# How do I securely perform remote server monitoring?

## audiodef

I set up a server so that gkrellmd can only be accessed through ssh. I want to turn the necessary lines into a script, like so:

```
#!/bin/bash

ssh -N -f -L 19150:127.0.0.1:19150 (user)@(ip_address)

gkrellm -s 127.0.0.1 -P 19150 &
```

The problem is ssh can't get a password from me this way. How do I write this with the password included?

----------

## khayyam

audiodef ...

if you want passwordless logins then use a (passwordless) key.

best ... khay

----------

## audiodef

I don't want to compromise whatever security measures I've set up on my server, so I guess a better question is: What is the best way to perform remote server monitoring in a secure way?

----------

## Syl20

What do you want to monitor? Do you want to monitor your system through the internet?

On a LAN, and if you have a little time to set up a server, Nagios (with NRPE), for example, is certainly more appropriate than a set of home-made patches around a localhost-focused tool.

----------

## khayyam

 *audiodef wrote:*   

> I don't want to compromise whatever security measures I've set up on my server

 

audiodef ... in what way would the use of a key compromise security? 

 *audiodef wrote:*   

> [...] so I guess a better question is: What is the best way to perform remote server monitoring in a secure way?

 

As CneGroumF points out, that depends on your needs; nagios/icinga offers many plugins (ie, fail2ban, mysql, openvpn) and a web interface, and is the oft-used solution for such things.

best ... khay

----------

## audiodef

I want to monitor general server stuff for now: uptime, cpu load, mem, processes - the stuff you get through gkrellm. It's not on a LAN - it's a remote hosted server.

----------

## audiodef

 *khayyam wrote:*   

>  *audiodef wrote:*   I don't want to compromise whatever security measures I've set up on my server 
> 
> audiodef ... in what way would the use of a key compromise security? 
> 
> 

 

What I mean is I don't want to NOT use a key.   :Wink: 

----------

## khayyam

 *audiodef wrote:*   

> I want to monitor general server stuff for now: uptime, cpu load, mem, processes - the stuff you get through gkrellm. It's not on a LAN - it's a remote hosted server.

 

audiodef ... personally I wouldn't want to be bothered with such stuff, only be alerted as and when something occurs which needs my attention. However, for your initial problem all you need do is set up a key and have the key added to ssh-agent on login (via sys-auth/pam_ssh or net-misc/keychain) ... your script should then function without the need of a passphrase (because a key exchange would be used for authentication).

best ... khay
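The key-based setup described above, as an added example that is not part of the original post: a dedicated key is limited on the server to forwarding the gkrellmd port, and the client script fails instead of prompting when the key is not loaded in ssh-agent. The key path, the `entry`/`start` sub-commands and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Key path and function names are assumed.
GK_PORT=19150                            # gkrellmd port used in the thread
KEY="${KEY:-$HOME/.ssh/id_gkrellm}"      # hypothetical dedicated key

# Build the server-side authorized_keys line from ONE bare public key line.
#   restrict        - no pty, no agent/X11 forwarding, no port forwarding
#   port-forwarding - re-enable forwarding for this key ...
#   permitopen      - ... but only towards the local gkrellmd port
# Input that already carries options, or more than one line, is refused.
restricted_entry() {
    case "$1" in
        *"
"*) return 1 ;;
        ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-*\ *) ;;
        *) return 1 ;;
    esac
    printf 'restrict,port-forwarding,permitopen="127.0.0.1:%s" %s\n' "$GK_PORT" "$1"
}

# Open the tunnel, then start the viewer.
#   BatchMode=yes             - never prompt; fail if the agent lacks the key
#   ExitOnForwardFailure=yes  - do not stay connected without the forward
#   IdentitiesOnly=yes        - offer only the dedicated key
start_monitor() {
    ssh -N -f \
        -o BatchMode=yes -o ExitOnForwardFailure=yes -o IdentitiesOnly=yes \
        -i "$KEY" \
        -L "127.0.0.1:${GK_PORT}:127.0.0.1:${GK_PORT}" \
        "$1" || return 1
    gkrellm -s 127.0.0.1 -P "$GK_PORT" &
}

case "${1:-}" in
    entry) restricted_entry "$(cat "${KEY}.pub")" ;;   # paste output on the server
    start) start_monitor "$2" ;;                        # $2 is user@host
esac
```

If this key is stolen it can only open a connection to 127.0.0.1:19150 on the server; it cannot get a shell or forward anywhere else.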

----------

## krinn

I'm with khayyam there: first, a key isn't less secure than a password. I wouldn't claim it's even more secure, but that's still what I think.

If you really don't want to use passwords or keys, then use a solution that uses none: you could build a file with the info you want from the server and upload it to your computer through FTP (using anonymous access with a fake email as password); this way, you'll get what you want without sharing any key or real password.

You might just send the file by email if you prefer.

----------

## audiodef

Found a simple way to do what I wanted: emerge tilda, set it to fill up 100% of my screen in the background, no taskbar or pager, just ssh in normally and leave htop running.

----------

## khayyam

 *audiodef wrote:*   

> Found a simple way to do what I wanted: emerge tilda, set it to fill up 100% of my screen in the background, no taskbar or pager, just ssh in normally and leave htop running.

 

audiodef ... or you could pass the command to run:

```
$ ssh user@host htop
```

best ... khay

----------

## dalu

what would I want to monitor indeed..

when I wanted to write my own

net

/sys/class/net/<ifname>/statistics/

or

/proc/net/dev

cpu

/proc/stat

disk

/proc/diskstats

memory

/proc/meminfo

what else could be monitored?
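One way to expose the files listed above over ssh without handing out a shell, as an added example (not from the thread): a script installed as the forced command of a dedicated key, answering only an allowlisted set of metric names. The script path, the metric names, the extra `load` entry and `PROC_ROOT` are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Intended use (path is assumed), as one
# line in the server's authorized_keys:
#   restrict,command="/usr/local/bin/metrics-gate" ssh-ed25519 AAAA... monitor
# sshd then runs this script for every login with that key and places what the
# client asked for in SSH_ORIGINAL_COMMAND, e.g. after `ssh user@host mem`.
PROC_ROOT="${PROC_ROOT:-/proc}"   # overridable so the gate can be tried offline

# Map a requested metric name to one file; every other request is refused.
metric_path() {
    case "$1" in
        cpu)  echo "$PROC_ROOT/stat" ;;
        mem)  echo "$PROC_ROOT/meminfo" ;;
        disk) echo "$PROC_ROOT/diskstats" ;;
        net)  echo "$PROC_ROOT/net/dev" ;;
        load) echo "$PROC_ROOT/loadavg" ;;   # not in the list above; added here
        *)    return 1 ;;
    esac
}

# Serve one request. The request string is only compared against fixed names;
# it is never evaluated, expanded into a path, or handed to a shell.
serve() {
    path=$(metric_path "$1") || { echo "denied" >&2; return 1; }
    cat -- "$path"
}

# Act only when sshd invoked the script with a client request.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    serve "$SSH_ORIGINAL_COMMAND"
fi
```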

----------

## audiodef

 *khayyam wrote:*   

>  *audiodef wrote:*   Found a simple way to do what I wanted: emerge tilda, set it to fill up 100% of my screen in the background, no taskbar or pager, just ssh in normally and leave htop running. 
> 
> audiodef ... or you could pass the command to run:
> 
> ...

 

I actually tried that but got an error about unknown terminal.

----------

## audiodef

 *dalu wrote:*   

> what would I want to monitor indeed..
> 
> when I wanted to write my own
> 
> net
> ...

 

I learned a little more since my OP. You can monitor all kinds of things in all kinds of detail. I found a couple of other useful top utils: apachetop and mytop. There are top programs for various types of network monitoring and packet sniffing, etc. atop is another useful general info top program that shows more detail in an organized way than top.

----------

## khayyam

 *audiodef wrote:*   

> ```
> $ ssh user@host htop
> ```
> ...
> 
> I actually tried that but got an error about unknown terminal.

audiodef ... hmmm, so what is $TERM reporting?

```
$ echo $TERM
```

best ... khay

----------

## audiodef

Hm, echo $TERM shows xterm at both ends.

----------

## enZom

You could look into using a 2048 bit or higher key.

@monitoring 

I often run multiple windows of lnav looking at different log files.

For split windows Tmux or if you're @ a desktop terminator works.

The watch command can be helpful too.

```
watch grep \"cpu MHz\" /proc/cpuinfo
```

```
watch cat /proc/net/ip_conntrack

#Or if you have the rest of the conntrack goodies installed.

conntrack -E
```

```
watch netstat -atnu
```

Also a fan of jnettop

```
jnettop -i eth0
```

----------

## ShaneCar

Nagios (NRPE) would save you some time setting up the server. If uptime, cpu load, mem, and processes are what you care about, then that seems like the best option. BigPanda, while not open source, is also an interesting tool. It plugs right into Nagios - https://bigpanda.io/integrations/nagios-the-alternative-to-a-flood-of-alerts- and will sift through all the noise for you, so all you're looking at is high level data that's meaningful. Either way, I think NRPE will save you time and headache.

----------

## audiodef

I came across Nagios earlier, and wondered if it would be overkill for one server.

----------

## Ant P.

 *khayyam wrote:*   

>  *audiodef wrote:*   
> 
> ```
> $ ssh user@host htop
> ```
> ...

 

You need to write it as ssh -t htop, otherwise the default when a command is passed to ssh is to run it with only dumb pipes for stdin/out.

----------

## audiodef

 *Ant P. wrote:*   

>  *khayyam wrote:*    *audiodef wrote:*   
> 
> ```
> $ ssh user@host htop
> ```
> ...

 

Thanks!   :Smile: 

----------

