A client, a doctor nonetheless, still has XP running in the practice and at home. It is highly specialized for 24h EKG monitoring - and also VERY expensive. The software - actually just the driver for Win7 - would have cost 20’000.-, for four patients and four years of operation?
He has one more year to pension, so we had a VM running a well protected XP for the time of Win7 and now, with Win10…
That practice also had among the most exotic stuff I ever connected to the network - and monitored in Zabbix!
Like 2 Philips ultrasounds, another ultrasound from another company, a Horriba and UriSys, both serially connected to a network port which is in turn monitored. The Horriba and UriSys both deal with urine monitoring…
All three ultrasounds have some form of XP (embedded?)…
Click add, drag and drop to the “right” position, choose the host and symbol…
These are LIVE plans, each host can signal issues, updates and such.
You can also set the icon according to state…
Like the nuclear cloud when an important server goes “poof”…
At some clients I also add “boxes” or “areas” to symbolize rooms, or buildings (a form of grouping…)
Zabbix is really well templatable, and that can save a lot of time. Like I made my own template for raspberry monitoring & NUT, with a nice host screen all rolled into one.
Do you know where the noise in nethserver comes from? I mean on my gentoo box and also on a hosted proxmox server it is quiet, whereas in the nethserver log, even now that I disabled password login and only password secured certificate based login is allowed, there are still all those attempts logged like:
Feb 21 23:37:11 hostname sshd[14242]: Invalid user zabbix from 139.99.89.53 port 50182
Feb 21 23:37:11 hostname sshd[14242]: input_userauth_request: invalid user zabbix [preauth]
Feb 21 23:37:11 hostname sshd[14242]: Received disconnect from 139.99.89.53 port 50182:11: Bye Bye [preauth]
Feb 21 23:37:11 hostname sshd[14242]: Disconnected from 139.99.89.53 port 50182 [preauth]
Feb 21 23:37:13 hostname sshd[14250]: Invalid user dev from 190.1.203.180 port 52452
Feb 21 23:37:13 hostname sshd[14250]: input_userauth_request: invalid user dev [preauth]
Feb 21 23:37:13 hostname sshd[14250]: Received disconnect from 190.1.203.180 port 52452:11: Bye Bye [preauth]
Feb 21 23:37:13 hostname sshd[14250]: Disconnected from 190.1.203.180 port 52452 [preauth]
Feb 21 23:37:20 hostname evebox: 2020-02-21 23:37:20 (evefileprocessor.go:176) – Total: 125; last minute: 1; EOFs: 60
Feb 21 23:37:24 hostname sshd[14286]: Received disconnect from 138.68.237.12 port 45846:11: Bye Bye [preauth]
Is nethserver just configured to log more verbosely than a standard debian or gentoo would probably do? I was under the impression that disabling password login would stop those attempts on those random ports that are closed anyway… Nevermind, this (restrict ssh to cert-based access) was my last task for the next days/weeks. I have to take a break.
Well it depends. My gentoo box is a mail, web and nextcloud server among some other services, and although you see some attempts trying to guess passwords for mail accounts, which I take care of with fail2ban, there are no log entries about ssh attempts. The same goes for the proxmox server, where I admit only a non-standard ssh port is open. But still - no ssh attempts logged whatsoever, whereas the spamming in the nethserver log as copy/pasted above is a bit much. Nevermind. Maybe that’s normal nowadays, even though the ssh port is changed to a non-standard port here on nethserver too. Nope, random stuff, not my IPs…
Maybe I’ll post a new thread asking @devs if it is normal behaviour that /var/log/messages is so noisy on ssh attempts to closed ports.
A “standard” Debian or Gentoo simply doesn’t have ANY services available. Where there’s nothing, there’s also nothing to log.
Hook up your Gentoo with sshd on the standard port 22 to your internet, you’ll soon see log entries…
And I think your NethServer does have a LOT more services available than just SSH…
Yep, just wanted to add that enabling fail2ban made the noise disappear immediately. Surprisingly enough, there were just 11 IPs banned for now that were generating all these entries, and now it’s quiet and /var/log/messages is readable again.
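To see how few sources account for this kind of log noise, the sketch below counts `Invalid user` lines per address inside a sliding time window. It is an added example, not part of the original posts and not fail2ban's own code; the sample log is constructed in the format quoted above, and `maxretry`/`findtime` are borrowed from fail2ban's option names for a simplified model of its threshold logic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the sshd syslog format quoted in the thread
# (addresses come from documentation ranges, not real sources).
SAMPLE_LOG = """\
Feb 21 23:37:11 hostname sshd[14242]: Invalid user zabbix from 203.0.113.7 port 50182
Feb 21 23:37:11 hostname sshd[14242]: Disconnected from 203.0.113.7 port 50182 [preauth]
Feb 21 23:37:13 hostname sshd[14250]: Invalid user dev from 198.51.100.20 port 52452
Feb 21 23:37:40 hostname sshd[14301]: Invalid user admin from 203.0.113.7 port 50990
Feb 21 23:38:02 hostname sshd[14377]: Invalid user test from 203.0.113.7 port 51412
Feb 21 23:38:05 hostname evebox: 2020-02-21 23:38:05 (evefileprocessor.go:176) -- Total: 126
Feb 21 23:52:30 hostname sshd[15102]: Invalid user git from 198.51.100.20 port 40022
Feb 21 23:59:59 hostname sshd[15500]: Invalid user ftp from 198.51.100.20 port 40100
"""

# Only the "Invalid user" line is counted, so one connection is one failure.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Invalid user (?P<user>\S*) from (?P<ip>\S+) port \d+"
)

def find_offenders(log_text, maxretry=3, findtime=600, year=2020):
    """Return {ip: time of the failure that reached maxretry within findtime s}."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    offenders = {}
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m or m["ip"] in offenders:
            continue
        # syslog timestamps carry no year, so the caller supplies one
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:   # drop failures older than findtime
            q.popleft()
        if len(q) >= maxretry:
            offenders[m["ip"]] = ts
    return offenders

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG).items():
        print(f"{ip} reached the threshold at {when:%b %d %H:%M:%S}")
```

The second address in the sample never trips the default threshold because its attempts are spread over more than `findtime` seconds, which is the slow-scanner case a short window misses.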
Changing ports from standard 22 to 2222 is already a BIG help, fail2ban silences those with Portscanners…
Windows the same thing - change RDP to say 3391-3399, that’s already a BIG help.
That’s a small bit of registry work to do it locally (I have the standard port and the other port available locally, externally only the other port is available). More secure boxes are only reachable via VPN.
OPNsense can easily do PAT (Like NAT, but dealing with Ports).
Something like accept 3391 from internet, forward to 3389 (the standard RDP port) on box XXX…
This saves the trouble of doing it in the windows registry…
My personal standard working set:
mc, nano, htop, screen, fail2ban
Monitoring:
snmp, zabbix agent
I like having these tools on all my Un*x based boxes, no matter if server or workstation.
It’s like my swiss army knife…