Server Monitoring

Server monitoring, as it sounds, is the implementation of a system that keeps vigilance over the health and status of a server. The more mission critical a server's function is, the more important monitoring becomes. As technology becomes more and more reliable, servers are often left alone to do their job. However, it is still important to always be alert to their status.

Before discussing the various techniques available to monitor a server, let's first address the reasons you might want to use monitoring.

  • Intrusion - Intrusion is a big reason for monitoring a server. More often than not, servers are compromised without anyone knowing. By monitoring for intrusion, an administrator is made aware that someone is trying to compromise server security, and s/he may then take steps to prevent it in the future or maybe even find out who is intruding.
  • Hardware Failure - Monitoring hardware status is just as critical as checking for intrusion, if not more so. If a server is configured well, then it is fault tolerant against drive, controller, NIC, and motherboard failure. This means that if one of those components fails, the server stays up and running. However, an administrator needs to know as soon as possible that hardware has failed, so that the component can be replaced. If there is little or no fault tolerance, monitoring becomes even more important, as the server may stop functioning altogether until a failed component is replaced.
  • Application Failure - Similar to hardware failure, it is important to know that mission critical applications are running and running correctly.
  • Other Security Considerations - There are many other security features that an administrator may need to monitor. Some possible examples are: password strength, NetBIOS shares, unwanted services, file sharing programs like Napster, etc.

Now that we know why monitoring is important, we will discuss some different methods of monitoring.

SNMP

SNMP is probably one of the most popular monitoring methods. It is a protocol that allows a program to either retrieve or receive information from a network node. (SNMP can also be used for configuration purposes, but that is outside the scope of this document.) SNMP uses a mechanism called "traps." A device may have information it can share, such as device functionality and status, intrusion attempts, reboots, etc. This information is defined in a file called a MIB (Management Information Base). The device can send an SNMP trap carrying this information to a server. Once the server receives the information, anything can be done with it, such as alerting an administrator by pager or simply saving it to a log file. SNMP traps can be sent using "get" commands or "send" commands. With a "get" command, an SNMP server application may periodically poll the status of SNMP devices. If any of the devices respond with a status that an administrator should know about, the server can take the appropriate action. SNMP is mainly used for monitoring the status of hardware; however, it can also be used to monitor the status of applications.
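As an added example (not code from the original article), here is the receiving side of the trap flow just described: a minimal SNMPv2c trap decoder that checks the community string before trusting anything in the message, run over a constructed linkDown trap. It assumes SNMPv2c, a receiver configured for the community "public", and short-form BER lengths (messages under 128 bytes); the sample trap, community and OIDs used are constructed for the example.

```python
EXPECTED_COMMUNITY = b"public"   # assumption: the community string this receiver is configured for
TRAP_NAMES = {"1.3.6.1.6.3.1.1.5.1": "coldStart", "1.3.6.1.6.3.1.1.5.3": "linkDown"}  # generic traps
def tlv(tag, body):              # BER type-length-value with a short-form length (body under 128 bytes)
    return bytes([tag, len(body)]) + body

def oid_bytes(oid):              # dotted OID to BER content; every arc used here is below 128
    a = [int(x) for x in oid.split(".")]
    return bytes([40 * a[0] + a[1]] + a[2:])

# Constructed sample trap: linkDown for ifIndex 2, sysUpTime 300 ticks, request-id 42.
SAMPLE_TRAP = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x04, b"public") + tlv(0xA7,
    tlv(0x02, b"\x2a") + tlv(0x02, b"\x00") + tlv(0x02, b"\x00") + tlv(0x30,
        tlv(0x30, tlv(0x06, oid_bytes("1.3.6.1.2.1.1.3.0")) + tlv(0x43, b"\x01\x2c"))
        + tlv(0x30, tlv(0x06, oid_bytes("1.3.6.1.6.3.1.1.4.1.0")) + tlv(0x06, oid_bytes("1.3.6.1.6.3.1.1.5.3")))
        + tlv(0x30, tlv(0x06, oid_bytes("1.3.6.1.2.1.2.2.1.1.2")) + tlv(0x02, b"\x02")))))

def read_tlv(buf, pos):          # return (tag, body, position after the element) for buf[pos]
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form BER lengths are not handled in this example")
    return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length

def decode_value(tag, body):
    if tag in (0x02, 0x41, 0x42, 0x43):        # INTEGER, Counter32, Gauge32, TimeTicks
        return int.from_bytes(body, "big")
    if tag == 0x06:                            # OBJECT IDENTIFIER
        return ".".join([str(body[0] // 40), str(body[0] % 40)] + [str(b) for b in body[1:]])
    return body.decode("latin-1") if tag == 0x04 else body.hex()

def parse_trap(packet):          # SNMPv2c trap -> dict; rejects anything else or a wrong community
    tag, msg, _ = read_tlv(packet, 0)
    _, version, pos = read_tlv(msg, 0)
    _, community, pos = read_tlv(msg, pos)
    pdu_tag, pdu, _ = read_tlv(msg, pos)
    if tag != 0x30 or version != b"\x01" or pdu_tag != 0xA7:
        raise ValueError("not an SNMPv2c trap message")
    if community != EXPECTED_COMMUNITY:        # the only check v2c offers a receiver, so never skip it
        raise ValueError("trap rejected: unexpected community string")
    _, req_id, pos = read_tlv(pdu, 0)
    for _ in range(2):                         # skip error-status and error-index (unused in traps)
        _, _, pos = read_tlv(pdu, pos)
    _, vbl, _ = read_tlv(pdu, pos)
    varbinds, pos = {}, 0
    while pos < len(vbl):                      # each varbind is SEQUENCE { OID, value }
        _, vb, pos = read_tlv(vbl, pos)
        _, oid, vpos = read_tlv(vb, 0)
        vtag, val, _ = read_tlv(vb, vpos)
        varbinds[decode_value(0x06, oid)] = decode_value(vtag, val)
    return {"request_id": int.from_bytes(req_id, "big"), "varbinds": varbinds,
            "trap": TRAP_NAMES.get(varbinds.get("1.3.6.1.6.3.1.1.4.1.0"), "unknown")}
```

A real receiver would read the packet from UDP port 162 and hand the returned dict to whatever alerting or logging it has; the community check is the one defensive step a v2c receiver can take, since the string is sent in clear text.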

Intrusion Detection

Intrusion detection is simply what it sounds like: a way of detecting attempts or successful attempts at gaining unauthorized access to a server. There are many ways to monitor intrusion attempts.

  • SNMP - One intrusion detection method is SNMP, as described above. SNMP may detect anything from a physical event, like a drive being removed or a server reboot, to an attempt to save a configuration file.
  • Third Party Software - There are also many specialized third party software programs that perform various kinds of intrusion detection functions. Because there are so many products for different types of servers and devices, it is out of the scope of this document to discuss them all. However, some can apply to email servers and web servers as well as to popular operating systems such as Windows or Linux.
  • Devices - Another intrusion detection method is to use a hardware device (black box) as opposed to software. Devices that perform intrusion detection most commonly sit in front of a web server, a mail server or even a firewall. The most well known device is Cisco IDS (formerly NetRanger). It monitors TCP/IP activity and looks for any malicious activity or unauthorized access attempts. Upon detection, it can be programmed to block any further traffic from the suspected source. Alerts to intrusion attempts can then be sent out using SNMP.
  • Firewalls - Some firewalls have intrusion detection functionality. They can detect unauthorized access attempts as well as malicious activity, like NetRanger described above. See Firewalls for more information on network firewalls.

Logging

Logging is a simple feature that should always be utilized when monitoring. Most applications, operating systems, and devices have some form of logging feature. Depending on the program or device that does the logging, an administrator can configure a system to alert him/her when certain logging events occur. Microsoft Windows products have various logging features. System and application logging are enabled by default. However, there is a security-logging feature that needs to be turned on manually. It logs successful and unsuccessful logon activity. It also records events from other applications written to log there, such as SQL Server and Exchange Server as well as third-party programs. Some third-party monitoring programs use this native logging feature to complement their own functionality.
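An added example, not from the original article, of the kind of alerting an administrator might build on the logon events the security log records: it reads a constructed export of logon audit records and reports a burst of failed logons from one source, then separately reports a successful logon from that source right after the burst. The comma-separated export layout, the "Failure Audit"/"Success Audit" labels as used here, the threshold and the window are all assumptions for this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample export of security-log logon records; the column layout
# (time, audit type, account, source address) is an assumption for this example.
SAMPLE_LOG = """\
2001-03-04 02:14:01,Failure Audit,administrator,10.0.0.77
2001-03-04 02:14:03,Failure Audit,administrator,10.0.0.77
2001-03-04 02:14:04,Failure Audit,administrator,10.0.0.77
2001-03-04 02:14:06,Failure Audit,administrator,10.0.0.77
2001-03-04 02:14:09,Failure Audit,administrator,10.0.0.77
2001-03-04 02:14:12,Success Audit,administrator,10.0.0.77
2001-03-04 08:30:15,Failure Audit,jsmith,10.0.0.12
2001-03-04 09:02:44,Success Audit,jsmith,10.0.0.12
"""

FAILURE_THRESHOLD = 5          # failures from one source inside WINDOW raise an alert
WINDOW = timedelta(minutes=2)  # sliding window; both values are tuning assumptions

def parse_line(line):
    ts, kind, account, source = line.strip().split(",")
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), kind, account, source

def scan_logons(text):
    """Return alert lines for a burst of failed logons and for a success that follows one."""
    recent = defaultdict(deque)   # source -> timestamps of failures still inside the window
    flagged = set()               # sources whose burst has already been reported
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, account, source = parse_line(line)
        window = recent[source]
        while window and ts - window[0] > WINDOW:   # drop failures older than the window
            window.popleft()
        if kind == "Failure Audit":
            window.append(ts)
            if len(window) >= FAILURE_THRESHOLD and source not in flagged:
                flagged.add(source)
                alerts.append(f"{ts} {len(window)} failed logons from {source} (last account: {account})")
        elif kind == "Success Audit":
            if source in flagged:   # the success that ends a burst is the one to page someone about
                alerts.append(f"{ts} successful logon as {account} from {source} after failure burst")
                flagged.discard(source)
            window.clear()          # a successful logon resets the failure count for that source
    return alerts
```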

Next: Vendor Patches & Updates