How to monitor CentOS servers and promptly discover and respond to security incidents
Servers host the services and data a business depends on, so monitoring their security is essential. This article explains how to monitor CentOS servers and detect and respond to security incidents in a timely manner. It covers four areas: system monitoring, network monitoring, log monitoring, and security incident processing.
System monitoring
1) Install Zabbix Server:
yum install zabbix-server-mysql zabbix-web-mysql -y
2) Install Zabbix Agent:
yum install zabbix-agent -y
3) Configure Zabbix Server and Agent:
In the Zabbix Server configuration file /etc/zabbix/zabbix_server.conf, set the database connection parameters:
DBHost=localhost
DBName=zabbix
DBUser=zabbix
DBPassword=zabbix
The password shown is only a placeholder; use the strong password you assigned to the zabbix database user, and keep the file readable only by root and the zabbix user.
In the Zabbix Agent configuration file /etc/zabbix/zabbix_agentd.conf, set both Server and ServerActive to the IP address of the Zabbix Server:
Server=Zabbix_Server_IP
ServerActive=Zabbix_Server_IP
4) Start Zabbix Server and Agent services:
systemctl start zabbix-server
systemctl start zabbix-agent
Then open the Zabbix web interface to configure monitoring items and set alert rules.
Network monitoring
1) Install NetData:
bash <(curl -Ss https://my-netdata.io/kickstart.sh)
2) Start the NetData service:
systemctl start netdata
Open http://serverIP:19999 in your browser to view the server's network status and performance information.
Log monitoring
1) Install and configure Elasticsearch:
rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
echo "[elasticsearch-7.x]
name=Elasticsearch repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md" | sudo tee /etc/yum.repos.d/elasticsearch.repo
yum install elasticsearch -y
Then edit /etc/elasticsearch/elasticsearch.yml and set:
cluster.name: my-application
node.name: node-1
network.host: 0.0.0.0
Note that network.host: 0.0.0.0 exposes the Elasticsearch HTTP port (9200) on every interface; restrict access with a firewall or bind to a private address, and enable authentication before any real log data is indexed.
2) Install and configure Logstash:
rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
echo "[logstash-7.x]
name=Elastic repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md" | sudo tee /etc/yum.repos.d/logstash.repo
yum install logstash -y
Then create /etc/logstash/conf.d/logstash.conf with a file input and an Elasticsearch output:
input {
  file {
    path => "/var/log/*.log"
    start_position => "beginning"
  }
}
output {
  elasticsearch {
    hosts => ["localhost:9200"]
  }
}
Logstash runs as the logstash user, so it can only read the log files that user has permission to open; security-relevant files such as /var/log/secure are root-only by default and must be made readable to that user (for example via group membership) before they appear in Elasticsearch.
3) Install and configure Kibana:
echo "[kibana-7.x]
name=Kibana repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md" | sudo tee /etc/yum.repos.d/kibana.repo
yum install kibana -y
Then edit /etc/kibana/kibana.yml and set:
server.host: "0.0.0.0"
As with Elasticsearch, binding to 0.0.0.0 makes the Kibana web interface reachable from every network; restrict it with a firewall or place it behind an authenticating reverse proxy.
4) Start Elasticsearch, Logstash and Kibana services:
systemctl start elasticsearch
systemctl start logstash
systemctl start kibana
Open http://serverIP:5601 in your browser to configure Kibana.
Security incident processing
Once a security incident on the server is discovered, it must be handled promptly. The response depends on the circumstances: blocking abnormal IP addresses, shutting down vulnerable services, patching vulnerabilities, and so on. The following sample script blocks an abnormal IP address:
#!/bin/bash
# Address to block (sample value)
IP="192.168.1.100"
# Insert a DROP rule at the top of the INPUT chain
iptables -I INPUT -s "$IP" -j DROP
# Persist the rule across reboots (requires the iptables-services package)
service iptables save
On CentOS 7 the default firewall is firewalld, so service iptables save only works once the iptables-services package is installed and enabled in place of firewalld.
Save the above code as block_ip.sh
and grant execution permissions:
chmod +x block_ip.sh
Execute the script to block the specified IP address:
./block_ip.sh
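The script above blocks a fixed address and trusts whoever edits it to have chosen the right one. In practice the "abnormal IP" comes out of the logs that the log monitoring section ships to Elasticsearch, and the block command should only be produced for an address that is well-formed and not one of your own management hosts. The following script is an added example, not code from the article: it counts failed sshd logins per source address in constructed /var/log/secure-style lines, reports the addresses that reach a threshold, and prints (does not execute) the iptables rule for each. ADMIN_ALLOWLIST and THRESHOLD are assumed settings, and the addresses come from the documentation ranges.

```shell
#!/bin/bash
# Added example, not code from the original article: detect repeated SSH
# login failures in sshd log lines (the same data Logstash reads from
# /var/log/secure) and prepare, but do not run, the iptables rule that the
# article's block_ip.sh applies. All log lines are constructed samples using
# documentation addresses; ADMIN_ALLOWLIST and THRESHOLD are assumed settings.
set -eu

# Addresses that must never be blocked (assumed example: the admin jump host).
ADMIN_ALLOWLIST="198.51.100.7"
# Failed logins from one address before it is reported.
THRESHOLD=5

# failed_logins_by_ip LOGFILE
# Prints "<count> <ip>" per source address, most failures first.
failed_logins_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1)
        }' "$1" | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# suspicious_ips LOGFILE THRESHOLD
# Prints the addresses whose failure count reaches THRESHOLD.
suspicious_ips() {
    failed_logins_by_ip "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# valid_ipv4 IP
# Returns 0 only for a dotted quad with four numeric octets in 0-255.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= NF; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1 }'
}

# block_rule IP
# Prints the iptables command that would block IP, refusing malformed or
# allowlisted addresses. "-C" checks for an existing rule first so that
# re-running the output never inserts duplicates.
block_rule() {
    local ip="$1" allowed
    valid_ipv4 "$ip" || { echo "refusing to block malformed address: $ip" >&2; return 1; }
    for allowed in $ADMIN_ALLOWLIST; do
        if [ "$ip" = "$allowed" ]; then
            echo "refusing to block allowlisted address: $ip" >&2
            return 1
        fi
    done
    printf 'iptables -C INPUT -s %s -j DROP 2>/dev/null || iptables -I INPUT -s %s -j DROP\n' "$ip" "$ip"
}

# --- demonstration on a constructed log excerpt ---
logfile="$(mktemp)"
trap 'rm -f "$logfile"' EXIT
# Constructed /var/log/secure lines: one address hammering sshd, one normal login
cat > "$logfile" <<'EOF'
Mar  3 10:15:01 web01 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Mar  3 10:15:02 web01 sshd[2103]: Failed password for invalid user oracle from 203.0.113.5 port 51030 ssh2
Mar  3 10:15:04 web01 sshd[2105]: Failed password for root from 203.0.113.5 port 51041 ssh2
Mar  3 10:15:05 web01 sshd[2107]: Failed password for root from 203.0.113.5 port 51052 ssh2
Mar  3 10:15:07 web01 sshd[2109]: Failed password for invalid user test from 203.0.113.5 port 51060 ssh2
Mar  3 10:15:09 web01 sshd[2111]: Failed password for deploy from 198.51.100.7 port 40010 ssh2
Mar  3 10:15:12 web01 sshd[2111]: Accepted publickey for deploy from 198.51.100.7 port 40010 ssh2
EOF

echo "failed logins per source address:"
failed_logins_by_ip "$logfile"
echo "proposed rules (dry run, review before running as root):"
for ip in $(suspicious_ips "$logfile" "$THRESHOLD"); do
    block_rule "$ip" || true
done
```

Replace the constructed file with /var/log/secure (run as root, since the file is 0600) to use it on a server; the rules are printed rather than executed so that a typo in the threshold or the allowlist cannot lock you out, and the same counts can be cross-checked against what Kibana shows for the sshd messages Logstash has indexed.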
To sum up, system monitoring, network monitoring, log monitoring and security incident processing together give timely visibility into a CentOS server and a way to respond when something goes wrong. These are only basic monitoring and response methods; depending on the situation and requirements, more advanced tools and techniques can be added to improve the security and stability of the server. I hope this article is helpful.