Linux Server Security Monitoring: Essential Commands

Linux server security monitoring has become an essential practice for organizations of all sizes in today’s threat landscape. With cyber attacks increasing in frequency and sophistication, system administrators must implement comprehensive monitoring strategies to protect their infrastructure. This guide provides practical, actionable techniques for detecting threats, analyzing suspicious activities, and maintaining robust security posture across your Linux environment.

For comprehensive security best practices, the NIST Cybersecurity Framework provides excellent guidance on implementing security monitoring within organizational contexts. Additionally, the Linux Security Module documentation offers detailed insights into kernel-level security implementations.

Effective security monitoring requires more than just running commands – it demands a systematic approach to log analysis, threat detection, and incident response. By implementing the strategies and tools discussed in this comprehensive guide, you’ll be equipped to identify potential security breaches before they escalate into major incidents.

How to Detect SSH Attack Patterns in Linux?

SSH (Secure Shell) represents one of the most common attack vectors for Linux servers, making SSH security monitoring a critical component of any security strategy. Attackers frequently target SSH services through brute force attacks, dictionary attacks, and credential stuffing attempts. Understanding these attack patterns is crucial for implementing effective detection mechanisms.

The OpenSSH documentation provides comprehensive guidance on SSH security hardening, while the SANS Institute’s SSH Security Guide offers detailed best practices for SSH deployment and monitoring. For additional protection, tools like Fail2Ban can automatically block suspicious IP addresses based on authentication failures.

The primary command for monitoring SSH attacks leverages journalctl to analyze system logs and identify failed authentication attempts. This approach provides real-time visibility into potential security threats while maintaining minimal system overhead. The command structure allows for flexible analysis of authentication logs, enabling administrators to quickly identify suspicious activity patterns.

journalctl -u ssh -n 1000 | grep "Failed password" | awk '{print $(NF-3)}' | sort | uniq -c | sort -nr | head -10

This command systematically processes the last 1000 SSH service log entries, filters for failed password attempts, extracts the source IP addresses, and presents them in order of attack frequency. The output reveals which IP addresses are most actively attempting to compromise your system, providing actionable intelligence for security response.

How to set up advanced SSH security monitoring techniques?

Beyond basic failed login detection, comprehensive SSH security monitoring requires multiple analytical approaches to capture the full spectrum of potential threats. Advanced monitoring techniques include analyzing successful login patterns, monitoring session durations, and tracking unusual connection behaviors that might indicate compromised accounts or insider threats.

Real-time SSH monitoring provides immediate visibility into ongoing attacks, allowing for rapid response to security incidents. The following command establishes a continuous monitoring stream that displays failed authentication attempts as they occur, including timestamps and source information for immediate threat assessment.

# Real-time SSH attack monitoring with detailed information
tail -f /var/log/auth.log | grep "Failed password" | awk '{print $1, $2, $3, $(NF-3), "failed login from", $(NF-5)}'

# Monitor successful SSH connections for anomaly detection
journalctl -u ssh -f | grep "Accepted password" | awk '{print $1, $2, $3, "SUCCESS:", $(NF-3), "user:", $(NF-5)}'

# Track SSH connection duration and patterns
last | head -20 | awk '{if($3 != "reboot") print $1, $3, $4, $5, $6, $7, $8, $9, $10}'

These monitoring techniques enable administrators to establish baseline behaviors for legitimate users while quickly identifying deviations that might indicate security incidents. Regular analysis of SSH access patterns helps distinguish between normal administrative activity and potential security threats.

For ssh tips look here.

How to Monitor System Resources for Security Threats?

System resource monitoring plays a crucial role in Linux server security by detecting anomalous behavior that might indicate security compromises. Unusual CPU usage patterns, unexpected memory consumption, and abnormal disk activity can all signal potential security incidents, from cryptocurrency mining malware to data exfiltration attempts.

Comprehensive resource monitoring involves tracking multiple system metrics simultaneously to identify correlations that might indicate security threats. High CPU usage combined with unusual network activity, for example, might suggest a compromised system being used for distributed denial-of-service attacks or cryptojacking operations.

