Monitoring Linux Security with the Linux Sensor Pack

Any IT engineer has war stories on how hackers tried or even succeeded to break into their systems. It is an ongoing battle that happens in the background, not really visible until one day you can find your systems "owned" by a script kiddie or by state-sponsored criminals.

We did a small experiment with our cloud provider and placed an internet-facing Linux machine, without any firewalls, using a plain-vanilla configuration. Ping was disabled though and root password modified.

Our Linux server is under attack

We deployed the AutoMonX Linux sensor pack to watch after the Linux server performance and security. Lo and behold, in a matter of a few hours the machine metrics, as reflected in our Linux sensor pack clearly showed it was under attack, as can be seen in the graph below.

The graph shows constant failed password and authentication failures as recorded by the Linux security log. These messages were automatically collected, parsed and displayed via the Linux sensor pack.

Analyzing the data collected during the passing month, it is obvious someone is really keen on breaking into our poor Linux and this guy took only short breaks which leads to the conclusion that the attack is automated and some hacking tools were deployed.

Why other performance indicators are not good enough?

Looking at other indicators such as CPU Load, Memory and even the sshd daemon specific performance indicators, couldn't reveal that the system is under attack. The attacker is clever enough to try to break-in without making too much noise.