I am administering a server with Ubuntu Server which is running pureFTP.
So far all is well, but I would like to know what I should be monitoring so that I can spot any potential stability and security issues. I'm not looking for sophisticated software, more an idea of what logs and process statistics are most useful for checking on the health of the system.
I'm thinking that I can look at various parameters output from the "ps" command and compare to see if I have things like memory leaks. But I would like to know what experienced admins do.
Also, how do I do a disk check so that when I reboot, I don't get a message saying something like "disk not checked for x days, forcing check" which delays the reboot? I assume there is a command that I can run as a cron job late at night. How often should it be run?
What things should I be looking at to spot intrusion attempts? The only shell access is SSH on a non-standard port through UFW firewall, and I regularly do a grep on auth.log for "Fail" or "Invalid". Is there anything else I should look at?
I was logging the firewall (UFW) but I have very few open ports (FTP and SSH on a non-standard port) so looking at lists of IPs that have been blocked did not seem useful.
I'd keep an eye on /var/log/messages and any FTP related logs in /var/log. Of course, any, or most logs in /var/log should be monitored for errors.
Performing a disk check shouldn't be an issue. You shouldn't really be doing disk checks at night, or even every so often. The disks usually are very non-contiguous, so therefore, you aren't going to have much fragmentation. If you really want to set one up, the command would simply be fsck /device/name. HOWEVER, BIG NOTE: you should NEVER run this on a mounted device, so don't expect to run this on the root file system, or any filesystem without unmounting it first, which means, most of the time (especially if you are referring to the root device), that you would need to do this upon reboot. I don't expect you will be rebooting the Ubuntu box regularly; just for kernel upgrades.
I'd just keep an eye out for auth.log, that's a good measure.
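
The auth.log check discussed above, as an added example that is not part of the original question or answer: instead of reading raw grep output, count failed and invalid SSH logins per source IP. It assumes OpenSSH's usual syslog message format; the function names and the sample lines are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: summarise failed/invalid SSH logins per source IP.

# Constructed sample lines in the usual OpenSSH syslog format
# (addresses are from the documentation ranges).
sample_auth_log() {
cat <<'EOF'
Mar  3 02:11:07 ftp1 sshd[2101]: Failed password for root from 203.0.113.7 port 51122 ssh2
Mar  3 02:11:09 ftp1 sshd[2101]: Failed password for root from 203.0.113.7 port 51122 ssh2
Mar  3 02:11:15 ftp1 sshd[2107]: Invalid user admin from 203.0.113.7 port 51130
Mar  3 02:11:17 ftp1 sshd[2107]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
Mar  3 07:45:31 ftp1 sshd[2290]: Failed password for alice from 198.51.100.23 port 40022 ssh2
Mar  3 07:45:40 ftp1 sshd[2290]: Accepted password for alice from 198.51.100.23 port 40022 ssh2
Mar  3 09:02:00 ftp1 sshd[2301]: Invalid user root from 10.0.0.1 from 192.0.2.55 port 33001
EOF
}

# Print "count ip" per source IP, highest count first.
# Reads the named files, or stdin when none are given.
failed_by_ip() {
  awk '
    /sshd\[[0-9]+\]: (Failed password|Invalid user)/ {
      # The user name is supplied by the client and may itself contain
      # "from <address>", so take the LAST "from" on the line.
      for (i = NF - 1; i >= 1; i--)
        if ($i == "from") { n[$(i + 1)]++; break }
    }
    END { for (ip in n) print n[ip], ip }
  ' "$@" | sort -k1,1nr -k2,2
}

# Print only the IPs with at least MIN failures: noisy_ips MIN [file...]
noisy_ips() {
  min=$1; shift
  failed_by_ip "$@" | awk -v min="$min" '$1 >= min { print $2 }'
}

# Stand-alone run over the constructed sample.
sample_auth_log | failed_by_ip
```

On the server itself this would be run as `failed_by_ip /var/log/auth.log`, typically with sudo since auth.log is not world-readable.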