# Monitor CPU-intensive processes for potential security threats
ps aux --sort=-%cpu | head -20 | awk 'NR==1 {print $0} NR>1 && $3>50 {print "⚠️  HIGH CPU:", $0}'

# Advanced memory usage analysis with security focus
ps aux --sort=-%mem | head -15 | awk 'NR==1 {print $0} NR>1 {printf "PID: %s CPU: %s%% MEM: %s%% USER: %s CMD: %s\n", $2, $3, $4, $1, $11}'

# Detect unusual process behavior patterns
ps aux | awk '$3 > 10 || $4 > 10 {print "Suspicious process:", $2, $1, $3"% CPU", $4"% MEM", $11}'

These monitoring commands provide real-time visibility into system resource utilization while highlighting processes that exhibit potentially malicious behavior. Regular execution of these commands helps establish baseline system behavior and quickly identify deviations that warrant further investigation.

How to Monitor Network Connections for Security?

Network connection monitoring forms a critical component of comprehensive Linux server security, providing visibility into both inbound and outbound traffic patterns that might indicate security incidents. Monitoring network connections helps identify unauthorized access attempts, data exfiltration activities, and command-and-control communications that characterize advanced persistent threats.

For advanced network monitoring capabilities, tools like Wireshark provide deep packet inspection, while ntopng offers real-time network traffic analysis. The OWASP Network Security Testing Guide provides comprehensive methodologies for network security assessment.

Effective network monitoring requires analyzing connection states, port usage patterns, and traffic volume to detect anomalies that might indicate security compromises. Unusual outbound connections, unexpected listening services, and abnormal connection patterns can all signal potential security incidents requiring immediate attention.

# Comprehensive network connection analysis
netstat -tuln | awk '/^tcp/ {split($4,a,":"); ports[a[length(a)]]++} END {for(p in ports) print "Port", p":", ports[p], "connections"}'

# Monitor established connections for anomaly detection
netstat -tupln | awk '/^tcp.*ESTABLISHED/ {print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr | head -10

# Advanced port scanning detection
ss -tuln | awk '/^tcp/ {split($4,a,":"); if(a[length(a)] > 1024 && a[length(a)] < 65535) print "Custom port:", $4}' | head -10

These network monitoring techniques enable administrators to maintain visibility into network traffic patterns while quickly identifying suspicious activities that might indicate security breaches. Regular network connection analysis helps establish normal traffic baselines and detect deviations that warrant security investigation.

How to Analyze Security Logs and Correlate Events?

Log analysis represents the foundation of effective Linux server security monitoring, providing detailed records of system activities that can reveal security incidents and attack patterns. Comprehensive log analysis involves correlating events across multiple log sources to identify complex attack scenarios that might not be apparent when examining individual log files.

The Elastic Stack (ELK) provides powerful log aggregation and analysis capabilities, while Splunk offers enterprise-grade log management solutions. For open-source alternatives, Graylog and Fluentd provide robust logging infrastructure. The Linux System Administrator’s Guide offers comprehensive coverage of log management best practices.

Effective log analysis requires systematic approaches to parsing, filtering, and correlating log entries across different system components. Security-focused log analysis concentrates on authentication events, privilege escalation attempts, and system modifications that might indicate security compromises or policy violations.

# Comprehensive sudo usage monitoring and analysis
journalctl -n 1000 | grep sudo | awk '{print $1, $2, $3, $5, $6, $7, $8, $9, $10}' | tail -20

# Detect privilege escalation attempts and failures
grep -i "sudo.*fail\|su.*fail" /var/log/auth.log | tail -15 | awk '{print $1, $2, $3, "FAILED:", $5, $6, $7}'

# Monitor system authentication events comprehensively
journalctl _COMM=su -n 100 | grep -v "session opened" | tail -10

These log analysis techniques provide deep visibility into system authentication and authorization activities, enabling administrators to detect unauthorized access attempts and privilege escalation activities that might indicate security incidents.

How to Monitor File System Security and Check Integrity?

File system security monitoring focuses on detecting unauthorized modifications to critical system files, configuration changes, and suspicious file activities that might indicate security compromises. This monitoring approach helps identify tampering attempts, malware installation, and unauthorized system modifications that could compromise server security.

Tools like AIDE (Advanced Intrusion Detection Environment) and Tripwire provide comprehensive file integrity monitoring capabilities. The Linux File System Hierarchy Standard offers detailed guidance on critical system directories that require monitoring. For real-time file monitoring, inotify-tools provides efficient kernel-level file system event monitoring.

