Using Postfix and OSSEC to Monitor Your VPS or Production *NIX Systems
07 Nov 2015
Reading time ~9 minutes
A few months ago I was experimenting with receiving custom alerts from my internet facing *NIX boxes. Some of the things I wanted to monitor in real-time (or close enough to) were successful SSH login attempts, sudo/privilege escalation alerts and new file creations. I wrote a few shell scripts that handled this for me and it ended up working pretty well.
Last week I started looking at tools that handle monitoring and alerting and stumbled upon OSSEC. OSSEC encompasses everything I was looking to receive alerts for and more. For those of you who aren’t familiar with OSSEC, it’s an “Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.”
After playing around with OSSEC for a few days now I’ve come to a pretty solid conclusion that it’s going to be a regular tool featuring in my *NIX builds from now on.
I decided to put together this guide to help out people who want a little more insight into what is happening on their VPS or production *NIX systems.
For this guide in particular you’re going to need:
- A VPS running Ubuntu
- DNS configured to point to the public IP address of the VPS.
- A mail account with Google or a similar provider.
Throughout this guide I’ll refer to the VPS as sub.domain.com and the mail account as
1. Installing and Configuring Postfix as a Send-Only SMTP Server
Postfix is going to handle all of the SMTP relaying for us, so you don’t need to open any TCP or UDP ingress ports.
First, make sure that the hostname of your VPS is configured correctly.
Next, update the box and install mailutils
As the mailutils installation progresses, you will reach a point where you will need to specify the Postfix configuration type. Select
You should then be prompted by the Postfix configuration agent to enter the mail name for the system.
Next, you’ll need to edit the main configuration file for Postfix to ensure that the internet interface is set to the localhost. This should be the second-to-last line of the file:
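The send-only step described above, as an added shell example that is not part of the original post: it sets `inet_interfaces = loopback-only` (the Postfix parameter that binds the SMTP listener to the loopback interface) in a main.cf whose path is passed in, so it can be tried on a copy before touching /etc/postfix/main.cf. It edits the file with sed/awk rather than `postconf` so it runs where Postfix is not installed; on the live box `postconf -n inet_interfaces` is the authoritative check.

```shell
#!/bin/sh
# Added example (not from the original post): make a Postfix main.cf send-only
# by binding the SMTP listener to loopback, then verify the effective value.
# Assumes the Debian/Ubuntu layout (/etc/postfix/main.cf) and single-line
# "key = value" entries; the file path is an argument so a copy can be tested.

# set_main_cf_param FILE KEY VALUE
# Rewrites every existing "KEY = ..." line (Postfix honours the last one, so a
# stray duplicate further down must not silently override us) or appends one.
set_main_cf_param() {
    file="$1"; key="$2"; value="$3"
    if grep -Eq "^[[:space:]]*${key}[[:space:]]*=" "$file"; then
        tmp="${file}.tmp.$$"
        sed -E "s|^[[:space:]]*${key}[[:space:]]*=.*|${key} = ${value}|" "$file" > "$tmp" \
            && mv "$tmp" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# effective_param FILE KEY
# Prints the value Postfix would take from FILE (last definition wins, comment
# lines ignored). On a live system `postconf -n KEY` is the authoritative check.
effective_param() {
    awk -v k="$2" '
        $0 ~ "^[ \t]*" k "[ \t]*=" {
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
        }
        END { print v }' "$1"
}

# send_only_ok FILE: succeeds only if the listener is restricted to loopback
send_only_ok() {
    [ "$(effective_param "$1" inet_interfaces)" = "loopback-only" ]
}

# harden_send_only FILE: apply the setting and confirm it took effect
harden_send_only() {
    set_main_cf_param "$1" inet_interfaces loopback-only && send_only_ok "$1"
}

# On the VPS (as root), after sourcing this file:
#   harden_send_only /etc/postfix/main.cf && postfix reload
#   ss -ltnp | grep ':25 '   # port 25 should now be bound to 127.0.0.1/::1 only
```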