98 | Chapter 4: An Initial Internet-Ready Environment
Notice in Figure 4-19 that the status of sshd shows that it is running and that the system is monitoring it. Three lines from the bottom of the screen, you can see the instructions on what to do if sshd fails:
    If failed localhost:22 [SSH] with timeout 5 seconds then restart else if recovered then alert
This policy simply restarts a failed service and sends a message when it successfully restarts.
Finally, monit provides four buttons at the bottom of the page for manual intervention. Now, let's see how this system works.
Installing and Configuring monit
To install monit, you can either use your Linux system package manager or download the tarball from http://www.tildeslash.com/monit. If you're using the Debian setup from Chapter 2, simply enter:
# apt-get install monit
After you've installed monit, edit /etc/monit/monitrc. The file created during installation contains lots of examples, and you can find more configuration examples at http://www.tildeslash.com/monit/doc/examples.php. In our case, we want to:
Figure 4-19. Drilling down to sshd
• Enable the monit web interface on port 2812.
• Monitor the proftpd, sshd, mysql, apache, and postfix services.
• Create a Secure Sockets Layer (https) web interface where we can log in with the username admin.
• Tell monit to send email alerts to root@localhost.
Our /etc/monit/monitrc configuration file looks like this:
set daemon 60
set logfile syslog facility log_daemon
set mailserver localhost
set mail-format { from: monit@server1.centralsoft.org }
set alert root@localhost
set httpd port 2812 and
    SSL ENABLE
    PEMFILE /var/certs/monit.pem
    allow admin:test

check process proftpd with pidfile /var/run/proftpd.pid
    start program = "/etc/init.d/proftpd start"
    stop program = "/etc/init.d/proftpd stop"
    if failed port 21 protocol ftp then restart
    if 5 restarts within 5 cycles then timeout

check process sshd with pidfile /var/run/sshd.pid
    start program = "/etc/init.d/ssh start"
    stop program = "/etc/init.d/ssh stop"
    if failed port 22 protocol ssh then restart
    if 5 restarts within 5 cycles then timeout

check process mysql with pidfile /var/run/mysqld/mysqld.pid
    group database
    start program = "/etc/init.d/mysql start"
    stop program = "/etc/init.d/mysql stop"
    if failed host 127.0.0.1 port 3306 then restart
    if 5 restarts within 5 cycles then timeout

check process apache with pidfile /var/run/apache2.pid
    group www
    start program = "/etc/init.d/apache2 start"
    stop program = "/etc/init.d/apache2 stop"
    if failed host www.centralsoft.org port 80 protocol http
        and request "/monit/token" then restart
    if cpu is greater than 60% for 2 cycles then alert
    if cpu > 80% for 5 cycles then restart
    if totalmem > 500 MB for 5 cycles then restart
    if children > 250 then restart
    if loadavg(5min) greater than 10 for 8 cycles then stop
    if 3 restarts within 5 cycles then timeout

check process postfix with pidfile /var/spool/postfix/pid/master.pid
    group mail
    start program = "/etc/init.d/postfix start"
    stop program = "/etc/init.d/postfix stop"
    if failed port 25 protocol smtp then restart
    if 5 restarts within 5 cycles then timeout
Statements and options are described in the monit documentation at http://www.tildeslash.com/monit/doc/manual.php.
In the apache section of the monit configuration, you'll see this statement:
    if failed host www.centralsoft.org port 80 protocol http
        and request "/monit/token" then restart
This means that monit tries to connect to www.centralsoft.org on port 80 and tries to access the file /monit/token. Because our web site's document root is /var/www/www.centralsoft.org/web, the filename expands to /var/www/www.centralsoft.org/web/monit/token. If monit doesn't succeed, this means Apache isn't running, so monit tries to restart it.
Now we must create the file /var/www/www.centralsoft.org/web/monit/token and
write some arbitrary string into it:
# mkdir /var/www/www.centralsoft.org/web/monit
# echo "hello" > /var/www/www.centralsoft.org/web/monit/token
You can follow a similar procedure on your own system.
Next, create a directory to hold the pem cert file (/var/certs/monit.pem) required for
the SSL-encrypted monit web interface:
# mkdir /var/certs
# cd /var/certs
You'll need an OpenSSL configuration file to create the certificate. The configuration used to generate /var/certs/monit.pem looks like this:
# create RSA certs - Server
RANDFILE = ./openssl.rnd
[ req ]
default_bits = 1024
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
[ req_dn ]
countryName = Country Name (2 letter code)
countryName_default = MO
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Monitoria
localityName = Locality Name (eg, city)
localityName_default = Monittown
organizationName = Organization Name (eg, company)
organizationName_default = Monit Inc.
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Dept. of Monitoring Technologies
commonName = Common Name (FQDN of your server)
commonName_default = server.monit.mo
emailAddress = Email Address
emailAddress_default = root@monit.mo
[ cert_type ]
nsCertType = server
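As an added example (not from the book or the monit project), the following shell script turns a request configuration like the one above into the single PEM file that the PEMFILE directive expects, with both the private key and the certificate in it. It uses its own temporary paths and a 2048-bit key rather than the book's default_bits = 1024, and it writes the key unencrypted: monit starts unattended and cannot answer a passphrase prompt, so the book's encrypt_key = yes would leave the web interface unable to start (pass -nodes to openssl or set encrypt_key = no when you use that file).

```shell
#!/bin/sh
# Added example (not from the book): build a monit.pem from an OpenSSL
# request config. Paths, key size and the CN are this example's choices.
set -eu

# Write a minimal request config. "encrypt_key = no" is deliberate: monit
# runs as a daemon and has no way to type a passphrase for its own key.
write_monit_cnf() {
    cnf=$1
    cat >"$cnf" <<'EOF'
[ req ]
default_bits       = 2048
encrypt_key        = no
prompt             = no
distinguished_name = req_dn
x509_extensions    = cert_type
[ req_dn ]
CN = server.monit.mo
[ cert_type ]
nsCertType = server
EOF
}

# Generate key and self-signed cert into ONE file. openssl appends the
# certificate when -keyout and -out name the same file. The file holds a
# private key, so it is created with a restrictive umask and mode 0600.
make_monit_pem() {
    cnf=$1; pem=$2
    umask 077
    openssl req -new -x509 -days 365 -config "$cnf" \
        -keyout "$pem" -out "$pem"
    chmod 0600 "$pem"
}

# Checks worth running before pointing monitrc at the file: exactly one
# private key, exactly one parseable certificate, and no group/world access.
verify_monit_pem() {
    pem=$1
    [ "$(grep -c 'BEGIN .*PRIVATE KEY' "$pem")" -eq 1 ] || return 1
    [ "$(grep -c 'BEGIN CERTIFICATE' "$pem")" -eq 1 ] || return 1
    openssl x509 -noout -subject -dates -in "$pem" >/dev/null || return 1
    find "$pem" -perm 600 -print | grep -q . || return 1
}
```

Run it as root with the config at /var/certs/monit.cnf and the output at /var/certs/monit.pem to match the PEMFILE line in the monitrc above; `openssl x509 -noout -subject -dates -in /var/certs/monit.pem` shows what monit will present to browsers.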