Comprehensive file system monitoring involves tracking modifications to critical directories, monitoring file permissions changes, and detecting the presence of suspicious files that might indicate security incidents. Regular file system auditing helps maintain system integrity and quickly identify unauthorized changes.

# Monitor critical system directory modifications
find /etc /usr/bin /usr/sbin -type f -mtime -1 | head -25 | while read file; do ls -la "$file"; done

# Advanced SUID file monitoring for security threats
find / -perm -4000 -type f 2>/dev/null | grep -v "/usr/bin/\|/bin/\|/usr/sbin/" | head -10

# Detect suspicious file modifications and access patterns
find /tmp /var/tmp -type f -mtime -1 | xargs ls -la 2>/dev/null | head -15

These file system monitoring commands provide comprehensive visibility into file system activities while highlighting modifications that might indicate security incidents. Regular file system auditing helps maintain system integrity and detect unauthorized changes that could compromise security.

How to Implement Advanced Network Security Monitoring?

Advanced network security monitoring extends beyond basic connection tracking to include deep packet inspection, traffic analysis, and behavioral monitoring that can detect sophisticated attack patterns. These techniques help identify advanced persistent threats, data exfiltration attempts, and command-and-control communications that characterize modern cyber attacks.

Sophisticated network monitoring involves analyzing traffic patterns, connection behaviors, and protocol usage to detect anomalies that might indicate security incidents. This approach requires combining multiple monitoring techniques to provide comprehensive visibility into network activities while maintaining system performance.

# Advanced port scanning and enumeration detection
netstat -tuln | grep LISTEN | awk '{print $4}' | cut -d: -f2 | sort -n | uniq -c | sort -nr | head -10

# Monitor unusual network service patterns
ss -tuln | awk '/^tcp.*LISTEN/ {split($4,a,":"); if(a[length(a)] > 1024) print "High port service:", $4}' | head -10

# Detect potential network reconnaissance activities
netstat -an | grep SYN_RECV | wc -l | awk '{if($1 > 10) print "Potential port scan detected:", $1, "half-open connections"}'

These advanced network monitoring techniques enable administrators to detect sophisticated attack patterns while maintaining visibility into network activities that might indicate security threats. Regular network analysis helps establish baseline behaviors and identify deviations that warrant security investigation.

How to Monitor Firewall and Access Controls?

Firewall monitoring provides critical visibility into network access attempts, blocked connections, and policy violations that might indicate security incidents. Comprehensive firewall monitoring involves analyzing both allowed and denied connections to identify attack patterns and policy effectiveness.

The iptables documentation provides comprehensive guidance on Linux firewall management, while UFW (Uncomplicated Firewall) offers simplified firewall configuration. For advanced firewall management, pfSense provides enterprise-grade firewall capabilities. The Linux Firewall Tutorial offers detailed technical implementation guidance.

Effective firewall monitoring requires systematic analysis of firewall logs, rule effectiveness assessment, and connection pattern analysis to detect security threats. This monitoring approach helps identify both successful attacks that bypassed firewall rules and unsuccessful attempts that might indicate ongoing attack campaigns.

# Comprehensive iptables rule analysis and monitoring
iptables -L -n --line-numbers | grep DROP | head -15 | awk '{print "Rule", $1":", $2, $3, $4, $5}'

# Monitor recent firewall blocking activities
journalctl -u ufw -n 200 | grep BLOCK | tail -15 | awk '{print $1, $2, $3, "BLOCKED:", $6, $7, $8}'

# Advanced firewall log analysis for threat detection
grep -i "denied\|blocked\|dropped" /var/log/ufw.log | tail -10 | awk '{print $1, $2, $3, $6, $7, $8}'

These firewall monitoring techniques provide comprehensive visibility into access control effectiveness while highlighting potential security threats that might require immediate attention. Regular firewall analysis helps maintain security policy effectiveness and detect attack patterns.

How to implement an automated security monitoring dashboard?

Automated security monitoring dashboards provide centralized visibility into multiple security metrics while reducing the manual effort required for comprehensive security monitoring. These dashboards consolidate information from various sources to provide real-time security status and threat detection capabilities.

Comprehensive security dashboards integrate multiple monitoring techniques to provide holistic security visibility while automating routine security checks. This approach enables continuous monitoring while reducing the administrative overhead associated with manual security analysis.

