2

I'm trying to securely install monit on Ubuntu 14.04 Trusty. The default packaged version is 5.6. From what I can see, monit is basically unusable without the httpd service enabled (i.e. you can't start, restart or stop monitoring a service). Is this right?

Assuming it is, I'd like to enable httpd, but I'm finding difficulty with setting up authentication. The config I want is to allow root to start/stop the services. How can I achieve this?

I dredged up the 5.6 docs from archive.org and started with the following config:

set httpd port 2812
  use address localhost
  allow localhost

This seems to work OK, and I guess this allows any user to connect. Now I want to lock this down and just let root administer the services. How can I achieve this?

I tried the allow @group syntax with the root group (which the root user is a member of):

set httpd port 2812
  use address localhost
  allow localhost
  allow @root

and restarted.

When I do monit status, I see monit: cannot read status from the monit daemon

When I do monit -v status, I see this:

monit: Debug: Adding host allow 'localhost'
monit: Debug: Skipping redundant host 'localhost'
monit: Debug: Skipping redundant host 'localhost'
monit: Adding PAM group 'root'.

<Long list of all runtime constants and service list omitted>

What am I missing here? Is there some additional pam authentication I need to do or something?

robd

1 Answer

2

The httpd interface has to be turned on for the command line monit to work. The documentation states:

If the Monit command line interface is being used, at least one cleartext password is necessary (see below), otherwise the Monit command line interface will not be able to connect to the Monit web interface.

(Emphasis mine. My hyperlink above points to the doc for 5.6 but it is also true of 5.4 and of the latest version at the time of writing this answer.)

The only two means I know of controlling Monit are connecting with a browser to the httpd interface or using the monit command. So indeed if the httpd interface is not turned on, then Monit will monitor the system but you cannot issue commands to it.

The way I've done it on my system is:

set httpd port 2812 and
   use address localhost
   allow localhost
   allow admin:foo

(Please use a real password, not foo.)

This restricts access to the httpd interface only for users who connect from localhost and who identify themselves as user admin with password foo when the httpd server asks for authentication.

Note that in theory anybody on localhost that knows the user and password can connect. However, a proper system-wide installation of Monit will have the monitrc file set to permissions 0700 and belong to root. When Monit is installed properly and when the password is not shared, then only root can access the httpd interface.

Note: if you want to be able to manage remotely please do not simply extend the scheme above to allow connections from other hosts: the user name and password will go in clear text over the wire.

Louis
  • Thanks very much for this info. I still don't understand why my `allow @group` lines didn't work, but the approach you suggest seems secure enough. *"PAM is supported as well on platforms which provide PAM (such as Linux, Mac OS X, FreeBSD, NetBSD). The syntax is: allow @mygroup which provides access to the user of group called mygroup. Monit uses PAM service called monit for PAM authentication, see PAM manual page for detailed instructions how to set the PAM service and PAM authentication plugins"* – robd Apr 28 '15 at 18:00
  • I interpret the bit of the documentation that I quoted to mean that as far as the command line `monit` is concerned, the only thing that it will use for authentication is the cleartext password that is defined in the configuration file. (Otherwise, if it were able to use pam, for instance, I don't see why we'd *have* to have a cleartext password.) In other words, Monit's *server* is fine using cleartext or pam, but the command line *client* (`monit`) cannot authenticate to the server with anything else than cleartext. – Louis Apr 28 '15 at 18:09
  • Ah I see - interesting. I didn't interpret it that way, mainly because of the bit a few paragraphs above that which describes support for `allow @admins` and `allow @users read-only`: *Finally it is possible to define some users as read-only. A read-only user can read the Monit web pages but will not get access to push-buttons and cannot change a service from the web interface.*. Maybe this only applies to the web interface or something. I had imagined that it was using http auth and then pam on the 'server side' of the http connection. Since I don't know anything about PAM, it's hard to know. – robd Apr 28 '15 at 18:38
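The following shell function is an added example, not part of the original post and not code from the monit project. It checks a monit control file for the points made in Louis's answer: the file is root-owned with mode 0700 or stricter, there is a cleartext `allow user:password` line (the monit command line client cannot authenticate with anything else), the password is not a placeholder such as `foo`, httpd is bound with `use address`, and no host other than localhost is allowed (otherwise the password crosses the wire in cleartext). The placeholder-password list, the optional second argument for the expected owner, and the `/etc/monit/monitrc` path in the usage note are assumptions; `stat -c` is the GNU form found on Ubuntu.

```shell
#!/bin/sh
# monitrc_audit FILE [EXPECTED_UID]
# Added example, not from the original post or from the monit project.
# Checks: owner (root by default), mode 0700 or stricter, a cleartext
# 'allow user:password' line, no placeholder password, 'use address'
# present, and no host entry other than localhost.
# Assumes GNU stat (-c). IPv6 host entries and passwords containing '#'
# are not handled by these simple patterns.

monitrc_audit() {
    f="$1"
    want_uid="${2:-0}"   # expected owner uid; root (0) unless overridden
    rc=0

    [ -f "$f" ] || { echo "FAIL: $f does not exist"; return 1; }

    uid=$(stat -c '%u' "$f")
    mode=$(stat -c '%a' "$f")
    [ "$uid" = "$want_uid" ] || { echo "FAIL: owner uid is $uid, expected $want_uid"; rc=1; }
    case "$mode" in
        700|600|500|400) ;;
        *) echo "FAIL: mode is $mode, expected 0700 or stricter"; rc=1 ;;
    esac

    # Strip comments before matching keywords.
    cfg=$(sed 's/#.*//' "$f")

    # Cleartext credential: 'allow <user>:<password>' (no leading '@', so not a PAM group).
    cred_re='^[[:space:]]*allow[[:space:]]+[^[:space:]@:]+:[^[:space:]]+'
    # Assumed list of placeholder passwords to reject ('foo' is the one in the answer).
    weak_re='^[[:space:]]*allow[[:space:]]+[^[:space:]@:]+:(foo|monit|admin|password|secret)([[:space:]]|$)'
    if printf '%s\n' "$cfg" | grep -Eq "$cred_re"; then
        if printf '%s\n' "$cfg" | grep -Eiq "$weak_re"; then
            echo "FAIL: placeholder password in 'allow user:password' line"; rc=1
        fi
    else
        echo "FAIL: no 'allow user:password' line; the monit CLI cannot authenticate"; rc=1
        if printf '%s\n' "$cfg" | grep -Eq '^[[:space:]]*allow[[:space:]]+@'; then
            echo "      (an 'allow @group' PAM entry alone does not satisfy the CLI)"
        fi
    fi

    # Without 'use address', httpd listens on every interface.
    printf '%s\n' "$cfg" | grep -Eq '^[[:space:]]*use[[:space:]]+address[[:space:]]+' \
        || echo "WARN: no 'use address' line; httpd listens on all interfaces"

    # Host entries: 'allow <host>' with no ':' and no '@'. Anything but localhost
    # means the cleartext password is sent over the network.
    for h in $(printf '%s\n' "$cfg" \
               | grep -E '^[[:space:]]*allow[[:space:]]+[^[:space:]@:]+[[:space:]]*$' \
               | awk '{print $2}'); do
        case "$h" in
            localhost|127.0.0.1) ;;
            *) echo "WARN: 'allow $h' admits remote hosts; the password travels in cleartext" ;;
        esac
    done

    [ "$rc" -eq 0 ] && echo "OK: $f"
    return "$rc"
}
```

Run it as root against the system file, for example `monitrc_audit /etc/monit/monitrc`; a non-zero return means at least one FAIL was printed. The WARN lines do not change the return code, since binding to all interfaces is only a problem once a non-localhost host is allowed, which the second warning reports.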