Sounds like nobody saw the tutorial I wrote on centreon a while back
Link?
I use centreon to monitor open ports, file systems, CPU, load, memory, ttys with a shell, uptime, interface traffic, and the booted kernel version.
And for central syslog collection… I use rsyslog service on centos/rhel
I'm not sure how Jenkins does that, but the YAML is nice as it's in git. And you can put shell scripts into git as well and call them from a shell runner in that YAML, or you use a Docker image in the Docker runner that has a shell. Or you use a Windows Docker image and you can run ps1. You can use a different image for every stage. You can build custom Docker images for your project's CI to speed up builds, installing the stuff you need into the image beforehand instead of when the pipeline runs.
I have not used any other runner, other than docker and shell, but there is a bunch of them.
If you have a 200 line deployment script I don't think you should think about putting that into the yml (or you'll have a very long yml very soon). You just add a line that then runs your shell script, in the deploy stage.
I thought I'd follow this up with a first, small, success story. After having set up my ELK Stack and throwing in two web servers I'm currently deploying, I checked my Kibana today, and what do you know:
An unknown IP started trying to access one of the servers last night. Every 30 minutes an SSH connection is attempted with changing usernames.
No major problem, as SSH is configured to accept keys only, and only for two existing users. This shows though, that a non-standard SSH port isn't helping at all. This is not on port 22. Interesting nonetheless, as this would be traffic I would never see in our regular monitoring or without looking into logs manually (which, let's face it, you don't do for 50 servers daily).
I'm now blocking that IP on our firewall and feel good that the system is capable of registering one of my major concerns. I'm now also looking into geoblocking.
Finally, my company decided that we'll probably go with Nagios Log Server. It's also using ES in the backend, but makes the whole thing configurable by our Windows admins and offers out of the box notifications. I'm pretty sure I can tap into that with Kibana if I really want to, or with Grafana.
What port are you using? Lots of people look for common ones like 2200, 2222, 222, etc… Just don't use ssh on a non-standard port and use firewall+fail2ban to weed out the assholes. (Also block regions you know you or other admins won't be connecting from. You don't need to allow Africa on your server. You probably don't need to allow India or Russia or China either.)
Good decision. If you can afford the licensing, it’s definitely worth it.
Not possible on a firewall level at least. We host managed Exchange for around 200 companies. Blocking by region would mean that our OWA wouldn't be accessible there (Sophos only allows country blocking globally on or off).
If there are particularly annoying addresses, I'll block them separately. But we'll see how the actual traffic looks, once all servers are in that system.
SSH ports vary. Some are standard, some use 10022, or similar, and some use completely random ports. I'm in the process of making this better, but it takes time.
Just use 22 and fail2ban.
Better to catch em.
Ok, I'm listening to you. I've never worked with fail2ban so far.
I've set this up on the machine in question. How would I configure it to catch a behavior like the one I'm seeing?
I've set the bantime to 2 hours. Since the "attacker" is retrying every 30 odd minutes, I've set a findtime of 2 hours and maxretry to 3.
Would this work as intended, or would you recommend a different configuration?
For reference, the jail.local:
[DEFAULT]
# Ban hosts for two hours:
bantime = 7200
findtime = 7200
maxretry = 3
# Override /etc/fail2ban/jail.d/00-firewalld.conf:
banaction = iptables-multiport
[sshd]
enabled = true
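To check whether the findtime/maxretry values in that jail.local actually catch a slow, every-30-minutes pattern, here is an added Python sketch of fail2ban's sliding-window counting run over constructed sshd log lines (example code written for this thread, not from fail2ban itself; the hostnames, IPs, usernames and the year are made up, and the regex is a simplified stand-in for the real sshd filter).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sshd lines using RFC 5737 test addresses; not from the thread.
SAMPLE_LOG = """\
Mar  3 01:02:11 web01 sshd[2101]: Invalid user admin from 203.0.113.7 port 51122
Mar  3 01:10:00 web01 sshd[2110]: Failed password for invalid user bob from 198.51.100.9 port 40001 ssh2
Mar  3 01:32:40 web01 sshd[2144]: Invalid user git from 203.0.113.7 port 51170
Mar  3 02:03:05 web01 sshd[2190]: Invalid user oracle from 203.0.113.7 port 51201
Mar  3 02:33:30 web01 sshd[2230]: Invalid user test from 203.0.113.7 port 51233
"""

# Simplified stand-in for fail2ban's sshd filter: the two most common failure lines.
FAIL_RE = re.compile(r"(?:Invalid user \S+|Failed password for .+?) from (\d+\.\d+\.\d+\.\d+)")

def parse_ts(line, year):
    # syslog timestamps carry no year; the caller supplies one (assumed 2024 below)
    return datetime.strptime(" ".join(line.split()[:3]) + f" {year}", "%b %d %H:%M:%S %Y")

def simulate_bans(log_text, findtime=7200, maxretry=3, bantime=7200, ignoreip=(), year=2024):
    """Return [(ip, ban_time)] using fail2ban's rule: maxretry failures within findtime."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    banned_until = {}
    bans = []
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if not m:
            continue
        ip, ts = m.group(1), parse_ts(line, year)
        if ip in ignoreip:          # ignoreip = your own ranges, so you cannot lock yourself out
            continue
        if ts < banned_until.get(ip, ts):
            continue                # a banned host is dropped by iptables before sshd logs it
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()             # slide the window: drop failures older than findtime
        if len(q) >= maxretry:
            bans.append((ip, ts))
            banned_until[ip] = ts + timedelta(seconds=bantime)
            q.clear()
    return bans

if __name__ == "__main__":
    for ip, when in simulate_bans(SAMPLE_LOG):
        print(f"ban {ip} at {when:%H:%M:%S}")          # ban 203.0.113.7 at 02:03:05
    print(simulate_bans(SAMPLE_LOG, findtime=600))   # []  (fail2ban's default 10 min window misses it)
```

With findtime=7200 the third attempt at 02:03 lands inside the window and triggers the ban; with the default 10 minute findtime the same host is never banned, which is the whole point of stretching findtime for a slow attacker.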
What about Zabbix?
It's open source, free to use, and you basically only pay if you need a service agreement.
Yeah, that should work. Be sure to add exception IP ranges so you don't ban yourself if you accidentally use the wrong keys.
Awesome update OP. Maybe sad to admit this, but some of the better entertainment I get at home is looking over logs of services at home. Maybe I'll graduate to legit honeypots someday. One time my raspi webserver joined a botnet; Splunk + homemonitor was instrumental in finding that out. Fun times. The pi had fail2ban installed plus was behind a pfsense firewall with IPS. It was a weird WordPress plugin ping amplification type attack and a great learning experience about due diligence but the ever-present zero-day threat. It's a large part of why I subscribe to the security ethos that it's not a matter of if but when, and I focus heavily on effective SIEM development: 'the best disinfectant is sunlight'.