#!/bin/bash
# Comprehensive Linux Server Security Monitoring Dashboard

echo "======================================="
echo "Linux Server Security Monitoring Dashboard"
echo "Server: $(hostname)"
echo "Generated: $(date)"
echo "======================================="

echo -e "\n SSH Security Analysis:"
echo "Recent Failed Login Attempts:"
journalctl -u ssh -n 1000 | grep "Failed password" | awk '{print $(NF-3)}' | sort | uniq -c | sort -nr | head -5 | awk '{printf "  %s attempts from %s\n", $1, $2}'

echo -e "\n System Resource Security Status:"
CPU_USAGE=$(top -bn1 | grep "Cpu(s)" | sed "s/.*, *\([0-9.]*\)%* id.*/\1/" | awk '{print 100 - $1}')
MEM_USAGE=$(free | grep Mem | awk '{printf "%.1f", $3/$2 * 100.0}')
DISK_USAGE=$(df -h / | awk 'NR==2{print $5}' | sed 's/%//')

echo "  CPU Usage: ${CPU_USAGE}%"
echo "  Memory Usage: ${MEM_USAGE}%"
echo "  Disk Usage: ${DISK_USAGE}%"

if (( $(echo "$CPU_USAGE > 80" | bc -l) )); then
    echo "    HIGH CPU USAGE DETECTED"
fi

if (( $(echo "$MEM_USAGE > 85" | bc -l) )); then
    echo "    HIGH MEMORY USAGE DETECTED"
fi

echo -e "\n Network Security Status:"
echo "Active Listening Ports:"
netstat -tuln | awk '/^tcp.*LISTEN/ {print $4}' | cut -d: -f2 | sort -n | uniq -c | sort -nr | head -5 | awk '{printf "  Port %s: %s connections\n", $2, $1}'

echo -e "\n Recent Security Events:"
journalctl -n 200 | grep -i "fail\|error\|denied\|blocked" | tail -5 | awk '{print "  " $1, $2, $3, $5, $6, $7, $8}'

echo -e "\n Process Security Analysis:"
echo "Top CPU-consuming processes:"
ps aux --sort=-%cpu | head -6 | awk 'NR==1 {print "  " $0} NR>1 {printf "  %-10s %5s%% %5s%% %s\n", $1, $3, $4, $11}'

echo -e "\n  Security Recommendations:"
FAILED_LOGINS=$(journalctl -u ssh -n 1000 | grep "Failed password" | wc -l)
if [ "$FAILED_LOGINS" -gt 50 ]; then
    echo "   High number of failed SSH attempts detected ($FAILED_LOGINS)"
    echo "  Consider implementing fail2ban or rate limiting"
fi

if [ "$DISK_USAGE" -gt 90 ]; then
    echo "   Disk space critically low"
    echo "  Investigate potential disk-based attacks"
fi

echo -e "\n======================================="
echo "Security monitoring completed at $(date)"
echo "======================================="

This comprehensive dashboard provides automated security monitoring with real-time threat detection capabilities while maintaining system performance and usability.

How to implement best practices for enterprise security monitoring?

Enterprise-level Linux server security monitoring requires sophisticated approaches that scale across multiple systems while maintaining centralized visibility and control. These best practices encompass automated alerting, centralized logging, and comprehensive incident response procedures that enable organizations to effectively manage security threats.

The ISO 27001 Standard provides comprehensive guidelines for information security management systems, while NIST SP 800-53 offers detailed security controls for federal information systems. For enterprise monitoring solutions, Nagios and Zabbix provide comprehensive infrastructure monitoring capabilities. The SANS Institute’s Security Monitoring Guide offers practical guidance for implementing enterprise security monitoring programs.

Successful enterprise security monitoring implementations combine multiple monitoring techniques with automated response capabilities to provide comprehensive threat detection and response. This approach requires careful planning, tool selection, and process development to ensure effective security monitoring across complex environments.

