A Stakepool Security Monitoring System

We have recently built a Host Intrusion Detection System (HIDS) for our stake pool, tuned for the Guild Ops Cardano Node directory structure and monitoring.

It's based on OSSEC agents (Releases · ossec/ossec-hids · GitHub) reporting to an OSSEC server linked to Prometheus and Grafana, so you get a nice dashboard and UI for monitoring. A lot of you may already be running Prometheus and Grafana as part of the Guild Ops build, so you will be familiar with these tools.

OSSEC is a very lightweight agent and can run integrity and rootkit checks, as well as parse auth files and monitor directory changes. We are using the Linux agents, but there are agents for Windows and Mac.

Let me know if there is interest and I will write up and share back here.

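The integrity and directory-change checks described in the post above are what OSSEC's syscheck does against the paths listed in its agent configuration. The following is an added example, not code from cnhids or from OSSEC: a minimal shell file-integrity monitor that records a SHA-256 baseline of a directory tree and reports files added, removed or modified since. The watched directory, the baseline path and the sample files are constructed here and are not the Guild Ops layout.

```shell
#!/bin/sh
# Added example, not code from cnhids or OSSEC: a minimal file-integrity
# monitor in the spirit of OSSEC syscheck. fim_baseline records a SHA-256 of
# every regular file under a directory; fim_compare re-hashes the tree and
# reports files that were added, removed or modified since the baseline.
# Requires GNU find/sort/xargs/sha256sum (present on Ubuntu 20.04 LTS).
set -u

# fim_baseline DIR OUT: write "sha256  ./relative/path" lines, one per file.
fim_baseline() {
    ( cd "$1" && find . -type f -print0 | sort -z | xargs -0 sha256sum ) > "$2"
}

# fim_compare DIR BASELINE: print ADDED/MODIFIED/REMOVED lines; prints nothing
# when the tree matches the baseline. Paths containing whitespace are not
# handled, because sha256sum separates hash and path with spaces.
fim_compare() {
    cur=$(mktemp)
    fim_baseline "$1" "$cur"
    awk 'FILENAME == ARGV[1] { old[$2] = $1; next }
         $2 in old     { if (old[$2] != $1) print "MODIFIED " $2 }
         !($2 in old)  { print "ADDED    " $2 }
         { seen[$2] = 1 }
         END { for (p in old) if (!(p in seen)) print "REMOVED  " p }' "$2" "$cur" | sort
    rm -f "$cur"
}

# fim_change_count DIR BASELINE: number of reported changes (0 means clean).
fim_change_count() {
    fim_compare "$1" "$2" | wc -l | tr -d ' '
}

# Constructed demo: a scratch tree standing in for a node's config directory.
demo_dir=$(mktemp -d)
demo_base=$(mktemp)
mkdir -p "$demo_dir/files"
printf 'topology v1\n' > "$demo_dir/files/topology.json"
printf 'node config\n' > "$demo_dir/files/config.json"
fim_baseline "$demo_dir" "$demo_base"

# Simulate the three event types after the baseline was taken.
printf 'topology v2\n' > "$demo_dir/files/topology.json"   # modified
printf 'x\n' > "$demo_dir/files/extra.json"                 # added
rm "$demo_dir/files/config.json"                            # removed

fim_compare "$demo_dir" "$demo_base"
```

Run it once to take the baseline and again from cron or a timer to report drift; a real deployment would also protect the baseline file from the same attacker who can modify the watched tree, which is why OSSEC keeps its database on the agent and forwards alerts to the server.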

Yes, great work - please share.

Hello,

I am interested as well in what you’ve built, it sounds like a great addition to verify that security has not been compromised.

Best,
Jay

Documented here:

It’s a fairly lengthy process, and hopefully it’s accurate. If you find any errors, or anything isn’t clear please feedback so I can correct.

If there’s enough interest I will check in with the GuildOps crew and see if they want to script it and offer as part of their repo (we called it cnhids just in case).

It will be noisy for the first 24 hours, then it should settle down. You can easily drill into events by clicking the hyperlinks on the dashboard, and there are some nice built-in Grafana features to view similar events and see stats. Play around and it's pretty intuitive…

Update 30-01-2021: Added Grafana panel to allow query by host, as well as query by alert level. On GitHub repo (GitHub - cyber-russ/cnhids: cnhids is a Host Intrusion Detection System for cardano node based on OSSEC), or link in the blog.

Update 10-02-2021: Discussing with Guild Ops to script and provide install as part of their stack. Hope to have something for testing in a week or so when we have time to focus on it.


Scripted here: GitHub - cyber-russ/cnhids: cnhids is a Host Intrusion Detection System for cardano node based on OSSEC

  • Some improvements on use cases.
  • Now an (easy) 2 minute install.
  • Discussing integration with GuildOps. Designed as a drop in for the existing script setup_mon.sh.

Feedback welcome on GitHub if you find issues; we've done some testing on Ubuntu 20.04 LTS but there are likely some rough edges still.

UPDATE 06-Mar-2021: We've done a lot more testing on the different deployment options. Better install logic, and most obvious bugs removed. Working well on 20.04 LTS. All software versions are at the latest levels. No critical or high vulnerabilities identified with Qualys scans.


Update 02-October-2021

  • Latest versions of Grafana, Prometheus, Promtail, Loki etc.
  • Upgrade option added to preserve data
  • Some bugs fixed

Repo is now here: GitHub - adavault/cnhids

We’ve been using this for some time now. Very stable, very low impact on performance, no impact on BPNs or relays.