Monitoring helps you catch security incidents, performance issues, and unusual behaviour before they become serious problems. This guide covers essential monitoring tools and techniques.
1. Check Who Is Logged In
See currently logged-in users:
who
w
View recent login history:
last
View failed login attempts:
lastb
2. Monitor Authentication Logs
Failed SSH login attempts are logged in:
# Ubuntu/Debian
grep "Failed password" /var/log/auth.log
# Live monitoring
tail -f /var/log/auth.log
Signs of a brute-force attack: dozens of failed login attempts from the same IP or many IPs in quick succession.
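The grep above shows raw lines; to see the pattern the text describes (many failures from one source), you need a count per IP. The script below is an added example, not part of the original guide: it summarises "Failed password" events per source address from auth.log-style input and flags any address at or above a threshold. The log lines are constructed for the demo; on a real server you would feed it /var/log/auth.log instead.

```shell
#!/bin/sh
# Added example: count sshd "Failed password" events per source IP and flag
# sources over a threshold. The sample lines are constructed for this demo.

SAMPLE_AUTH_LOG='Mar  3 10:01:12 web1 sshd[1201]: Failed password for root from 203.0.113.7 port 51012 ssh2
Mar  3 10:01:14 web1 sshd[1201]: Failed password for root from 203.0.113.7 port 51014 ssh2
Mar  3 10:01:15 web1 sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51016 ssh2
Mar  3 10:02:40 web1 sshd[1210]: Accepted publickey for deploy from 198.51.100.20 port 40022 ssh2
Mar  3 10:03:01 web1 sshd[1215]: Failed password for invalid user test from 192.0.2.55 port 33001 ssh2
Mar  3 10:03:05 web1 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/apt update'

# failed_by_ip: read auth.log lines on stdin, print "<count> <ip>" with the
# busiest source first. The IP is the token after "from"; locating that keyword
# rather than a fixed column copes with the "invalid user" variant, which
# shifts the other fields right by two.
failed_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
         }
         END { for (ip in n) printf "%d %s\n", n[ip], ip }' | sort -rn
}

# flag_bruteforce THRESHOLD: print only the IPs with at least THRESHOLD failures.
flag_bruteforce() {
    failed_by_ip | awk -v t="$1" '$1 >= t { print $2 }'
}

# Stand-alone run: show the per-IP counts, then flag sources with 3+ failures.
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_by_ip
printf '%s\n' "$SAMPLE_AUTH_LOG" | flag_bruteforce 3
```

On a live server, run `flag_bruteforce 20 < /var/log/auth.log` (or pipe `journalctl -u ssh --no-pager` into it on systems that log only to the journal). The threshold and the time window you feed in are the two knobs: a handful of failures over a day is normal background noise, dozens from one address within minutes is the signature the text describes.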
3. Check Running Processes
See what's currently running:
top
# or the better alternative:
htop
Install htop if not available:
apt install htop -y
Look for: unfamiliar processes consuming high CPU or memory.
List all running processes:
ps aux
4. Check for Unusual Network Connections
See all active network connections:
ss -tulnp
# or
netstat -tulnp
Look for: open ports you didn't intentionally configure, or connections to unknown external IPs.
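Reading `ss -tulnp` by eye works for a handful of services but not for a nightly check. The script below is an added example, not part of the original guide: it compares the listening sockets in `ss -tulnp` output against an allowlist of ports you know you configured and reports everything else with its protocol and owning process. The `ss` output is constructed for the demo; on a real server you would pipe the live command into the function.

```shell
#!/bin/sh
# Added example: report listening sockets whose port is not on an allowlist.
# The ss output below is constructed for this demo (column layout of ss -tulnp).

SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53    0.0.0.0:*         users:(("systemd-resolve",pid=612,fd=13))
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=901,fd=3))
tcp   LISTEN 0      511    0.0.0.0:80          0.0.0.0:*         users:(("nginx",pid=1130,fd=6))
tcp   LISTEN 0      80     127.0.0.1:3306      0.0.0.0:*         users:(("mysqld",pid=1002,fd=21))
tcp   LISTEN 0      128    0.0.0.0:8081        0.0.0.0:*         users:(("python3",pid=2210,fd=3))'

# unexpected_listeners "PORT PORT ...": read ss -tulnp output on stdin and print
# "<netid> <port> <process>" for every listener whose port is not in the list.
# The port is the last ":"-separated part of the Local Address:Port column, so
# IPv6 addresses and "%lo"-style scope suffixes do not confuse it.
unexpected_listeners() {
    awk -v al="$1" '
        BEGIN { m = split(al, arr, " "); for (i = 1; i <= m; i++) allow[arr[i]] = 1 }
        NR > 1 {
            n = split($5, a, ":"); port = a[n]
            if (port in allow) next
            # Process column looks like users:(("name",pid=N,fd=N)); take the
            # quoted name. Without -p (or as non-root) the column is empty.
            split($7, p, "\""); proc = (p[2] == "") ? "?" : p[2]
            printf "%s %s %s\n", $1, port, proc
        }'
}

# Stand-alone run: everything except the services we intentionally run.
printf '%s\n' "$SAMPLE_SS" | unexpected_listeners "22 80 443 53 3306"
```

On a live server: `ss -tulnp | unexpected_listeners "22 80 443"`. Keep the allowlist in version control next to your server build notes, so that a new entry in the report is either a change you made on purpose or something to investigate.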
5. Check Disk Usage
Unexplained disk usage can indicate log flooding, crypto mining, or malware:
df -h # Overall disk usage by partition
du -sh /* # Usage by top-level directory
du -sh /var/* # Often where logs accumulate
6. Review System Logs
Key log files:
| Log File | What It Contains |
|---|---|
| /var/log/auth.log | SSH logins, sudo usage, authentication |
| /var/log/syslog | General system messages |
| /var/log/nginx/access.log | HTTP requests to your site |
| /var/log/nginx/error.log | Nginx errors |
| /var/log/mysql/error.log | MySQL errors |
Use grep to search for specific patterns:
grep "Invalid user" /var/log/auth.log
grep "404" /var/log/nginx/access.log
7. Set Up Logwatch for Daily Reports
Logwatch sends a daily email summary of system activity:
apt install logwatch -y
logwatch --output mail --mailto [email protected] --detail high
Automate daily reports by adding the following line to /etc/cron.daily/00logwatch:
/usr/sbin/logwatch --output mail --mailto [email protected] --detail medium
8. Check Fail2Ban Status
If you have Fail2Ban installed, check which IPs have been banned:
fail2ban-client status
fail2ban-client status sshd
Unban an IP if needed:
fail2ban-client set sshd unbanip IP_ADDRESS
9. Set Up Uptime Monitoring
Use a free external monitoring service to get alerted when your server goes offline:
- UptimeRobot – Free, monitors every 5 minutes
- Freshping – Free tier available
- Better Uptime – Free tier with on-call alerts
These services ping your server from outside and notify you by email or SMS if it becomes unreachable.
Red Flags to Watch For
- 🚩 Unfamiliar user accounts in /etc/passwd
- 🚩 Unusual cron jobs - check with crontab -l and ls /etc/cron.*
- 🚩 High CPU usage from unknown processes
- 🚩 Large numbers of outbound connections (possible spam bot or DDoS participant)
- 🚩 Files modified in /etc unexpectedly - check with find /etc -mtime -1
Quick Security Audit Commands
# List all users with login shells
grep -v nologin /etc/passwd
# Find files modified in the last 24 hours (excluding the virtual /proc tree)
find / -mtime -1 -type f 2>/dev/null | grep -v '^/proc/'
# Check for world-writable files (potential security risk)
find / -perm -002 -type f 2>/dev/null
# List all open ports
ss -tulnp
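The first audit command above, `grep -v nologin /etc/passwd`, is a quick approximation: it still lists accounts whose shell is /bin/false, and it would hide a line whose username happens to contain "nologin". The script below is an added example, not part of the original guide: it reads /etc/passwd-style input field by field, lists the accounts that can actually log in, and adds the check from the "Red Flags" section that matters most, whether any account other than root has UID 0. The passwd content is constructed for the demo.

```shell
#!/bin/sh
# Added example: audit /etc/passwd-style input by field rather than by grep.
# Field 7 is the login shell, field 3 the UID. The sample is constructed.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
deploy:x:1000:1000::/home/deploy:/bin/bash
backup:x:34:34:backup:/var/backups:/bin/false
sysadmin:x:0:0::/home/sysadmin:/bin/sh'

# login_shell_users: read passwd lines on stdin, print usernames whose shell is
# neither a nologin variant nor /bin/false. Compare this against the accounts
# you created yourself; anything else is an "unfamiliar user account".
login_shell_users() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 }'
}

# uid0_non_root: print any account with UID 0 that is not named root. A second
# UID 0 account is a classic sign that someone has kept themselves root access.
uid0_non_root() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Stand-alone run against the constructed sample.
echo "Accounts with login shells:"
printf '%s\n' "$SAMPLE_PASSWD" | login_shell_users
echo "UID 0 accounts other than root:"
printf '%s\n' "$SAMPLE_PASSWD" | uid0_non_root
```

On a live server: `login_shell_users < /etc/passwd` and `uid0_non_root < /etc/passwd`. The second command should print nothing; any output is worth an immediate look. Note that `sync` appears in the first list because its shell is /bin/sync, which is a real executable; that is normal on Debian and Ubuntu and is a good reminder to compare against a known baseline rather than eyeballing the list fresh each time.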