ruptime is a lightweight remote monitoring tool that connects to multiple servers via SSH and displays their status in a unified view. Like rtop, ruptime doesn’t require agent installation - it uses SSH for connectivity. This guide covers security measures for production ruptime deployments, focusing on SSH security and multi-server access control.
ruptime architecture includes these security-sensitive components:
Key security concerns include SSH key management for multiple servers, command execution security, credential protection, access control across the server fleet, and preventing information disclosure.
ruptime uses SSH for connectivity:
# SSH access (if ruptime connects to these servers)
ufw allow from 10.0.0.0/8 to any port 22 proto tcp
# Block external SSH access
ufw deny from any to any port 22 proto tcp
Configure SSH servers for ruptime connections:
# /etc/ssh/sshd_config
# Restrict to specific users
AllowUsers ruptime-monitor admin
# Security settings
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
MaxAuthTries 3
LoginGraceTime 60
ClientAliveInterval 300
ClientAliveCountMax 2
# Disable unnecessary features
AllowTcpForwarding no
X11Forwarding no
PermitTunnel no
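To confirm that a server actually runs with these values, the effective configuration printed by `sshd -T` can be compared against them. The script below is an added example, not part of ruptime or the original guide; the function names and the sample input are constructed for illustration.

```sh
#!/bin/sh
# Expected values, taken from the sshd_config block above (lowercase keys,
# because that is how `sshd -T` prints them).
EXPECTED="passwordauthentication=no pubkeyauthentication=yes permitrootlogin=no"
EXPECTED="$EXPECTED maxauthtries=3 allowtcpforwarding=no x11forwarding=no permittunnel=no"

# audit_sshd: reads "keyword value" lines on stdin, prints each deviation,
# and returns 1 if any expected setting is wrong or absent.
audit_sshd() {
    awk -v expected="$EXPECTED" '
        BEGIN {
            n = split(expected, pairs, " ")
            for (i = 1; i <= n; i++) {
                split(pairs[i], kv, "=")
                want[kv[1]] = kv[2]
            }
        }
        {
            key = tolower($1)
            if (!(key in want)) next
            seen[key] = 1
            if ($2 != want[key]) {
                printf "MISMATCH %s: got %s, want %s\n", key, $2, want[key]
                bad++
            }
        }
        END {
            for (i = 1; i <= n; i++) {
                split(pairs[i], kv, "=")
                if (!(kv[1] in seen)) {
                    printf "MISSING %s: want %s\n", kv[1], kv[2]
                    bad++
                }
            }
            exit (bad > 0 ? 1 : 0)
        }'
}

# Constructed sample: X11 forwarding left on, permittunnel not reported.
sample_sshd_T() {
    printf '%s\n' 'passwordauthentication no' 'pubkeyauthentication yes' \
        'permitrootlogin no' 'maxauthtries 3' 'allowtcpforwarding no' \
        'x11forwarding yes'
}

# On a real host (as root): sshd -T | audit_sshd
sample_sshd_T | audit_sshd || true
```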
Use SSH keys for all ruptime connections:
# Generate dedicated SSH key for ruptime
ssh-keygen -t ed25519 -f ~/.ssh/ruptime_key -C "ruptime-monitor"
# Copy to all monitored servers
for server in server1 server2 server3; do
    ssh-copy-id -i ~/.ssh/ruptime_key.pub "user@$server"
done
# Set restrictive permissions
chmod 600 ~/.ssh/ruptime_key
chmod 644 ~/.ssh/ruptime_key.pub
Restrict SSH key capabilities on each server:
# ~/.ssh/authorized_keys on remote servers
# Restrict ruptime key to specific commands
command="/usr/local/bin/ruptime-commands.sh",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAA... ruptime-monitor
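`ssh-copy-id` installs the public key without any options, so the restrictions above have to be added by hand on every server. The following audit is an added example (not part of ruptime or the original guide) that flags entries missing the forced command or the forwarding and pty restrictions; the function names and sample file are constructed, and `restrict` is accepted as equivalent to the four `no-*` options.

```sh
#!/bin/sh
# Options this guide puts on the ruptime key (compared case-insensitively).
REQUIRED='no-port-forwarding no-x11-forwarding no-agent-forwarding no-pty'

# audit_authorized_keys: reads an authorized_keys file on stdin, prints
# "line N: <problems>" for each weak entry, returns 1 if any were found.
audit_authorized_keys() {
    awk -v required="$REQUIRED" '
        /^[ \t]*(#|$)/ { next }
        {
            sub(/^[ \t]+/, "")
            # The options field ends at the first space outside double quotes.
            inq = 0
            for (i = 1; i <= length($0); i++) {
                c = substr($0, i, 1)
                if (c == "\"" && substr($0, i - 1, 1) != "\\") inq = !inq
                if (c == " " && !inq) break
            }
            opts = tolower(substr($0, 1, i - 1))
            # A line that starts with the key type has no options at all.
            if (opts ~ /^(ssh-|ecdsa-|sk-)/) opts = ""
            problems = ""
            if (("," opts) !~ /,command="/) problems = " no-forced-command"
            gsub(/"[^"]*"/, "", opts)   # ignore text inside quoted values
            opts = "," opts ","
            if (index(opts, ",restrict,") == 0) {
                n = split(required, req, " ")
                for (j = 1; j <= n; j++)
                    if (index(opts, "," req[j] ",") == 0)
                        problems = problems " missing:" req[j]
            }
            if (problems != "") { printf "line %d:%s\n", NR, problems; bad = 1 }
        }
        END { exit (bad ? 1 : 0) }'
}

# Constructed sample; AAAAPLACEHOLDER stands in for real key material.
sample_authorized_keys() {
    cat <<'EOF'
# ruptime-monitor keys
command="/usr/local/bin/ruptime-commands.sh",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAAPLACEHOLDER ruptime-monitor
ssh-ed25519 AAAAPLACEHOLDER ruptime-monitor
command="/usr/local/bin/ruptime-commands.sh",no-port-forwarding ssh-ed25519 AAAAPLACEHOLDER ruptime-monitor
command="/usr/local/bin/ruptime-commands.sh",restrict ssh-ed25519 AAAAPLACEHOLDER ruptime-monitor
EOF
}

sample_authorized_keys | audit_authorized_keys || true
```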
Create a dedicated user for ruptime on each server:
# Create ruptime monitoring user
useradd -r -s /bin/bash -d /home/ruptime-monitor ruptime-monitor
# Set up SSH access
mkdir -p /home/ruptime-monitor/.ssh
chmod 700 /home/ruptime-monitor/.ssh
chown ruptime-monitor:ruptime-monitor /home/ruptime-monitor/.ssh
Configure limited sudo if needed:
# /etc/sudoers.d/ruptime
ruptime-monitor ALL=(ALL) NOPASSWD: /usr/bin/uptime, /usr/bin/who
Use SSH agent for managing multiple connections:
# Start ssh-agent with timeout
eval "$(ssh-agent -t 1h)"
# Add key once
ssh-add ~/.ssh/ruptime_key
# ruptime will use the agent for all connections
Ensure SSH uses secure protocols on all servers:
# /etc/ssh/sshd_config
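# Only needed on old OpenSSH releases; current releases support protocol 2 only and treat this option as deprecated
Protocol 2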
# Strong ciphers only
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
# Strong MACs only
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
# Strong key exchange
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Use SSH certificates for large server fleets:
# Generate CA key
ssh-keygen -t ed25519 -f ~/.ssh/ruptime_ca -C "ruptime SSH CA"
# Sign user key for all servers
ssh-keygen -s ~/.ssh/ruptime_ca -I ruptime-monitor -n ruptime-monitor ~/.ssh/ruptime_key.pub
# Configure all servers to trust CA
# /etc/ssh/sshd_config
TrustedUserCAKeys /etc/ssh/ruptime_ca_key.pub
Limit commands ruptime can execute on each server:
#!/bin/bash
# /usr/local/bin/ruptime-commands.sh
# Whitelist allowed commands for ruptime
case "$SSH_ORIGINAL_COMMAND" in
    "uptime")
        uptime
        ;;
    "who")
        who
        ;;
    "uname -a")
        uname -a
        ;;
    "cat /etc/os-release")
        cat /etc/os-release
        ;;
    *)
        echo "Command not allowed" >&2
        exit 1
        ;;
esac
Organize servers in ruptime configuration:
# ~/.ruptime/config.yaml
servers:
  production:
    - name: web-01
      host: 10.0.1.10
      user: ruptime-monitor
      key: ~/.ssh/ruptime_key
    - name: web-02
      host: 10.0.1.11
      user: ruptime-monitor
      key: ~/.ssh/ruptime_key
  staging:
    - name: staging-01
      host: 10.0.2.10
      user: ruptime-monitor
      key: ~/.ssh/ruptime_key
  # Disable servers that shouldn't be monitored
  # disabled:
  #   - name: secure-server
  #     host: 10.0.3.10
  #     enabled: false
Limit exposed system information:
# Restrict access to sensitive files
# Use SELinux/AppArmor profiles
# Or filter command output

#!/bin/bash
# /usr/local/bin/ruptime-commands.sh
case "$SSH_ORIGINAL_COMMAND" in
    "uptime")
        # Only show uptime, not full output
        uptime | cut -d',' -f1-3
        ;;
    "who")
        # Only show logged in users, no details
        who | awk '{print $1}'
        ;;
    *)
        # Reject anything not listed above
        echo "Command not allowed" >&2
        exit 1
        ;;
esac
Protect SSH private keys:
# Set restrictive permissions
chmod 600 ~/.ssh/ruptime_key
# Use passphrase for additional security
ssh-keygen -p -f ~/.ssh/ruptime_key
# Consider hardware tokens for key storage
# ssh-keygen -t ed25519-sk -f ~/.ssh/ruptime_key
Protect ruptime configuration:
# Set restrictive permissions
chmod 600 ~/.ruptime/config.yaml
chmod 700 ~/.ruptime/
Never store passwords in configuration:
# ~/.ruptime/config.yaml
# Bad - Never store passwords
# servers:
#   - password: "SecretPass123"
# Good - Use SSH keys
servers:
  - key: ~/.ssh/ruptime_key
Secure connection settings:
# ~/.ruptime/config.yaml
settings:
  timeout: 10            # Connection timeout in seconds
  concurrent: 10         # Max concurrent connections
  strict_host_key: true  # Verify host keys
Enable SSH logging on all servers:
# /etc/ssh/sshd_config
LogLevel VERBOSE
SyslogFacility AUTH
Monitor SSH access:
# Check SSH logs across servers
for server in server1 server2 server3; do
    echo "=== $server ==="
    ssh "$server" "grep 'ruptime' /var/log/auth.log | tail -10"
done
Log ruptime command execution:
# /etc/bash.bashrc on remote servers
if [ "$SSH_ORIGINAL_COMMAND" ]; then
    echo "$(date): $SSH_ORIGINAL_COMMAND by $USER from ${SSH_CONNECTION%% *}" >> /var/log/ruptime-commands.log
fi
Monitor for security events:
#!/bin/bash
# /usr/local/bin/check-ruptime-security.sh
# Check for failed SSH attempts across servers
for server in server1 server2 server3; do
    # grep -c already prints 0 when nothing matches; default to 0 if ssh or grep fails
    FAILED=$(ssh "$server" "grep -c 'Failed.*ruptime' /var/log/auth.log 2>/dev/null")
    if [ "${FAILED:-0}" -gt 10 ]; then
        echo "CRITICAL: Multiple failed SSH attempts on $server"
    fi
done
# Check for unauthorized commands
# Match the command field itself: a bare 'uptime' pattern also matches the user name ruptime-monitor
for server in server1 server2 server3; do
    UNUSUAL=$(ssh "$server" "grep -vcE ': (uptime|who|uname -a|cat /etc/os-release) by ' /var/log/ruptime-commands.log 2>/dev/null")
    if [ "${UNUSUAL:-0}" -gt 0 ]; then
        echo "WARNING: Unusual commands on $server"
    fi
done
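An exact-match version of the unauthorized-command check, as an added example that is not part of ruptime or the original guide. It parses the log format written by the bash.bashrc hook above and compares the command field with the wrapper's allowlist; the function names and the sample log are constructed, and the comparison function shows why a substring pattern such as `uptime` is unreliable here.

```sh
#!/bin/sh
# Allowlist copied from the ruptime-commands.sh wrapper in this guide.
ALLOWED='uptime|who|uname -a|cat /etc/os-release'

# unusual_commands: reads "<date>: <command> by <user> from <ip>" lines on
# stdin and prints every command that is not exactly an allowlisted string.
# Fragments left by a command containing newlines are reported as well.
unusual_commands() {
    awk -v allowed="$ALLOWED" '
        BEGIN { n = split(allowed, a, "|"); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        {
            line = $0
            # Drop the trailing " by <user> from <ip>" written by the hook.
            sub(/ by [^ ]* from [^ ]*$/, "", line)
            # The command starts after the first ": " (end of the date field).
            p = index(line, ": ")
            cmd = (p > 0) ? substr(line, p + 2) : line
            if (!(cmd in ok)) print cmd
        }'
}

# Substring filter for comparison: "uptime" also matches the user name
# "ruptime-monitor", so it counts no unusual lines in the sample below.
substring_count() { grep -vcE '(uptime|who|uname)' || true; }

# Constructed sample log in the format produced by the bash.bashrc hook.
sample_log() {
    cat <<'EOF'
Mon Jan  6 10:15:01 UTC 2025: uptime by ruptime-monitor from 10.0.0.5
Mon Jan  6 10:15:02 UTC 2025: cat /etc/os-release by ruptime-monitor from 10.0.0.5
Mon Jan  6 10:15:03 UTC 2025: uname -a by ruptime-monitor from 10.0.0.5
Mon Jan  6 10:16:40 UTC 2025: ps aux by ruptime-monitor from 10.0.0.9
Mon Jan  6 10:16:41 UTC 2025: uptime; id by ruptime-monitor from 10.0.0.9
EOF
}

sample_log | unusual_commands
```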
Forward SSH logs to SIEM:
# /etc/rsyslog.d/ssh.conf on all servers
:programname, isequal, "sshd" /var/log/ssh/syslog.log
:programname, isequal, "sshd" @siem.company.com:514