This time we'll talk a little about the OpenSSH server, scp, system monitoring using /var/log, and network monitoring using darkstat, iptraf and netstat.
OpenSSH server
OpenSSH is a freely available version of the Secure Shell (SSH) protocol
family of tools for remotely controlling a computer or transferring files
between computers. Traditional tools used to accomplish these functions, such
as telnet or rcp, are insecure and transmit
the user's password in cleartext when used. OpenSSH provides a server daemon
and client tools to facilitate secure, encrypted remote control and file
transfer operations, effectively replacing the legacy tools.
The OpenSSH server component, sshd, listens continuously
for client connections from any of the client tools. When a connection request
occurs, sshd sets up the correct connection depending on the
type of client tool connecting. For example, if the remote computer is
connecting with the ssh client application, the OpenSSH server
sets up a remote control session after authentication. If a remote user
connects to an OpenSSH server with scp, the OpenSSH server
daemon initiates a secure copy of files between the server and client after
authentication. OpenSSH can use many authentication methods, including plain
password, public key, and Kerberos tickets.
SCP
Secure Copy or SCP is a means of securely transferring computer files between a local and a remote host or between two remote hosts. It is based on the Secure Shell (SSH) protocol.
SCP uses Secure Shell
(SSH) for data transfer and utilizes the same mechanisms for authentication,
thereby ensuring the authenticity and confidentiality
of the data in transit. A client can send (upload) files to a server,
optionally including their basic attributes (permissions, timestamps). Clients
can also request files or directories from a server (download). SCP runs over TCP port
22 by default. Like RCP, there is no RFC that defines the specifics of the
protocol.
Normally, a client initiates an SSH connection to
the remote host, and requests an SCP process to be started on the remote
server. The remote SCP process can operate in one of two modes: source mode,
which reads files (usually from disk) and sends them back to the client, or
sink mode, which accepts the files sent by the client and writes them (usually
to disk) on the remote host. For most SCP clients, source mode is generally
triggered with the -f flag (from), while sink mode is triggered with -t (to).
These flags are used internally and not documented outside the scp source code.
System Monitoring Using /var/log
Almost all log files are located under the /var/log directory (and its subdirectories). You can change to this directory using the cd command, but you need to be the root user to read most of the files there. You can use the less, more, cat or tail command to see the logs.
Go to the /var/log directory:
# cd /var/log
View the common log file /var/log/messages using any one of the following commands:
# tail -f /var/log/messages
# less /var/log/messages
# more -f /var/log/messages
# vi /var/log/messages
Output:
Jul 17 22:04:25 router dnsprobe[276]: dns query failed
Jul 17 22:04:29 router last message repeated 2 times
Jul 17 22:04:29 router dnsprobe[276]: Primary DNS server Is Down... Switching To Secondary DNS server
Jul 17 22:05:08 router dnsprobe[276]: Switching Back To Primary DNS server
Jul 17 22:26:11 debian -- MARK --
Jul 17 22:46:11 debian -- MARK --
Jul 17 22:47:36 router -- MARK --
Jul 17 22:47:36 router dnsprobe[276]: dns query failed
Jul 17 22:47:38 debian kernel: rtc: lost some interrupts at 1024Hz.
Jun 17 22:47:39 debian kernel: IN=eth0 OUT= MAC=00:0f:ea:91:04:07:00:08:5c:00:00:01:08:00 SRC=61.4.218.24 DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=46 ID=21599 DF PROTO=TCP SPT=59297 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
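The last entry above is a kernel netfilter (iptables) log line recording a TCP SYN from a public address to port 22, i.e. to sshd. As an added example that is not part of the original post, the following Python script parses such entries out of /var/log/messages text and summarises inbound connection attempts by destination port and source; the sample log is constructed (its second line is the entry quoted above) and the field names used (SRC, DST, DPT, PROTO and the bare SYN flag) are the ones netfilter logging emits.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address

# Constructed sample of /var/log/messages content; the second line is the
# netfilter entry quoted in the output above, the others are made up.
SAMPLE_LOG = """\
Jul 17 22:04:25 router dnsprobe[276]: dns query failed
Jun 17 22:47:39 debian kernel: IN=eth0 OUT= MAC=00:0f:ea:91:04:07:00:08:5c:00:00:01:08:00 SRC=61.4.218.24 DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=46 ID=21599 DF PROTO=TCP SPT=59297 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 17 22:47:41 debian kernel: IN=eth0 OUT= MAC=00:0f:ea:91:04:07:00:08:5c:00:00:01:08:00 SRC=61.4.218.24 DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=46 ID=21600 DF PROTO=TCP SPT=59298 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 17 22:47:42 debian kernel: IN=eth0 OUT= MAC=00:0f:ea:91:04:07:00:08:5c:00:00:01:08:00 SRC=192.168.1.20 DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=100 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 17 22:47:43 debian kernel: IN=eth0 OUT= MAC=00:0f:ea:91:04:07:00:08:5c:00:00:01:08:00 SRC=10.0.0.5 DST=192.168.1.100 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=101 PROTO=UDP SPT=5353 DPT=5353 LEN=56
"""

# Netfilter entries are KEY=VALUE pairs plus bare flag tokens (DF, SYN, ...).
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")
FLAGS = {"DF", "SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def parse_netfilter_line(line):
    """Return the fields of a kernel netfilter log line as a dict, or None."""
    if "kernel:" not in line or "SRC=" not in line:
        return None
    fields = dict(KV_RE.findall(line))
    fields["FLAGS"] = {tok for tok in line.split() if tok in FLAGS}
    return fields

def summarise_netfilter(log_text):
    """Count inbound TCP SYNs per destination port and per source, and list
    public (non-private) sources knocking on port 22, as in the quoted entry."""
    by_port = Counter()
    by_src = defaultdict(Counter)
    for line in log_text.splitlines():
        f = parse_netfilter_line(line)
        if not f or f.get("PROTO") != "TCP" or "SYN" not in f["FLAGS"]:
            continue  # only new connection attempts, not UDP or later segments
        by_port[f["DPT"]] += 1
        by_src[f["SRC"]][f["DPT"]] += 1
    external_ssh = sorted(src for src, ports in by_src.items()
                          if "22" in ports and ip_address(src).is_global)
    return by_port, dict(by_src), external_ssh

if __name__ == "__main__":
    ports, sources, ext = summarise_netfilter(SAMPLE_LOG)
    print("SYNs per destination port:", dict(ports))
    print("public sources hitting sshd:", ext)
```

Run it against `grep kernel /var/log/messages` output to get the same summary for a real machine.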
Common Linux log file names and usage
- /var/log/messages: General messages and system related stuff
- /var/log/auth.log: Authentication logs
- /var/log/kern.log: Kernel logs
- /var/log/cron.log: Crond logs (cron jobs)
- /var/log/maillog: Mail server logs
- /var/log/qmail/: Qmail log directory (more files inside this directory)
- /var/log/httpd/: Apache access and error logs directory
- /var/log/lighttpd/: Lighttpd access and error logs directory
- /var/log/boot.log: System boot log
- /var/log/mysqld.log: MySQL database server log file
- /var/log/secure: Authentication log
- /var/log/utmp or /var/log/wtmp: Login records file
- /var/log/yum.log: Yum log file
In short, /var/log is the location where you should find all Linux log files. However, some applications such as httpd have a directory within /var/log/ for their own log files. You can rotate log files using the logrotate software and monitor log files using the logwatch software.
Network monitoring
The term network monitoring describes the use of a system that constantly monitors a computer network for slow or failing components and that notifies the network administrator (via email, pager or other alarms) in case of outages. It is a subset of the functions involved in network management.
While an intrusion detection system monitors a
network for threats from the outside, a network monitoring system monitors the
network for problems caused by overloaded and/or crashed servers, network
connections or other devices.
For example, to determine the status of a webserver, monitoring software may
periodically send an HTTP request to fetch a page. For email servers, a test
message might be sent through SMTP and retrieved by IMAP or POP3.
Commonly measured metrics are response time, availability
and uptime,
although both consistency and reliability metrics are starting to gain
popularity. The widespread addition of WAN
optimization devices is having an adverse effect on most network
monitoring tools -- especially when it comes to measuring accurate end-to-end
response time because they limit round trip visibility.
Status request failures - such as when a connection cannot be established, it times out, or the document or message cannot be retrieved - usually produce an action from the monitoring system. These actions vary: an alarm may be sent (via SMS, email, etc.) to the resident sysadmin, automatic failover systems may be activated to remove the troubled server from duty until it can be repaired, and so on.
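The HTTP-style status check described above, with its three failure modes (connection cannot be established, timeout, document not retrieved) and an alert action, as an added Python example that is not part of the original post. A small local HTTP server stands in for the monitored web server, and the alert handler just records the messages a real monitor would mail or page out; host, port and path values are constructed.

```python
import http.client
import socket
import threading
import time
from http.server import BaseHTTPRequestHandler, HTTPServer

def check_http(host, port, path="/", timeout=2.0):
    """Fetch one page as a poller would; return (ok, detail, seconds)."""
    start = time.monotonic()
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", path)
        resp = conn.getresponse()
        resp.read()
        ok = resp.status == 200  # anything else: reachable, but document not retrieved
        return ok, "OK" if ok else f"HTTP {resp.status}", time.monotonic() - start
    except OSError as exc:  # socket.timeout is an OSError; so are refused/reset
        detail = "timed out" if isinstance(exc, socket.timeout) else f"connection failed: {type(exc).__name__}"
        return False, detail, time.monotonic() - start

def poll(targets, alert, timeout=2.0):
    """Check every (host, port, path); call alert() for each failure."""
    results = {}
    for host, port, path in targets:
        ok, detail, secs = check_http(host, port, path, timeout)
        results[(host, port, path)] = (ok, detail, round(secs, 3))
        if not ok:  # a real monitor would mail or page the sysadmin here
            alert(f"{host}:{port}{path} DOWN: {detail} after {secs:.2f}s")
    return results

class _StandIn(BaseHTTPRequestHandler):  # constructed stand-in: /health is fine, else 404
    def do_GET(self):
        self.send_response(200 if self.path == "/health" else 404)
        self.end_headers()
        self.wfile.write(b"ok\n")
    def log_message(self, *args): pass  # keep the demo quiet

def demo():
    """Probe a healthy page, a missing page and a closed port; return (results, alerts)."""
    srv = HTTPServer(("127.0.0.1", 0), _StandIn)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    with socket.socket() as s:  # grab a free port and release it: nothing listens there
        s.bind(("127.0.0.1", 0)); closed_port = s.getsockname()[1]
    alerts = []
    results = poll([("127.0.0.1", srv.server_address[1], "/health"),
                    ("127.0.0.1", srv.server_address[1], "/missing"),
                    ("127.0.0.1", closed_port, "/")], alerts.append)
    srv.shutdown()
    return results, alerts
```

Calling `demo()` yields one OK result, one "HTTP 404" failure and one "connection failed" failure, with an alert recorded for each of the two failures.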
Darkstat
Darkstat is a packet sniffer that runs as a
background process on a cable/DSL router, gathers all sorts of statistics about
network usage, and serves them over HTTP.
The author of the program, Emil Mikulic, had used "ntop" for a long time, but was dissatisfied with its stability issues and its poor memory behaviour. For this reason he developed "darkstat".
Installation:
OpenSuSE users can use the "1-click" installer to install darkstat.
Ubuntu / Debian: $ sudo apt-get install darkstat
To start darkstat:
# darkstat -i eth0
where "eth0" is the interface whose incoming and outgoing traffic you want to monitor. Change it to match your system.
Now darkstat starts sniffing in the background and serves a simple web interface at http://localhost:667, or, if you are browsing from a different machine, at http://<server-address>:667 (example: http://192.168.1.1:667).
On the "hosts" tab you can see all the machines that take part in the communication. They can be sorted by the traffic they caused or by their IP address. This lets you very quickly spot the machines that have produced the most traffic in the local network, so the responsible system administrator has a chance to get to the bottom of a problem.
IPTraf
IPTraf is a very useful ncurses-based application that shows the traffic passing through your machine.
On startup,
you can immediately see all network traffic on your machine by choosing "IP
traffic monitor." The configuration menu enables you to change the logging
interval (under Timers) or add monitoring of ports above 1023, as these aren't
monitored by default. You can also turn on DNS lookups and service name lookups to get names rather
than numbers.
One of the
best points of iptraf is its flexible traffic-filtering options. In the Add Filters screen, the
left-hand set of filters are for the source address; the right-hand for the destination.
A value of 0.0.0.0 for both IP address and netmask translates to "all hosts." The I/E setting at the bottom controls whether matching data is included or excluded.
An important
point is that iptraf interprets filters to mean "include/exclude this data, and show
nothing else." For including data, this works fine. But if you exclude
a particular set of data, that data won't be shown; nor will any other data.
You must add a second filter, which has both sets of address and mask as
0.0.0.0, and that has "Y" by all the protocols, to show the rest of
the traffic. Filters are applied in order, so this general filter must be the
last in the chain.
After you've
defined the filter, you need to use the "Apply filter" option from
the Filters - IP menu, before using the display again to examine the data you
want.
Netstat
netstat (network statistics) is a command-line tool that displays network connections (both incoming and outgoing), routing tables, and a number of network interface statistics. It is available on Unix, Unix-like, and Windows NT-based operating systems.
It is used for finding problems in the network and to determine the amount
of traffic on the network as a performance measurement.
Netstat provides
statistics for the following:
- Local Address - The IP address of the local computer and the port number being used. The name of the local computer that corresponds to the IP address and the name of the port are shown unless the -n parameter is specified. If the port is not yet established, the port number is shown as an asterisk (*).
- Foreign Address - The IP address and port number of the remote computer to which the socket is connected. The names that correspond to the IP address and the port are shown unless the -n parameter is specified. If the port is not yet established, the port number is shown as an asterisk (*).
- State - Indicates the state of a TCP connection. The possible states are as follows: CLOSE_WAIT, CLOSED, ESTABLISHED, FIN_WAIT_1, FIN_WAIT_2, LAST_ACK, LISTEN, SYN_RECEIVED, SYN_SEND, and TIME_WAIT. For more information about the states of a TCP connection
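As an added example that is not part of the original post, here is a small Python parser for the Local Address, Foreign Address and State columns described above, as printed by `netstat -ant` on Linux. It tallies connections per TCP state, lists the listening ports, and shows which foreign hosts are connected to each local port; the netstat output it reads is constructed.

```python
from collections import Counter

# Constructed sample of `netstat -ant` output in the Linux column layout.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.100:22        61.4.218.24:59297       ESTABLISHED
tcp        0      0 192.168.1.100:22        192.168.1.20:51002      ESTABLISHED
tcp        0      0 192.168.1.100:80        10.0.0.5:40001          TIME_WAIT
tcp6       0      0 :::22                   :::*                    LISTEN
"""

def split_addr(addr):
    """Split 'host:port' on the LAST colon so IPv6 forms such as ':::22' work.
    A '*' port is netstat's way of saying the port is not yet established."""
    host, _, port = addr.rpartition(":")
    return host, (None if port == "*" else int(port))

def parse_netstat(text):
    """Yield one dict per TCP row; the banner and header lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith("tcp"):
            continue
        yield {"proto": parts[0], "local": split_addr(parts[3]),
               "foreign": split_addr(parts[4]), "state": parts[5]}

def summarise_netstat(text):
    """Return (count per State, sorted listening ports, foreign hosts per local port)."""
    states = Counter()
    listening = set()
    peers = {}
    for row in parse_netstat(text):
        states[row["state"]] += 1
        if row["state"] == "LISTEN":
            listening.add(row["local"][1])
        elif row["state"] == "ESTABLISHED":
            peers.setdefault(row["local"][1], set()).add(row["foreign"][0])
    return states, sorted(listening), peers

if __name__ == "__main__":
    states, listening, peers = summarise_netstat(SAMPLE_NETSTAT)
    print("connections per state:", dict(states))
    print("listening ports:", listening)
    print("hosts connected to sshd (port 22):", peers.get(22))
```

Feed it the real output of `netstat -ant` to see at a glance which ports are exposed and who is connected to them.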