Monitoring your system is an essential part of security. It helps you discover what attacks are being launched against your system so that you can concentrate on plugging popular holes. Monitoring also lets you know when someone has successfully penetrated your defenses.
Some basic Linux commands can help you learn what constitutes normal activity on your system so that you know when things are out of the ordinary:
• Use the who command to find out who is logged in and what they're doing.
• Use the last command to find out when people normally log in.
• Use the log files, such as /var/log/secure, to monitor access to network services and to monitor failed login attempts.
• Use ps to find out what processes are normally running.
• Develop a feel for your system. Intruders often change that feel.
Use these commands to establish a feel for normal operation. Do not expect these commands to catch an intruder in the act. Be aware that if your system is broken into, all of these commands will probably be replaced with altered versions designed to hide illicit activity, and the log file will probably be stripped of incriminating information.
Was this article helpful?