# Enterprise-grade automated security alerting system
cat > /usr/local/bin/security_alert.sh << 'EOF'
#!/bin/bash
ALERT_EMAIL="security@company.com"
HOSTNAME=$(hostname)
THRESHOLD_FAILED_LOGINS=100
THRESHOLD_CPU=85
THRESHOLD_MEM=90

# Check for SSH attacks
FAILED_LOGINS=$(journalctl -u ssh -n 1000 | grep "Failed password" | wc -l)
if [ "$FAILED_LOGINS" -gt "$THRESHOLD_FAILED_LOGINS" ]; then
    echo "SECURITY ALERT: $FAILED_LOGINS failed SSH attempts on $HOSTNAME" | mail -s "SSH Attack Alert - $HOSTNAME" $ALERT_EMAIL
fi

# Monitor system resources for anomalies
CPU_USAGE=$(top -bn1 | grep "Cpu(s)" | sed "s/.*, *\([0-9.]*\)%* id.*/\1/" | awk '{print 100 - $1}')
if (( $(echo "$CPU_USAGE > $THRESHOLD_CPU" | bc -l) )); then
    echo "SECURITY ALERT: High CPU usage ($CPU_USAGE%) on $HOSTNAME - potential crypto mining" | mail -s "Resource Alert - $HOSTNAME" $ALERT_EMAIL
fi

# Check for unusual processes
ps aux | awk '$3 > 50 {print $2, $1, $3, $4, $11}' | while read line; do
    echo "SECURITY ALERT: Suspicious high-CPU process on $HOSTNAME: $line" | mail -s "Process Alert - $HOSTNAME" $ALERT_EMAIL
done
EOF

chmod +x /usr/local/bin/security_alert.sh

# Add to crontab for regular monitoring
echo "*/15 * * * * /usr/local/bin/security_alert.sh" | crontab -

This enterprise-grade monitoring solution provides automated threat detection with immediate alerting capabilities while maintaining scalability across multiple systems.

How to implement intrusion detection and advanced threat analysis?

Advanced intrusion detection involves sophisticated analysis techniques that can identify complex attack patterns and advanced persistent threats that might evade traditional security monitoring. These techniques require deep understanding of system behaviors and attack methodologies to effectively detect sophisticated threats.

The MITRE ATT&CK Framework provides comprehensive mapping of adversary tactics and techniques, while Suricata offers advanced intrusion detection capabilities. For behavioral analysis, OSSEC provides host-based intrusion detection, and Snort offers network-based intrusion detection. The Center for Internet Security (CIS) Controls provides actionable guidelines for implementing effective intrusion detection systems.

Comprehensive intrusion detection combines behavioral analysis, signature detection, and anomaly detection to provide multi-layered threat identification capabilities. This approach enables detection of both known attack patterns and novel threats that might not match established signatures.

# Advanced rootkit and malware detection techniques
echo "=== Advanced Intrusion Detection Analysis ==="

# Check for suspicious kernel modules
lsmod | awk 'NR>1 {print $1, $2, $3}' | while read name size used; do
    if [ "$size" -lt 1000 ] && [ "$used" -eq 0 ]; then
        echo "Suspicious kernel module: $name (size: $size, used: $used)"
    fi
done

# Detect hidden processes and rootkit signatures
ps aux | awk '{print $2}' | sort -n > /tmp/ps_pids
ls /proc | grep '^[0-9]*$' | sort -n > /tmp/proc_pids
diff /tmp/ps_pids /tmp/proc_pids | grep '>' | awk '{print "Hidden process detected: PID " $2}'

# Monitor for unusual system calls and behaviors
netstat -tulpn | grep LISTEN | awk '{print $4, $7}' | while read port process; do
    if [[ "$port" =~ :[0-9]{4,5}$ ]] && [[ "$process" != *"/usr/"* ]] && [[ "$process" != *"/bin/"* ]]; then
        echo "Suspicious listening process: $process on $port"
    fi
done

# Advanced file system integrity monitoring
find /usr/bin /usr/sbin /bin /sbin -type f -executable | while read file; do
    if [ -w "$file" ]; then
        echo "World-writable executable detected: $file"
    fi
done

# Detect unusual network connections and behaviors
netstat -an | grep ESTABLISHED | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr | head -5 | while read count ip; do
    if [ "$count" -gt 20 ]; then
        echo "High connection count to $ip: $count connections"
    fi
done

rm -f /tmp/ps_pids /tmp/proc_pids

These advanced intrusion detection techniques provide comprehensive threat analysis capabilities while maintaining system performance and reliability.

How to perform security event correlation and analysis?

Security event correlation involves analyzing multiple data sources simultaneously to identify complex attack patterns that might not be apparent when examining individual security events. This approach enables detection of sophisticated attacks that span multiple systems and timeframes.

Effective security event correlation requires systematic approaches to log aggregation, event timeline analysis, and pattern recognition that can identify coordinated attacks and advanced persistent threats. This capability is essential for detecting sophisticated adversaries who employ multiple attack vectors simultaneously.

