rtop is a remote monitoring tool that connects to servers via SSH and displays real-time system statistics. Unlike traditional monitoring agents, rtop doesn’t require any software installation on remote servers - it uses SSH for connectivity. This guide covers security measures for production rtop deployments, focusing on SSH security and access control.
rtop architecture includes these security-sensitive components:
Key security concerns include SSH key management, command execution security, credential protection, access control to monitored servers, and preventing information disclosure through system metrics.
rtop uses SSH for connectivity, so standard SSH firewall rules apply:
# SSH access (if rtop connects to this server)
ufw allow from 10.0.0.0/8 to any port 22 proto tcp
# Block external SSH access
ufw deny from any to any port 22 proto tcp
Configure SSH server for rtop connections:
# /etc/ssh/sshd_config
# Restrict to specific users
AllowUsers rtop-monitor admin
# Disable forwarding features a monitoring account does not need (network restriction is handled by the firewall rules above)
AllowTcpForwarding no
X11Forwarding no
PermitTunnel no
# Security settings
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
MaxAuthTries 3
LoginGraceTime 60
ClientAliveInterval 300
ClientAliveCountMax 2
Use SSH keys instead of passwords:
# Generate dedicated SSH key for rtop
ssh-keygen -t ed25519 -f ~/.ssh/rtop_key -C "rtop-monitor"
# Copy to remote servers
ssh-copy-id -i ~/.ssh/rtop_key.pub user@remote-server
# Set restrictive permissions
chmod 600 ~/.ssh/rtop_key
chmod 644 ~/.ssh/rtop_key.pub
Restrict SSH key capabilities:
# ~/.ssh/authorized_keys on remote server
# Restrict the rtop key to a single forced command. command= accepts exactly one
# command (a comma-separated list is not valid and would fail to execute), so the
# whitelist of uptime/free/df/cat /proc/* lives in a wrapper that dispatches on
# $SSH_ORIGINAL_COMMAND
command="/usr/local/bin/rtop-commands.sh",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAA... rtop-monitor
Create dedicated user for rtop:
# Create rtop monitoring user with a home directory. The login shell must be a
# real shell: sshd runs the forced command as "$SHELL -c", so /bin/false would
# silently block every rtop command
useradd -r -m -d /home/rtop-monitor -s /bin/sh rtop-monitor
# Set up SSH access only
mkdir -p /home/rtop-monitor/.ssh
chmod 700 /home/rtop-monitor/.ssh
touch /home/rtop-monitor/.ssh/authorized_keys
chmod 600 /home/rtop-monitor/.ssh/authorized_keys
chown -R rtop-monitor:rtop-monitor /home/rtop-monitor/.ssh
Configure sudo for limited commands (only if a monitored command needs root; the wrapper above runs without sudo):
# /etc/sudoers.d/rtop
rtop-monitor ALL=(ALL) NOPASSWD: /usr/bin/uptime, /usr/bin/free, /usr/bin/df
Secure SSH agent usage:
# Start an agent whose loaded keys expire after one hour, then load the rtop key
eval "$(ssh-agent -t 1h)"
ssh-add ~/.ssh/rtop_key
# Or use keychain for persistent agent
eval $(keychain --eval --agents ssh --inherit any ~/.ssh/rtop_key)
Ensure SSH uses secure protocols:
# /etc/ssh/sshd_config
# Only allow secure protocols (current OpenSSH speaks only protocol 2 and
# ignores this directive; it is kept for older servers that still honour it)
Protocol 2
# Strong ciphers only
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
# Strong MACs only
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
# Strong key exchange
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Use SSH certificates for large deployments:
# Generate CA key
ssh-keygen -t ed25519 -f ~/.ssh/ca_key -C "SSH CA"
# Sign user key
ssh-keygen -s ~/.ssh/ca_key -I rtop-monitor -n rtop-monitor ~/.ssh/rtop_key.pub
# Configure server to trust CA
# /etc/ssh/sshd_config
TrustedUserCAKeys /etc/ssh/ca_key.pub
Limit commands rtop can execute:
# ~/.ssh/authorized_keys on remote server
# Only allow read-only monitoring commands
command="/usr/local/bin/rtop-commands.sh",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAA... rtop-monitor
Create wrapper script:
#!/bin/bash
# /usr/local/bin/rtop-commands.sh
# Whitelist allowed commands. Each pattern is an exact match, so anything else,
# including a whitelisted command with appended shell metacharacters, falls
# through to the default case and is rejected
case "$SSH_ORIGINAL_COMMAND" in
"uptime")
uptime
;;
"free -m")
free -m
;;
"df -h")
df -h
;;
"cat /proc/loadavg")
cat /proc/loadavg
;;
"cat /proc/meminfo")
cat /proc/meminfo
;;
"cat /proc/stat")
cat /proc/stat
;;
"cat /proc/net/dev")
cat /proc/net/dev
;;
*)
echo "Command not allowed" >&2
exit 1
;;
esac
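An added check, not part of rtop or this guide, that audits an authorized_keys file and reports any key for the monitoring user that is missing the forced command or one of the no-* options from the entries above. It assumes the wrapper path /usr/local/bin/rtop-commands.sh shown in this guide and runs against a constructed sample file.

```shell
#!/bin/sh
# Added example: audit an authorized_keys file for the rtop-monitor user.
# Every key line must carry the forced command pointing at the guide's wrapper
# plus the four restriction options; anything else is reported.
WRAPPER='command="/usr/local/bin/rtop-commands.sh"'
REQUIRED_OPTS="no-port-forwarding no-X11-forwarding no-agent-forwarding no-pty"

# audit_authorized_keys FILE
# Prints "BAD line N: missing <items>" for each non-compliant key line and
# returns 0 when all key lines comply, 1 otherwise. Checks are substring
# matches on the whole line, which is enough for a file you control.
audit_authorized_keys() {
    file=$1
    rc=0
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        # Skip blank lines and comments
        case "$line" in '' | '#'*) continue ;; esac
        missing=""
        case "$line" in
            *"$WRAPPER"*) ;;
            *) missing="$missing command=" ;;
        esac
        for opt in $REQUIRED_OPTS; do
            case "$line" in
                *"$opt"*) ;;
                *) missing="$missing $opt" ;;
            esac
        done
        if [ -n "$missing" ]; then
            echo "BAD line $lineno: missing$missing"
            rc=1
        fi
    done < "$file"
    return $rc
}

# Constructed sample file: one compliant key, one unrestricted key and one key
# that lacks no-pty. The key material is a placeholder, not a real key.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# rtop-monitor authorized_keys (constructed sample)
command="/usr/local/bin/rtop-commands.sh",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAAplaceholder1 rtop-monitor
ssh-ed25519 AAAAplaceholder2 someone@laptop
command="/usr/local/bin/rtop-commands.sh",no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-ed25519 AAAAplaceholder3 rtop-monitor
EOF
audit_authorized_keys "$SAMPLE" && echo "all keys in $SAMPLE are restricted"
```

Run it against /home/rtop-monitor/.ssh/authorized_keys on each monitored host before enabling the account; the sample run reports lines 3 and 4.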
Control which servers rtop can access:
// ~/.rtop/rtop.json
{
"servers": {
"production": {
"address": "10.0.1.50",
"user": "rtop-monitor",
"key": "~/.ssh/rtop_key",
"allowed": true
},
"staging": {
"address": "10.0.2.50",
"user": "rtop-monitor",
"key": "~/.ssh/rtop_key",
"allowed": true
}
}
}
Limit exposed information:
# The forced-command wrapper is the primary control: it returns only the output
# of the whitelisted commands, so arbitrary files under /proc cannot be read
# Where that is not enough, use SELinux/AppArmor to confine the wrapper itself
Configure proc file permissions:
# Some proc files may contain sensitive information, so review each file before
# extending the wrapper whitelist
# Consider using namespaces or containers for isolation
Protect SSH private keys:
# Set restrictive permissions
chmod 600 ~/.ssh/rtop_key
# Use passphrase for additional security
ssh-keygen -p -f ~/.ssh/rtop_key
# Store keys in secure location
# Consider using hardware tokens (YubiKey) for key storage
Protect rtop configuration:
# Set restrictive permissions
chmod 600 ~/.rtop/rtop.json
chmod 700 ~/.rtop/
Never store passwords in configuration:
// ~/.rtop/rtop.json
// Bad - Never store passwords
// {
// "password": "SecretPass123"
// }
// Good - Use SSH keys
{
"key": "~/.ssh/rtop_key"
}
Secure rtop logs (if logging is enabled):
# Set restrictive permissions
chmod 600 ~/.rtop/rtop.log
Enable SSH logging:
# /etc/ssh/sshd_config
LogLevel VERBOSE
SyslogFacility AUTH
Monitor SSH access:
# Check SSH logs (Debian/Ubuntu path; on journald-only hosts use: journalctl -t sshd | grep rtop)
grep "rtop" /var/log/auth.log
# Monitor failed attempts
grep "Failed" /var/log/auth.log | grep rtop
Log rtop command execution:
# Log every request inside the forced-command wrapper: /etc/profile and
# /etc/bash.bashrc are not read for non-interactive forced commands, so logging
# placed there never fires. Add this line near the top of rtop-commands.sh
# (the log file must exist and be writable by rtop-monitor)
echo "$(date): ${SSH_ORIGINAL_COMMAND:-<none>} by $USER from ${SSH_CLIENT%% *}" >> /var/log/rtop-commands.log
Monitor for security events:
#!/bin/bash
# /usr/local/bin/check-rtop-security.sh
# Check for unauthorized SSH attempts (grep -c prints 0 and exits 1 when nothing
# matches, so "|| echo 0" would produce "0 0"; default only when the value is empty)
FAILED_SSH=$(grep -c "Failed.*rtop" /var/log/auth.log 2>/dev/null)
FAILED_SSH=${FAILED_SSH:-0}
if [ "$FAILED_SSH" -gt 10 ]; then
echo "CRITICAL: Multiple failed SSH attempts for rtop"
exit 2
fi
# Check for command execution anomalies
UNUSUAL=$(grep -vE "(uptime|free|df|cat /proc)" /var/log/rtop-commands.log 2>/dev/null | wc -l)
if [ "$UNUSUAL" -gt 0 ]; then
echo "WARNING: Unusual commands executed via rtop"
exit 1
fi
Forward SSH logs to SIEM:
# /etc/rsyslog.d/ssh.conf
# Keep a local copy and forward sshd events to the SIEM. A single @ sends
# plain UDP; use @@ for TCP, and TLS where the SIEM supports it
:programname, isequal, "sshd" /var/log/ssh/syslog.log
:programname, isequal, "sshd" @siem.company.com:514