Security Monitoring Script Pangolin

22/01/2025 · security · 4 mins read
Security Monitoring Script

A security monitoring solution that tracks network traffic, system health, and security events on Linux systems, with automated reporting to Discord. This script is designed to help system administrators maintain awareness of their system’s security status and network activity, particularly for servers running services like Pangolin, Gerbil, and other web services.

Features

The script provides continuous monitoring of several critical system aspects:

Network Traffic Monitoring

  • HTTPS traffic (Port 443)
  • HTTP traffic (Port 80)
  • WireGuard traffic (Port 51820)
  • Active connection tracking
  • Detailed connection state information

System Security Monitoring

  • Failed SSH login attempts
  • System load statistics
  • Memory usage tracking
  • Disk space utilization
  • Active connection counts

Reporting Capabilities

  • Real-time Discord notifications
  • Local log file generation
  • Automatic message chunking for Discord’s limits
  • Rate-limited API calls to prevent throttling
  • Error logging and handling
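The two bullets on message chunking and rate limiting are worth seeing in code. The script below is an added example, not code from monitor.sh: it splits a report into pieces that stay under Discord's 2000-character content limit, cuts only at line boundaries so a connection entry is never halved, escapes each piece into a JSON payload and posts the pieces one at a time with a pause between calls. The variable names, the DRY_RUN switch and the 120-line sample report are ours; DISCORD_WEBHOOK is a placeholder.

```shell
#!/usr/bin/env bash
# Added example, not the monitor.sh from the page: split a long report into
# Discord-sized pieces and post them one at a time with a pause in between.
# Assumptions: Discord rejects "content" over 2000 characters; variable names
# and the DRY_RUN switch are ours, chosen to mirror the page's parameters.

LOG_DIR="/var/log/security-monitor"
ERROR_LOG="$LOG_DIR/error.log"
DISCORD_WEBHOOK="${DISCORD_WEBHOOK:-https://discord.com/api/webhooks/YOUR_DISCORD_WEBHOOK_URL}"  # placeholder
CHUNK_LIMIT=1900          # 2000-char Discord limit minus headroom for the code fence we add
SEND_DELAY=1              # seconds between webhook calls, to stay under the rate limit
DRY_RUN="${DRY_RUN:-1}"   # 1 = print what would be posted instead of calling curl

# split_report LIMIT DIR: read a report on stdin and write it to DIR/chunk.001,
# DIR/chunk.002, ... so that no chunk exceeds LIMIT characters. Splits only at
# line boundaries; a single line longer than LIMIT is hard-split.
split_report() {
  mkdir -p "$2"
  awk -v limit="$1" -v dir="$2" '
    function write(s,  f) { n++; f = sprintf("%s/chunk.%03d", dir, n); printf "%s", s > f; close(f) }
    function flush()      { if (chunk != "") { write(chunk); chunk = "" } }
    {
      line = $0
      while (length(line) > limit) {          # oversized line: flush, then hard-split
        flush()
        write(substr(line, 1, limit))
        line = substr(line, limit + 1)
      }
      if (chunk != "" && length(chunk) + 1 + length(line) > limit) flush()
      chunk = (chunk == "") ? line : chunk "\n" line
    }
    END { flush() }'
}

# count_chunks DIR / max_chunk_len DIR: how many pieces were written and how long the longest is
count_chunks() { ls "$1" | wc -l | tr -d ' '; }
max_chunk_len() {
  max=0
  for f in "$1"/chunk.*; do
    len=$(wc -c < "$f" | tr -d ' ')
    [ "$len" -gt "$max" ] && max=$len
  done
  echo "$max"
}

# join_chunks DIR: reassemble the pieces with one newline between them; equals the
# original report whenever no line had to be hard-split.
join_chunks() { for f in "$1"/chunk.*; do cat "$f"; printf '\n'; done; }

# json_string: turn stdin into one JSON string literal, escaping backslashes,
# double quotes and newlines; tabs are flattened to spaces (ss output has none).
json_string() {
  tr '\t' ' ' \
    | sed 's/\\/\\\\/g; s/"/\\"/g' \
    | awk 'BEGIN { printf "\"" } NR > 1 { printf "%s", "\\n" } { printf "%s", $0 } END { printf "\"" }'
}
json_string_of() { printf '%s' "$1" | json_string; }

# send_report DIR: post each piece in order inside a code fence, pausing between
# calls; a failed POST is recorded in error.log as the page's script does.
send_report() {
  for f in "$1"/chunk.*; do
    [ -e "$f" ] || continue
    content=$(printf '```\n%s\n```' "$(cat "$f")")
    payload="{\"content\": $(json_string_of "$content")}"
    if [ "$DRY_RUN" = 1 ]; then
      printf 'DRY RUN: would POST %d characters for %s\n' "${#payload}" "$f"
      continue                                  # nothing sent, so no pause needed
    fi
    if ! curl --silent --show-error --fail -H 'Content-Type: application/json' \
         -d "$payload" "$DISCORD_WEBHOOK"; then
      printf '%s discord post failed for %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$f" >> "$ERROR_LOG"
    fi
    sleep "$SEND_DELAY"
  done
}

# Constructed sample: 120 fake connection lines, several times the message limit.
build_sample_report() {
  i=1
  while [ "$i" -le 120 ]; do
    printf 'ESTAB 0 0 10.0.0.5:443 198.51.100.%d:5%04d\n' "$(( i % 250 + 1 ))" "$i"
    i=$(( i + 1 ))
  done
}

WORK=$(mktemp -d)
build_sample_report | split_report "$CHUNK_LIMIT" "$WORK"
send_report "$WORK"
```

Set DRY_RUN=0 and a real webhook to post for real; the sleep is what keeps a long report from tripping the webhook rate limit, and the error.log line gives the "Discord messages not sending" troubleshooting step something to look at.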

Prerequisites

The script requires the following components to be installed on your system:

  • bash shell (version 4.0 or higher)
  • ss command (usually part of iproute2 package)
  • curl for Discord API communication
  • grep for log analysis
  • Standard Unix utilities (date, awk, etc.)

To install missing prerequisites on Debian/Ubuntu systems:

sudo apt update
sudo apt install iproute2 curl grep coreutils

For Red Hat/CentOS systems:

sudo yum update
sudo yum install iproute curl grep coreutils

Installation

  1. Download the script:

     curl -O https://gist.githubusercontent.com/hhftechnology/38e10e051af2c0313dbb364bdf67eeb0/raw/0bdcc175756d996d7c3beed15824fc0822e05fd9/monitor.sh

  2. Make the script executable:

     chmod +x monitor.sh

  3. Create the log directory:

     sudo mkdir -p /var/log/security-monitor
sudo chown $(whoami):$(whoami) /var/log/security-monitor

Configuration

Discord Webhook Setup

  1. Open your Discord server settings
  2. Navigate to Integrations → Webhooks
  3. Click “Create Webhook”
  4. Choose a name and channel for the webhook
  5. Copy the webhook URL
  6. Edit the script and replace YOUR_DISCORD_WEBHOOK_URL with your webhook URL:
DISCORD_WEBHOOK="https://discord.com/api/webhooks/your-webhook-url"

Customizable Parameters

The script includes several configurable parameters at the top:

LOG_DIR="/var/log/security-monitor" # Location of log files
TEMP_FILE="/tmp/security_report.txt" # Temporary file for report generation
CHECK_INTERVAL=300 # Monitoring interval in seconds

Modify these values according to your needs. For example, to check every minute, set CHECK_INTERVAL=60.

Usage

Starting the Monitor

Run in the foreground:

./monitor.sh

Run in the background:

nohup ./monitor.sh > monitor.log 2>&1 &

Stopping the Monitor

Find the process ID:

ps aux | grep monitor.sh

Stop the script:

kill <process_id>

Log Files

The script generates several log files:

  • Daily monitoring logs: /var/log/security-monitor/monitoring_YYYY-MM-DD.log
  • Error logs: /var/log/security-monitor/error.log

Log files follow the format:

=== Traffic Monitoring Report 2025-01-22 14:30:00 ===
Port 443 (HTTPS) Traffic:
[Connection details]
Port 80 (HTTP) Traffic:
[Connection details]
Port 51820 (WireGuard) Traffic:
[Connection details]
Security Report
[System statistics and security information]

Troubleshooting

Common Issues and Solutions

  1. Discord messages not sending:
     • Verify your webhook URL is correct
     • Check network connectivity
     • Review error.log for specific error messages
  2. Missing command errors:
     • Install missing prerequisites using your package manager
     • Verify PATH includes the required commands
     • Check permissions for command execution
  3. Permission denied errors:
     • Ensure proper permissions on the log directory
     • Run with sudo if accessing protected log files
     • Check file ownership and permissions

Error Logging

The script logs errors to /var/log/security-monitor/error.log. Common error messages include:

  • Discord API errors
  • Command execution failures
  • File access permission issues

Security Considerations

  • The script requires access to system logs and network information
  • Discord webhook URL should be kept private
  • Consider running the script as a non-root user with minimal required permissions
  • Monitor the script’s resource usage, especially on busy systems
  • Review logged data regularly to ensure sensitive information is not exposed

Customization

The script can be customized in several ways:

  1. Monitoring additional ports: Add new port monitoring in the main loop:

     custom_traffic=$(ss -tn state established "( dport = :YOUR_PORT or sport = :YOUR_PORT )")
     format_traffic "YOUR_PORT (DESCRIPTION)" "$custom_traffic" >> "$TEMP_FILE"

  2. Additional security checks: Modify the check_security function to include custom checks:

     check_security() {
       # Add your custom checks here; declare first, then assign, so the
       # command's exit status is not masked by `local`
       local custom_check
       custom_check=$(your_command_here)
     }

  3. Custom formatting: Modify the format_traffic function to change output formatting:

     format_traffic() {
       # Customize your output format
     }