New to Ubuntu Server, which logs to monitor and what to do [closed]

Solution 1:

I suggest you look at the logcheck package - it monitors most (if not all) relevant logs and sends you hourly summaries of any and all suspect entries. Note it sends e-mail, so you have to set up a server for that too...

As to failed SSH logins, I suggest you look at using a firewall to block all access by unknown hosts - try looking at Ubuntu's "Uncomplicated FireWall", ufw.

Finally, I suggest you go look at the official Ubuntu Server Guide.

(For good measure, I usually install these on all servers: munin for monitoring, backupninja (name says all), etckeeper for keeping track of /etc and, as mentioned, logcheck.)

Solution 2:

I'd tend to use logwatch, rather than logcheck (although that's a matter of taste more than anything). For securing ssh, I'd start by installing fail2ban, which will block those who continually fail to log in. I wouldn't bother changing the ssh port; it's still trivial to find, due to ssh's connection string, and is really more trouble than it is a benefit. Also, you should forbid root logins over ssh, by changing PermitRootLogin in /etc/ssh/sshd_config to 'no'.

I can't tell you how to track down previous large amounts of traffic, but netstat/lsof -i would give you lists of connections, which may help if you see it again.
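Added example (not code from either answer): a small Python sketch of the rule fail2ban's sshd jail applies to the "Failed password" lines in /var/log/auth.log, run over constructed sample lines, which also shows the kind of entry logcheck/logwatch would summarise. It assumes Ubuntu's default syslog line format for sshd and a constructed year for the timestamps.

```python
import re
from collections import defaultdict
from datetime import datetime

# sshd "Failed password" lines as they appear in Ubuntu's /var/log/auth.log.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2"
)

# Constructed sample log lines (TEST-NET addresses), not captured traffic.
SAMPLE_AUTH_LOG = """\
Mar  3 10:00:01 srv sshd[1201]: Failed password for root from 203.0.113.5 port 40001 ssh2
Mar  3 10:00:05 srv sshd[1203]: Failed password for root from 203.0.113.5 port 40002 ssh2
Mar  3 10:00:09 srv sshd[1205]: Failed password for invalid user admin from 203.0.113.5 port 40003 ssh2
Mar  3 10:00:13 srv sshd[1207]: Failed password for root from 203.0.113.5 port 40004 ssh2
Mar  3 10:00:17 srv sshd[1209]: Failed password for root from 203.0.113.5 port 40005 ssh2
Mar  3 10:05:00 srv sshd[1211]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Mar  3 10:20:00 srv sshd[1213]: Failed password for alice from 198.51.100.7 port 51001 ssh2
Mar  3 10:35:00 srv sshd[1215]: Failed password for alice from 198.51.100.7 port 51002 ssh2
Mar  3 10:36:12 srv sshd[1217]: Accepted publickey for alice from 198.51.100.7 port 51003 ssh2
Mar  3 10:40:30 srv sshd[1219]: Failed password for invalid user test from 192.0.2.9 port 60000 ssh2
""".splitlines()

def parse_failed_logins(lines, year=2024):
    """Yield (timestamp, user, ip) for every failed-password line."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:  # syslog timestamps carry no year, so one is supplied (assumed)
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]

def offending_ips(lines, maxretry=5, findtime=600):
    """Return {ip: total_failures} for source IPs that reach maxretry
    failures within any findtime-second window (fail2ban's sshd jail rule)."""
    by_ip = defaultdict(list)
    for ts, _user, ip in parse_failed_logins(lines):
        by_ip[ip].append(ts)
    hits = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while (ts - stamps[start]).total_seconds() > findtime:
                start += 1  # slide the window forward past old failures
            if end - start + 1 >= maxretry:
                hits[ip] = len(stamps)
                break
    return hits
```

Calling `offending_ips(SAMPLE_AUTH_LOG)` flags only 203.0.113.5: the three slow failures from 198.51.100.7 never fall inside one ten-minute window, which is why the per-window threshold, not a raw count, decides what gets blocked.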