# Comprehensive security event correlation system
cat > /usr/local/bin/security_correlator.sh << 'EOF'
#!/bin/bash

WORK_DIR="/tmp/security_correlation"
mkdir -p "$WORK_DIR"

echo "=== Security Event Correlation Analysis ==="
echo "Analysis started: $(date)"

# Collect authentication events
journalctl -u ssh -n 2000 | grep -E "(Failed password|Accepted password)" > "$WORK_DIR/auth_events.log"

# Collect system events
journalctl -n 2000 | grep -E "(sudo|su|LOGIN|LOGOUT)" > "$WORK_DIR/system_events.log"

# Collect network events
netstat -tuln | grep -E "(ESTABLISHED|LISTEN)" > "$WORK_DIR/network_events.log"

# Analyze correlation patterns
echo -e "\n--- Authentication vs System Events Correlation ---"
grep "Failed password" "$WORK_DIR/auth_events.log" | awk '{print $3, $(NF-3)}' | sort | uniq -c | sort -nr | head -5 | while read count time ip; do
    echo "IP $ip had $count failed attempts around $time"
    grep "$time" "$WORK_DIR/system_events.log" | grep -i "sudo\|su" | head -3
done

# Timeline analysis
echo -e "\n--- Security Event Timeline ---"
(grep "Failed password" "$WORK_DIR/auth_events.log" | awk '{print $1, $2, $3, "AUTH_FAIL", $(NF-3)}';
 grep "sudo" "$WORK_DIR/system_events.log" | awk '{print $1, $2, $3, "SUDO", $5}') | sort -k1,3 | tail -10

# Network correlation
echo -e "\n--- Network Security Correlation ---"
grep "ESTABLISHED" "$WORK_DIR/network_events.log" | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr | head -5 | while read count ip; do
    if [ "$count" -gt 10 ]; then
        echo "High activity IP: $ip ($count connections)"
        grep "$ip" "$WORK_DIR/auth_events.log" | head -2
    fi
done

# Cleanup
rm -rf "$WORK_DIR"
echo -e "\nAnalysis completed: $(date)"
EOF

chmod +x /usr/local/bin/security_correlator.sh

This security event correlation system provides comprehensive analysis capabilities for detecting complex attack patterns and coordinated threats.

How to implement continuous monitoring and alerting systems?

Continuous monitoring systems provide real-time security visibility while automating routine security checks and alerting processes. These systems enable organizations to maintain constant security awareness while reducing the manual effort required for comprehensive security monitoring.

The NIST Continuous Monitoring Guide provides comprehensive guidance for implementing continuous monitoring programs, while Prometheus and Grafana offer powerful monitoring and visualization capabilities. For security-specific continuous monitoring, OSSIM provides unified security management, and Security Onion offers comprehensive network security monitoring. The Linux Foundation’s Security Best Practices provide essential guidance for secure system administration.

Effective continuous monitoring combines automated data collection, real-time analysis, and intelligent alerting to provide comprehensive security coverage. This approach ensures that security incidents are detected and responded to promptly while minimizing false positive alerts that can overwhelm security teams.

# Comprehensive continuous monitoring daemon
cat > /usr/local/bin/security_monitor_daemon.sh << 'EOF'
#!/bin/bash

LOGFILE="/var/log/security_monitor.log"
ALERT_EMAIL="security@company.com"
MONITORING_INTERVAL=60  # seconds
HOSTNAME=$(hostname)

# Initialize monitoring
echo "Security monitoring daemon started at $(date)" >> "$LOGFILE"

# Main monitoring loop
while true; do
    TIMESTAMP=$(date)
    
    # SSH monitoring
    FAILED_SSH=$(journalctl -u ssh --since "1 minute ago" | grep "Failed password" | wc -l)
    if [ "$FAILED_SSH" -gt 5 ]; then
        echo "$TIMESTAMP: SSH attack detected - $FAILED_SSH failed attempts" >> "$LOGFILE"
        echo "SSH Attack Alert: $FAILED_SSH failed attempts in last minute on $HOSTNAME" | mail -s "SSH Attack - $HOSTNAME" $ALERT_EMAIL
    fi
    
