Basic Server Security – System Monitoring And Intrusion Detection Systems
Welcome back to our series on basic server security. Previously we’ve looked at why you need to secure your server, using a firewall to help secure it, and the importance of using multiple users and access controls. In this article we’ll be looking at system monitoring and intrusion detection.
System Monitoring
System monitoring tools are designed to ease the load of keeping track of what your server is doing. Some, such as top and ps on Linux or Resource Monitor on Windows, show how the server is performing right now, but only while you are logged in and watching. Fortunately there are also tools that monitor your servers remotely and send an alert when a condition you define is met. Nagios and Zabbix let you monitor many servers from one central place, but they take more effort to set up, since custom checks usually need their own scripts. Monit, on the other hand, is a good choice for beginners because its configuration is simple, and besides system resources it can be configured to alert on events such as a system reboot, a user login, or a service restarting.
Proactive Security
For basic administration this is great: when something goes wrong on the server, the monitoring software should alert you so that you can fix it before your users notice. For securing the server the same tools help too, because an alert on user logins may reveal an unauthorized login, for example an account that never normally logs in interactively, or a login from an address you do not recognise. Similarly, alerting on an unusually high number of running processes, or on a process restarting when nobody restarted it, can reveal what an attacker is doing on the server after they have gained access, hopefully before they can do too much damage.
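To make the login alerting described above concrete, here is a small checker that runs over OpenSSH auth-log lines. It is an added example written for this article, not code from the article or from any monitoring product; the allowed accounts, allowed networks, failure threshold and the sample log lines are all constructed assumptions, and the two regexes match the standard OpenSSH syslog messages for accepted and failed logins.

```python
"""Alert on suspicious SSH logins from OpenSSH auth-log lines.

Added example: the policy (ALLOWED_USERS, ALLOWED_NETWORKS, FAILED_THRESHOLD)
and the sample log lines are constructed for illustration.
"""
import ipaddress
import re
from collections import Counter

# Standard OpenSSH syslog messages, e.g.
#   sshd[2210]: Accepted publickey for deploy from 10.0.0.15 port 51234 ssh2
#   sshd[2231]: Failed password for invalid user admin from 203.0.113.9 port 40211 ssh2
ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Assumed site policy (constructed): who may log in, and from which networks.
ALLOWED_USERS = {"deploy", "alice"}
ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/24", "192.168.1.0/24")]
FAILED_THRESHOLD = 5  # failures from one address before we raise an alert


def from_allowed_network(ip):
    """True if ip (IPv4 or IPv6 text) falls inside one of the allowed networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_NETWORKS)


def analyse(lines):
    """Return a list of (severity, message) alerts for the given log lines."""
    alerts = []
    failures = Counter()
    for line in lines:
        m = ACCEPTED.search(line)
        if m:
            user, ip = m.group("user"), m.group("ip")
            if user not in ALLOWED_USERS:
                alerts.append(("HIGH", f"login by unexpected account {user} from {ip}"))
            elif not from_allowed_network(ip):
                alerts.append(("HIGH", f"{user} logged in from unexpected address {ip}"))
            continue
        m = FAILED.search(line)
        if m:
            failures[m.group("ip")] += 1
    # Repeated failures from one address look like password guessing.
    for ip, count in failures.items():
        if count >= FAILED_THRESHOLD:
            alerts.append(("MEDIUM", f"{count} failed logins from {ip} (possible brute force)"))
    return alerts


# Constructed sample: a normal login, a password-guessing run from an outside
# address that finally succeeds, and a login by an account not on the list.
SAMPLE_LINES = (
    ["Mar  3 10:01:12 web1 sshd[2210]: Accepted publickey for deploy from 10.0.0.15 port 51234 ssh2"]
    + [
        f"Mar  3 10:05:{40 + i:02d} web1 sshd[{2231 + i}]: Failed password for invalid user admin "
        f"from 203.0.113.9 port {40211 + i} ssh2"
        for i in range(6)
    ]
    + [
        "Mar  3 10:07:02 web1 sshd[2260]: Accepted password for alice from 203.0.113.9 port 40220 ssh2",
        "Mar  3 10:09:55 web1 sshd[2270]: Accepted publickey for backup from 10.0.0.20 port 51300 ssh2",
    ]
)

if __name__ == "__main__":
    for severity, message in analyse(SAMPLE_LINES):
        print(f"[{severity}] {message}")
```

On a real server you would feed this from /var/log/auth.log or journalctl output rather than a fixed list, and ship the alerts to whatever your monitoring tool uses for notifications. The important point is the policy: a login is only suspicious relative to what you expect, so the allowlists are where the real thought goes.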
What is an IDS?
This leads neatly on to intrusion detection systems (IDS). An IDS is designed specifically to spot an attacker's intrusion into a system and to identify what they are doing on the server. It offers more advanced and more specific versions of the monitoring functions described above, ranging from watching network traffic for patterns that match known attack methods (a network-based IDS) to monitoring system binaries, configuration and other important files for changes (a host-based IDS), and in some cases monitoring user behavior for abnormalities. Should the IDS detect a potential breach of the server, it alerts the administrator so that it can be dealt with swiftly and effectively. Bear in mind that a plain IDS detects and alerts; unlike a firewall it does not block the attack by itself, so someone still has to act on the alert.
Generally, once an attacker has gained access to a server, the first thing they will do is attempt to secure that access so they can get back in later. This is normally done by replacing existing software with modified versions that contain a backdoor they can use, or by installing malicious software that runs in the background and calls home to their command-and-control servers for further instructions. In some cases they create user accounts of their own, or change the passwords of existing accounts. They will also often try to improve the security of the server so that other attackers cannot take it over too, frequently patching the hole they came in through once their own back door is in place.
The traces this behavior leaves, such as changed binaries, new or altered accounts, unexpected processes and unexpected outbound connections, are what both your monitoring and your intrusion detection systems can pick up, giving you the heads-up that your server has been compromised. While nobody wants their system to be hacked, it is important to know when it has happened so that the appropriate steps can be taken to ensure data is not stolen or lost, and that the server is not misused.
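The file-change monitoring a host-based IDS performs, and the account tampering described above, both come down to comparing the current state of the host against a trusted baseline. The following script is an added example of that idea, written for this article; it is not code from the article or from any IDS product. The directory tree, file contents and /etc/passwd-style text are constructed for illustration, and a real deployment would baseline directories such as /etc, /bin and /usr/bin and keep the baseline somewhere the attacker cannot rewrite it.

```python
"""Host-based change detection: file integrity baseline plus account diff.

Added example. The sample tree and the PASSWD_* text are constructed.
"""
import hashlib
import os
import tempfile


def file_fingerprint(path):
    """Return (sha256 hex digest, permission bits) for a regular file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest(), os.lstat(path).st_mode & 0o777


def build_baseline(root):
    """Fingerprint every regular file under root, keyed by relative path."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.isfile(path) and not os.path.islink(path):
                baseline[os.path.relpath(path, root)] = file_fingerprint(path)
    return baseline


def check_baseline(root, baseline):
    """Compare the tree under root with a saved baseline; return (finding, path) pairs."""
    current = build_baseline(root)
    findings = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            findings.append(("deleted", rel))
        elif rel not in baseline:
            findings.append(("added", rel))
        elif baseline[rel][0] != current[rel][0]:
            findings.append(("content changed", rel))
        elif baseline[rel][1] != current[rel][1]:
            findings.append(("mode changed %o -> %o" % (baseline[rel][1], current[rel][1]), rel))
    return findings


def parse_passwd(text):
    """Map username -> (uid, shell) from /etc/passwd-style text."""
    accounts = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7:  # skip blank or malformed lines
            accounts[fields[0]] = (fields[2], fields[6])
    return accounts


def diff_accounts(old_text, new_text):
    """Findings for accounts added, removed or altered, plus any extra uid-0 account."""
    old, new = parse_passwd(old_text), parse_passwd(new_text)
    findings = []
    for user in sorted(set(old) | set(new)):
        if user not in new:
            findings.append(("account removed", user))
        elif user not in old:
            findings.append(("account added", user))
        elif old[user] != new[user]:
            findings.append(("account changed", user))
        if user in new and new[user][0] == "0" and user != "root":
            findings.append(("extra uid 0 account", user))
    return findings


# Constructed /etc/passwd before and after a typical compromise: a service
# account given a login shell, and a second uid-0 account added.
PASSWD_BEFORE = "root:x:0:0:root:/root:/bin/bash\nwww-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n"
PASSWD_AFTER = (
    "root:x:0:0:root:/root:/bin/bash\nwww-data:x:33:33:www-data:/var/www:/bin/bash\n"
    "support:x:0:0::/root:/bin/bash\n"
)


def demo_file_changes():
    """Baseline a constructed tree, tamper with it, and report what the check finds."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "sshd"), "wb") as f:
            f.write(b"original sshd binary\n")
        with open(os.path.join(root, "sudoers"), "w") as f:
            f.write("root ALL=(ALL) ALL\n")
        os.chmod(os.path.join(root, "sudoers"), 0o440)
        baseline = build_baseline(root)
        # The attacker: trojanised sshd, a dropped script, world-writable sudoers.
        with open(os.path.join(root, "bin", "sshd"), "wb") as f:
            f.write(b"original sshd binary plus backdoor\n")
        with open(os.path.join(root, ".cache"), "wb") as f:
            f.write(b"#!/bin/sh\n")
        os.chmod(os.path.join(root, "sudoers"), 0o666)
        return check_baseline(root, baseline)


if __name__ == "__main__":
    for finding in demo_file_changes() + diff_accounts(PASSWD_BEFORE, PASSWD_AFTER):
        print(*finding)
```

Two caveats worth keeping in mind. The baseline must be taken while the host is known-good and stored off the box (or on read-only media), otherwise an attacker who has root simply re-baselines after installing their backdoor. And a check that runs on the compromised host can itself be subverted, which is why dedicated tools also watch the integrity of their own binaries and why network-based detection of the call-home traffic is a useful second line.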