Monitoring scripts for process/CPU/memory and SSH hardening (config + detection of bad logins)
- Monitor system resources (CPU, memory, critical processes)
- Send alerts when thresholds are exceeded
- Harden SSH security and detect brute-force login attempts via Fail2Ban
- Maintain logs and generate simple dashboards for quick visibility
This project is designed for DevOps engineers, system administrators, or anyone who wants to manage servers securely and monitor resources efficiently.
The project was fully tested and deployed on an AWS EC2 Ubuntu instance, demonstrating its functionality in a cloud environment. All monitoring scripts, systemd timers, SSH hardening configurations, and Fail2Ban jails were validated on EC2, making it cloud-ready and production-appropriate.
monitor-ssh-toolkit/
├── hardening
│ ├── jail.local # Fail2Ban configuration for SSH
│ └── sshd_config.snippet # SSH hardening configuration snippet
├── monitoring
│ ├── check_resources.sh # Logs CPU, memory, and top processes
│ ├── mem_alert.sh # Alerts if memory is below threshold
│ ├── proc_watch.sh # Monitors critical processes and restarts if needed
│ ├── ssh_bruteforce_report.sh # Generates SSH brute-force report
│ └── README_MONITORING.md # Instructions for using monitoring scripts
├── systemd
│ ├── healthcheck.service # Systemd service to run health checks
│ └── healthcheck.timer # Timer to run service periodically
├── README.md
- Clone the repository
- CPU, memory, and process monitoring via Bash scripts
- Critical process restart using systemctl
- Memory alerts written to a log and optionally sent to webhooks
- Brute-force login detection and reporting
- Scripts are designed to run locally and can be scheduled using systemd timers
- Disables root login: PermitRootLogin no
- Enforces key-based authentication: PasswordAuthentication no
- Limits authentication attempts: MaxAuthTries 3
- Disables X11 forwarding, TCP forwarding, and gateway ports
- Configures Fail2Ban for SSH brute-force prevention
Note: Ensure you have your public SSH key installed before disabling password authentication to avoid being locked out.
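A pre-restart check for the settings listed above, as an added example that is not part of this repository: it compares `sshd -T` style output (the effective configuration, lowercase keywords) against the listed values and checks an authorized_keys file for at least one key. The function names, the `BASELINE` variable and the choice of `sshd -T` as input are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the repository): audit sshd settings before restart.
# Usage on a host:  sudo sshd -T | audit_sshd

# Expected values for the settings the hardening list names. The forwarding
# keywords are the standard sshd_config names for the features it disables.
BASELINE='permitrootlogin no
passwordauthentication no
x11forwarding no
allowtcpforwarding no
gatewayports no'
MAX_AUTH_TRIES=3

# audit_sshd: reads "keyword value" lines on stdin, prints one FAIL line per
# deviation, and returns 1 if any setting differs from the baseline.
audit_sshd() (
  cfg=$(tr '[:upper:]' '[:lower:]')
  lookup() { printf '%s\n' "$cfg" | awk -v k="$1" '$1 == k { print $2; exit }'; }
  rc=0
  while read -r key want; do
    got=$(lookup "$key")
    if [ "$got" != "$want" ]; then
      echo "FAIL $key: want $want, got ${got:-<unset>}"
      rc=1
    fi
  done <<EOF
$BASELINE
EOF
  tries=$(lookup maxauthtries)
  case "$tries" in
    '' | *[!0-9]*) echo "FAIL maxauthtries: missing or not numeric"; rc=1 ;;
    *) [ "$tries" -le "$MAX_AUTH_TRIES" ] ||
         { echo "FAIL maxauthtries: $tries exceeds $MAX_AUTH_TRIES"; rc=1; } ;;
  esac
  exit "$rc"
)

# has_authorized_key FILE: true if FILE holds at least one public key line.
# Guards against the lockout the note warns about; run it for the login user
# before passwordauthentication is switched to "no".
has_authorized_key() {
  grep -v '^[[:space:]]*#' "$1" 2>/dev/null |
    grep -Eq '(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp[0-9]+) AAAA'
}
```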
- healthcheck.service runs check_resources.sh once when triggered
- healthcheck.timer runs healthcheck.service every 10 minutes (customizable)
- Logs saved under /var/log/health/ for audit and monitoring
git clone <repo_url>
cd monitor-ssh-toolkit
sudo cp hardening/sshd_config.snippet /etc/ssh/sshd_config.d/90-monitor-ssh.conf
ssh -p <custom_port> user@server
sudo systemctl restart ssh
sudo cp hardening/jail.local /etc/fail2ban/jail.local
sudo systemctl restart fail2ban
sudo fail2ban-client status sshd
sudo cp monitoring/*.sh /usr/local/bin/
sudo chmod +x /usr/local/bin/*.sh
sudo cp systemd/healthcheck.service /etc/systemd/system/
sudo cp systemd/healthcheck.timer /etc/systemd/system/
sudo systemctl daemon-reload
sudo systemctl enable --now healthcheck.timer
- Run Scripts Manually:
sudo /usr/local/bin/check_resources.sh
sudo /usr/local/bin/mem_alert.sh
sudo /usr/local/bin/proc_watch.sh
sudo /usr/local/bin/ssh_bruteforce_report.sh
- View logs:
ls /var/log/health/
cat /var/log/health/<latest-log>.log
- Check Fail2Ban status:
sudo fail2ban-client status sshd
Here are some screenshots from the deployed environment on an AWS EC2 instance, demonstrating the toolkit's functionality.
This shows a successful SSH connection to the AWS EC2 instance running Ubuntu 24.04 LTS, which serves as the testing and deployment environment for this toolkit.
This displays the health check logs generated by the monitoring scripts in the /var/log/health/ directory. Each file is timestamped, providing a clear audit trail of system status over time.
This is a sample of a complete health check report generated by check_resources.sh. It contains a snapshot of key system metrics, including memory usage, disk space, and the top running processes.
This output confirms that Fail2Ban is actively monitoring sshd. The sshd jail is enabled and tracking failed login attempts, ready to ban any malicious IP addresses that violate the configured rules.