    # Resource monitoring
    CPU_USAGE=$(top -bn1 | grep "Cpu(s)" | sed "s/.*, *\([0-9.]*\)%* id.*/\1/" | awk '{print 100 - $1}')
    if (( $(echo "$CPU_USAGE > 90" | bc -l) )); then
        echo "$TIMESTAMP: High CPU usage detected - $CPU_USAGE%" >> "$LOGFILE"
    fi
    
    # Network monitoring
    ESTABLISHED_CONN=$(netstat -an | grep ESTABLISHED | wc -l)
    if [ "$ESTABLISHED_CONN" -gt 200 ]; then
        echo "$TIMESTAMP: High network activity - $ESTABLISHED_CONN connections" >> "$LOGFILE"
    fi
    
    # Process monitoring
    SUSPICIOUS_PROC=$(ps aux | awk '$3 > 80 {print $2, $11}' | wc -l)
    if [ "$SUSPICIOUS_PROC" -gt 0 ]; then
        echo "$TIMESTAMP: Suspicious high-CPU processes detected" >> "$LOGFILE"
        ps aux | awk '$3 > 80 {print $2, $11}' >> "$LOGFILE"
    fi
    
    # File system monitoring
    DISK_USAGE=$(df -h / | awk 'NR==2{print $5}' | sed 's/%//')
    if [ "$DISK_USAGE" -gt 95 ]; then
        echo "$TIMESTAMP: Critical disk usage - $DISK_USAGE%" >> "$LOGFILE"
        echo "Disk Space Alert: $DISK_USAGE% usage on $HOSTNAME" | mail -s "Disk Alert - $HOSTNAME" $ALERT_EMAIL
    fi
    
    sleep "$MONITORING_INTERVAL"
done
EOF

chmod +x /usr/local/bin/security_monitor_daemon.sh

# Create systemd service for continuous monitoring
cat > /etc/systemd/system/security-monitor.service << 'EOF'
[Unit]
Description=Security Monitor Daemon
After=network.target

[Service]
Type=simple
User=root
ExecStart=/usr/local/bin/security_monitor_daemon.sh
Restart=always
RestartSec=10

[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload
systemctl enable security-monitor.service
systemctl start security-monitor.service

This continuous monitoring system provides comprehensive real-time security coverage with automated alerting capabilities.

How to implement security monitoring best practices?

Effective Linux server security monitoring requires a comprehensive, multi-layered approach that combines automated tools, manual analysis, and continuous improvement processes. The techniques and commands outlined in this guide provide a solid foundation for implementing robust security monitoring across diverse Linux environments.

Successful security monitoring implementations require ongoing attention, regular updates, and continuous refinement based on emerging threats and changing infrastructure requirements. Organizations must balance security monitoring thoroughness with system performance and operational efficiency to maintain effective security posture.

Key Security Monitoring Principles:

• Implement multiple monitoring layers for comprehensive coverage
• Automate routine security checks while maintaining manual oversight capabilities
• Establish baseline behaviors to improve anomaly detection accuracy
• Integrate security monitoring with incident response procedures
• Regularly update monitoring techniques based on emerging threats
• Maintain centralized logging and analysis capabilities for enterprise environments
• Balance security monitoring thoroughness with system performance requirements

Essential Security Monitoring Components:

• SSH attack detection and brute force monitoring
• System resource analysis for anomaly detection
• Network connection monitoring and traffic analysis
• Log correlation and security event analysis
• File system integrity monitoring and change detection
• Automated alerting and incident response integration
• Continuous monitoring and real-time threat detection

Implementation Recommendations:

• Start with basic monitoring commands and gradually implement advanced techniques
• Customize monitoring thresholds based on your specific environment and requirements
• Integrate monitoring tools with existing security infrastructure and procedures
• Train administrative staff on security monitoring techniques and incident response
• Regularly review and update monitoring configurations based on threat intelligence
• Document monitoring procedures and maintain incident response playbooks
• Test monitoring systems regularly to ensure continued effectiveness

Remember that security monitoring is an ongoing process requiring continuous attention and improvement. The threat landscape evolves constantly, and your monitoring capabilities must evolve accordingly to maintain effective protection for your Linux server infrastructure.

Additional Resources:

• Red Hat Security Guide – Comprehensive Linux security hardening documentation
• Ubuntu Security Documentation – Security best practices for Ubuntu systems
• CVE Details – Comprehensive vulnerability database
• Linux Security Blog – Latest security news and updates
• OWASP Top 10 – Most critical web application security risks