IP addresses from matching by creating the file /etc/monit/whitelist_ips.regex. This file contains a separate line for each IP address on the whitelist.
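To check a match string and a whitelist before relying on them, the rule described above can be replayed offline. This Python script is an added example, not code from the original article or from Monit: the log lines are constructed, the function names are hypothetical, and it assumes whitelist regexes are tested before the match string, with Python's `re` standing in for Monit's regex engine.

```python
import re

# Constructed sample lines in sshd's auth.log format (not taken from a real host).
SAMPLE_AUTH_LOG = """\
Aug  8 10:01:12 web1 sshd[2211]: Accepted keyboard-interactive/pam for deploy from 203.0.113.7 port 50122 ssh2
Aug  8 10:02:40 web1 sshd[2230]: Failed password for invalid user admin from 198.51.100.23 port 41022 ssh2
Aug  8 10:05:03 web1 sshd[2301]: Accepted publickey for root from 192.0.2.10 port 60110 ssh2
Aug  8 10:09:47 web1 sshd[2350]: Accepted publickey for deploy from 192.0.2.100 port 51515 ssh2
"""

# Fields of a successful-login line; used only to summarise each alert.
LOGIN_RE = re.compile(r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")


def load_patterns(text):
    """Compile one regex per non-empty line, the layout of whitelist_ips.regex."""
    return [re.compile(line.strip()) for line in text.splitlines() if line.strip()]


def logins_to_alert(log_text, match, whitelist_text=""):
    """Return (user, ip, method) for lines containing `match` that no whitelist regex hits."""
    ignore = load_patterns(whitelist_text)
    wanted = re.compile(match)
    alerts = []
    for line in log_text.splitlines():
        if any(p.search(line) for p in ignore):
            continue  # whitelisted line: never reaches the match test
        if not wanted.search(line):
            continue
        m = LOGIN_RE.search(line)
        if m:
            alerts.append((m["user"], m["ip"], m["method"]))
    return alerts


# Anchored entry: suppresses exactly one source address.
STRICT_WHITELIST = r"from 192\.0\.2\.10 port"
# Loose entry: unescaped dots and no anchoring also cover 192.0.2.100.
LOOSE_WHITELIST = "192.0.2.10"

if __name__ == "__main__":
    for name, wl in (("strict", STRICT_WHITELIST), ("loose", LOOSE_WHITELIST)):
        print(name, logins_to_alert(SAMPLE_AUTH_LOG, "Accepted publickey", wl))
```

With the loose entry, the login from 192.0.2.100 produces no alert, so each whitelist line should escape its dots and be bounded by the surrounding log text.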

Editing the /etc/monit/monitrc file is the last step in the configuration process. Add settings to this file so that Monit can send alert emails to the administrator. They will vary depending on the SMTP email server you are using, the authentication method that server requires, and your email address. In the example below, I am using my own email address and the email server provided by Sendgrid.

The second line tells Monit to notify me by email as soon as any alert is raised, while ignoring alerts triggered by my own actions. If you also use Monit for tasks such as system monitoring and system restarts, this setting will greatly reduce the amount of spam you receive.

You will want to hear from Monit as soon as possible. By default, Monit checks every 2 minutes. If you think this period is too long, you can change the check period to 5 seconds. The setting is the first line of the /etc/monit/monitrc file, as follows:


Origin blog.csdn.net/Arvin_FH/article/details/132166992