Archive for the tag 'monitor'

Using acpi_listen to monitor ACPI events

If ACPI is running on your system, you can monitor ACPI events using the acpi_listen command. As root user, type the following from a Terminal window:

# acpi_listen
ac_adapter AC 00000080 00000000
processor CPU 00000080 00000000
processor CPU 00000081 00000000
battery BAT0 00000080 00000001
ac_adapter AC 00000080 00000001
processor CPU 00000080 00000000
processor CPU 00000081 00000000
battery BAT0 00000080 00000001
button/lid LID 00000080 00000001
button/lid LID 00000080 00000002

The messages above appeared when the AC power was disconnected, when it was reconnected, and when the laptop’s lid was closed and then opened again.

Using RPM Verify to Monitor Changes to System Files

It is important for administrators of critical server systems to be able to track changes to files on their systems. Tracking file changes helps detect accidental or malicious modifications such as viruses, rootkits, or hacking activity. RPM, the package management system used by all RPM-based Linux distributions, provides an easy mechanism for tracking these changes. When a package is installed, the RPM database stores information about each file belonging to that package, including its size, date, and MD5 sum, among other attributes. This data can later be compared against the files currently on the system to detect any changes.

Verifications are performed with the rpm command and the -V flag. This command should be executed as root so that all file attributes can be read from the system without file permissions getting in the way. For example:

To verify all files in the RPM database:

# rpm -Va

To verify all files belonging to a package, packagename:

# rpm -V packagename

To verify all files belonging to a particular RPM file (local, FTP, HTTP):

# rpm -V path_to_the_file.rpm

All applicable files are checked, and any discrepancies are shown. For each file that differs, the output is a string of eight characters, followed by an optional attribute marker (for example, c for a configuration file) and the file name. The string of eight characters indicates changes in size, permissions, MD5 sum, etc.

S file Size differs
M Mode differs (includes permissions and file type)
5 MD5 sum differs
D Device major/minor number mis-match
L readLink(2) path mis-match
U User ownership differs
G Group ownership differs
T mTime differs

For example:

S.5....T c /etc/wvdial.conf

This example shows that the configuration file /etc/wvdial.conf has a different size, MD5 sum, and modification time than the RPM database has on record. In this case this is probably okay: it is a configuration file, and it is normal for those to change.
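The following Python script, added here as an example and not part of the original post, parses rpm -V lines in the format described above and sorts them into expected configuration edits, missing files, and changes worth investigating. The sample lines are constructed; the ninth "P" (capabilities) column it also accepts is printed by newer rpm versions.

```python
# Added example, not from the original post: triage `rpm -V` output lines.
# SAMPLE is constructed; in practice pipe in the output of `rpm -Va`.
FLAG_NAMES = ("size", "mode", "md5", "device", "readlink",
              "user", "group", "mtime", "capabilities")
FLAG_CHARS = "SM5DLUGTP"               # rpm >= 4.7 prints a ninth 'P' column
CONFIG_OK = {"size", "md5", "mtime"}   # routine edits to a config file

def parse_verify_line(line):
    # Return (path, attr, changes) for one `rpm -V` file line, else None.
    tokens = line.split()
    if len(tokens) < 2:
        return None
    flags, rest, attr = tokens[0], tokens[1:], ""
    if len(rest) > 1 and rest[0] in ("c", "d", "g", "l", "r"):
        attr, rest = rest[0], rest[1:]  # attribute marker, 'c' = config file
    path = " ".join(rest)
    if flags == "missing":
        return path, attr, {"missing"}
    changes = set()
    for ch, flag, name in zip(flags, FLAG_CHARS, FLAG_NAMES):
        if ch == flag:
            changes.add(name)
        elif ch not in ".?":            # '?' = test could not be performed
            return None
    return (path, attr, changes) if len(flags) in (8, 9) else None

def triage(line):
    # Classify a line as expected / missing / suspicious / review, or None.
    parsed = parse_verify_line(line)
    if parsed is None:
        return None
    path, attr, changes = parsed
    if "missing" in changes:
        verdict = "missing"
    elif attr == "c" and changes <= CONFIG_OK:
        verdict = "expected"    # e.g. the /etc/wvdial.conf case above
    elif changes & {"mode", "user", "group"} or (attr != "c" and changes & {"md5", "size"}):
        verdict = "suspicious"  # owner/permission change, or altered non-config content
    else:
        verdict = "review"
    return {"path": path, "attr": attr, "changes": sorted(changes), "verdict": verdict}

SAMPLE = """S.5....T c /etc/wvdial.conf
S.5....T   /usr/bin/ls
.M...UG.   /usr/bin/passwd
missing    /usr/sbin/sshd
.......T   /usr/share/doc/foo/README"""

def triage_report(text):
    return [r for r in map(triage, text.splitlines()) if r]
```

Run triage_report on the captured output of rpm -Va and review the "suspicious" and "missing" entries first.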

Tcpdump to monitor SMTP activity from an IP or a range of IPs

tcpdump is a useful utility for monitoring network activity on a server.

tcpdump -i eth0 -n -s 2048 -w smtp.tcpdump '(src 192.168.1.22 or dst 192.168.1.22) and port 25'

You can monitor the SMTP activity to find out which mail account a spammer is using.
The above command captures the SMTP traffic to or from the IP address 192.168.1.4 and logs it to the file smtp.tcpdump.

Use the following command to monitor a range of IPs:

tcpdump -i eth0 -n -s 2048 -w smtp.tcpdump '(src net 119.91.0.0/16 or dst net 119.91.0.0/16) and port 25'

The above command captures traffic for the IP range 119.91.0.0/16, that is, addresses starting with 119.91. You can use Wireshark to analyze the dump file.

On a VPS, use the interface venet0:0 instead of eth0.

tcpdump [ -AdDeflLnNOpqRStuUvxX ] [ -c count ]
[ -C file_size ] [ -F file ]
[ -i interface ] [ -m module ] [ -M secret ]
[ -r file ] [ -s snaplen ] [ -T type ] [ -w file ]
[ -W filecount ]
[ -E spi@ipaddr algo:secret,... ]
[ -y datalinktype ] [ -Z user ]
SBDavid

chkservd service monitor


chkservd is a service running on cPanel servers. It monitors other services; if any service monitored by chkservd is found down, chkservd restarts it and notifies the server admin.

You can start and stop chkservd with the following commands:

service chkservd start
service chkservd stop
/etc/rc.d/init.d/chkservd start
/etc/rc.d/init.d/chkservd stop

cPanel offers ‘chkservd’, a monitoring daemon that watches the services on the server and restarts them if they are found offline.