I have a personal VPS for my blog and side projects. Recently I noticed something fishy is going on on my server: some bins are gone, ssh last login IPs belong to a docker container even if it's me, etc.

I currently have no way to confirm if my server is compromised, and if it is, how it is compromised. The only security measure I have is disallowing ssh login via password.

I wonder if there are books or resources on how to:

1. Monitor the security of a Linux server, e.g., successful ssh logins, files written to where there shouldn't be any writes, etc.
2. Alert when an intrusion happens.
3. Some way of telling if the current server is compromised.
4. If the server is compromised, a report on what the intruder actually did.

My knowledge in the server security area is pretty scant; if there are other things I should pay attention to, please let me know.
Well, for part of your question you can use Rootkit Hunter (http://rkhunter.sourceforge.net).

Googling "hardening <your distro>" should give a lot of info on best practices.
OSSEC is good for monitoring logs, system files, etc., as well as alerting (and blocking traffic if you want) when anything suspicious happens.

It takes a bit of work to set up but is worth it, and it includes lots of basic checks by default.

https://www.ossec.net/
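As an added illustration of the two signals the original poster asks about (successful ssh logins from unexpected sources, and writes to files that should never change), and of the kind of log and file-integrity check OSSEC automates, here is a small stand-alone script. It is example code written for this page, not code from the thread, from rkhunter or from OSSEC. The auth.log lines are constructed (they follow OpenSSH's "Accepted ... for ... from ..." message format), the trusted network 203.0.113.0/24 is an assumed admin address range, and 172.17.0.0/16 is Docker's default bridge network, which is why a login "from" that range is flagged the way the poster described.

```python
"""Added example: flag unexpected SSH logins and detect changed or missing files.

Not from the original thread; sample data and networks below are constructed
or assumed. Run the file directly to see the report on the sample data.
"""
import hashlib
import ipaddress
import re
import tempfile
from pathlib import Path

# Constructed sample auth.log lines in OpenSSH's sshd message format.
SAMPLE_AUTH_LOG = """\
Mar  3 08:12:01 vps sshd[1201]: Accepted publickey for deploy from 203.0.113.7 port 51022 ssh2: ED25519 SHA256:EXAMPLE
Mar  3 08:13:44 vps sshd[1210]: Failed password for root from 198.51.100.23 port 40110 ssh2
Mar  3 09:02:10 vps sshd[1300]: Accepted publickey for deploy from 172.17.0.5 port 38002 ssh2: ED25519 SHA256:EXAMPLE
Mar  3 09:05:00 vps sshd[1311]: Accepted password for admin from 198.51.100.23 port 40200 ssh2
"""

# Assumption: the admin only ever connects from this range; anything else is suspicious.
TRUSTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]
# Docker's default bridge network; a login sourced from here deserves its own flag.
CONTAINER_NETS = [ipaddress.ip_network("172.17.0.0/16")]

# Matches only successful logins; failed attempts use a different message.
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)


def classify_login(user, ip_str, method):
    """Return the list of reasons a successful login is suspicious (empty if it looks normal)."""
    ip = ipaddress.ip_address(ip_str)
    reasons = []
    if any(ip in net for net in CONTAINER_NETS):
        reasons.append("source is a container address")
    elif not any(ip in net for net in TRUSTED_NETS):
        reasons.append("source outside trusted networks")
    if method == "password":
        # The poster disabled password logins, so any password login is unexpected.
        reasons.append("password auth used although only keys are expected")
    return reasons


def find_suspicious_logins(log_text):
    """Scan sshd log text and return (user, ip, reasons) for each suspicious accepted login."""
    findings = []
    for line in log_text.splitlines():
        match = ACCEPTED_RE.search(line)
        if not match:
            continue
        reasons = classify_login(match["user"], match["ip"], match["method"])
        if reasons:
            findings.append((match["user"], match["ip"], reasons))
    return findings


def build_baseline(paths):
    """Record SHA-256 of each file; run this once while the system is known-good."""
    return {str(p): hashlib.sha256(Path(p).read_bytes()).hexdigest() for p in paths}


def check_baseline(baseline):
    """Compare the current files against the baseline; report 'missing' or 'modified' per path."""
    changes = {}
    for path, digest in baseline.items():
        p = Path(path)
        if not p.exists():
            changes[path] = "missing"
        elif hashlib.sha256(p.read_bytes()).hexdigest() != digest:
            changes[path] = "modified"
    return changes


def demo_baseline():
    """Constructed demonstration: baseline two files, then delete one and alter the other."""
    with tempfile.TemporaryDirectory() as tmp:
        binary = Path(tmp) / "ls"
        config = Path(tmp) / "sshd_config"
        binary.write_bytes(b"original binary contents")
        config.write_text("PasswordAuthentication no\n")
        baseline = build_baseline([binary, config])
        binary.unlink()  # simulates a binary that has "gone missing"
        config.write_text("PasswordAuthentication yes\n")  # simulates a tampered config
        return check_baseline(baseline)


if __name__ == "__main__":
    for user, ip, reasons in find_suspicious_logins(SAMPLE_AUTH_LOG):
        print(f"ALERT login user={user} from={ip}: {'; '.join(reasons)}")
    for path, state in demo_baseline().items():
        print(f"ALERT file {path}: {state}")
```

In practice the baseline dictionary would be stored off the host (an attacker who can replace binaries can also edit a local manifest), and the login scan would run over the real `/var/log/auth.log` or `journalctl -u ssh` output rather than the constructed sample.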