This page is useful for at-a-glance checking of my home server (which is currently hosting myhabitat.net).
Below are charts plotting data flowing in and out of the main network interface of the machine, /dev/vr0. The data is measured in bits per second (bps). The charts cover different time spans, starting from 12 hours. In the 12-hour plot, each horizontal pixel of the chart represents one sample, i.e. one measurement. A sample is taken every 60 seconds. Each sample gives me the number of bytes received and sent since the machine was booted up.
Obviously the total number of bytes transferred since boot time is not that exciting. The rate of transfer is much more interesting. You can compare it against a few interesting known quantities, like your ISP's maximum bandwidth (for incoming data, that's typically 8 Mbps in the UK, 50 to 100 Mbps in Japan).
The rate of data transfer is calculated as the difference between one sample and the previous sample divided by the sample interval (60 secs). This is then multiplied by 8 (because there are 8 bits per byte) to get the bps value.
Data is plotted on a logarithmic scale in order to handle large variations, such as a burst of traffic. If it were on a linear scale, small quantities would become too small to plot in relation to the large quantities.
This graph shows how many hits the web server here receives, regardless of the requested object. That means a tiny little thumbnail PNG is counted as much as a big hi-res JPEG. HTML files also count. Anything that you obtain from myhabitat.net via HTTP is going to be counted here.
Here's a link to a page displaying this web server's status (opens in a new tab/window).
AWStats is a comprehensive webstats analysis tool. Gives more stats than you can shake a limp dodo at. Click here to sip from the firehose (in a new tab/window).
My home server is on the public Internet. It is always listening for http connections (from web browsers of family and friends accessing this website). This unfortunately exposes it to attacks from outside. In this day and age almost every broadband-enabled household is getting a barrage of network requests from crackers attempting to identify and exploit weak spots. Most ISPs set up their customers' connection so that everything is locked down reasonably tightly and all incoming connections are ignored. But if you want to host a web site from home, you have to open up a security 'hole' for incoming connections. Every now and then a vulnerability in the form of a software bug (flaw) is discovered in web servers or other public-facing systems. A motivated cracker will try to quickly find a way to exploit the vulnerability before it gets fixed.
Anyway, one common way to launch an attack is to scan through an IP range and try to access popular ports (e.g. HTTP). This is like walking along a line of parked cars on the street and trying to open the door of each one. Once a suitable machine is found, one way to attack that machine is to check if it is accepting remote logins (mine is one that does) and then run a program that attempts repeatedly to log in, guessing the username and password. As it happens, my home server accepts ssh connections, a secure type of remote login. In theory this enables someone outside my home to connect to the machine and take control of it. I deliberately enabled remote ssh login so that I can check on things remotely when I am not at home. Of course, to successfully log in you need the right credentials (e.g. a username and password) and I try to think of difficult-to-guess credentials. It turns out that there are a number of machines out there accepting remote logins with easy-to-guess usernames and passwords, like guest:password or mary:letmein. Why administrators are so lax is baffling and verging on criminal negligence. Crackers will seek out such machines and seize control. Compromised machines are used on a daily basis to send spam (it's very profitable), harvest passwords, launch attacks on computers, and carry out other criminal activity. My machine used to get hundreds of these connection attempts every day. As far as I know none of them succeeded, but I haven't installed intrusion detection tools so I can't be sure. At least every connection attempt gets logged here. If the guy trying to log in failed to provide the correct credentials, an error message is logged.
As a defence against this, in addition to having a difficult-to-guess password, there's a sweet tool called DenyHosts which I've got running in the background. When someone fails to log in, DenyHosts will register that event. It will keep a count of any future attempts from that originating IP address (an IP address is like a postal address for the Internet). A typical attack will attempt to connect many times with a variety of username:password guesses. When this happens DenyHosts will flag that as a malicious login attempt, and blacklist the IP address. Any computers with IPs in the blacklist will immediately be ignored the next time a connection is attempted. This drastically cuts down my error logs.
So finally I get to the point. The graphs below should show the number of remote machines (hosts) that tried and failed to log in to my home server, per day. At the time of this writing I was bouncing about 2-4 loiterers per day.
Update: half a year later, the rate of attacks has not risen. I hope it stays that way!
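The counting described above (failed logins tallied per source IP, a blacklist once a host passes a threshold, and the number of distinct failing hosts per day that the graphs plot) can be sketched as follows. This is an added example, not DenyHosts' own code or anything running on this server; the log lines are constructed, the `THRESHOLD` value and the `scan` function are assumptions made for illustration, and only IPv4 addresses are handled.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the usual OpenSSH syslog layout (documentation IP ranges).
SAMPLE_LOG = """\
Mar  3 04:12:01 home sshd[811]: Failed password for invalid user guest from 203.0.113.5 port 40112 ssh2
Mar  3 04:12:03 home sshd[811]: Failed password for invalid user mary from 203.0.113.5 port 40113 ssh2
Mar  3 04:12:06 home sshd[811]: Failed password for root from 203.0.113.5 port 40115 ssh2
Mar  3 04:12:09 home sshd[811]: Failed password for invalid user admin from 203.0.113.5 port 40118 ssh2
Mar  3 19:30:44 home sshd[902]: Failed password for alice from 198.51.100.7 port 51822 ssh2
Mar  3 19:30:52 home sshd[902]: Accepted password for alice from 198.51.100.7 port 51822 ssh2
Mar  4 02:01:10 home sshd[955]: Failed password for invalid user test from 203.0.113.9 port 33001 ssh2
Mar  4 02:01:12 home sshd[955]: Failed password for invalid user test from 203.0.113.9 port 33002 ssh2
Mar  4 02:01:15 home sshd[955]: Failed password for invalid user oracle from 203.0.113.9 port 33004 ssh2
Mar  4 08:15:00 home sshd[990]: Failed password for alice from 198.51.100.7 port 51900 ssh2
"""

# Anchored at both ends so the address is the field sshd wrote last on the
# line, not text that happens to appear inside the attempted username.
FAILED = re.compile(
    r"^(?P<day>\w{3}\s+\d{1,2}) \d\d:\d\d:\d\d \S+ sshd\[\d+\]: "
    r"Failed password for .* from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

THRESHOLD = 3  # assumed value for this example, not a DenyHosts default

def scan(log_text, threshold=THRESHOLD):
    """Return (blacklist, failing_hosts_per_day) for a block of sshd log text."""
    failures = Counter()             # failed logins seen per source IP
    hosts_by_day = defaultdict(set)  # distinct failing IPs per calendar day
    blacklist = []                   # IPs in the order they hit the threshold
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m is None:
            continue                 # successful logins, other daemons, noise
        ip = m.group("ip")
        day = " ".join(m.group("day").split())  # "Mar  3" -> "Mar 3"
        hosts_by_day[day].add(ip)
        failures[ip] += 1
        if failures[ip] == threshold:
            blacklist.append(ip)
    return blacklist, {day: len(ips) for day, ips in hosts_by_day.items()}

if __name__ == "__main__":
    blocked, per_day = scan(SAMPLE_LOG)
    print("blacklist:", blocked)
    print("failing hosts per day:", per_day)
```

The host that mistyped a password once on each day is counted in the daily totals but stays below the threshold, so it is not blacklisted.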
Since I am a little paranoid about security on my server, I also want to keep track of who is logged into the machine, even though there are currently only two people who have accounts on the machine.