1. Limit access from host and network
Monit uses an access control list to restrict which sources may connect to the server. Entries can be given either as IP addresses or as hostnames; when a hostname is used, Monit resolves it through the name service to obtain the source IP address.
A host that tries to connect to the server but is not found in the access list is rejected, and the attempt is logged together with its IP address.
For example:

set httpd port 2812 and
    use address 192.168.56.101
    SSL ENABLE
    PEMFILE /opt/monit/monit.pem
    allow localhost
    allow host.abc.com
    allow 10.0.0.1
    allow 10.0.0.0/8

With this configuration, any host NOT in the list (localhost, host.abc.com, 10.0.0.1 and the network 10.0.0.0/8) is denied access to the server. The log file records each host that tries to connect and is rejected:

[PDT Apr 6 20:40:14] error : monit: Denied connection from non-authorized client [192.168.56.1]

2. Basic authentication
There are several ways for the server to challenge a client for authentication information; based on that information the server decides whether to permit or deny the request. The options are:
- An allow statement containing a username and password separated by a colon (:), like this:
set httpd port 2812 allow username:password
This is the CLEAR TEXT type: the password is stored as-is in the configuration file.
- Using PAM
- Using a file in "htpasswd" format. If the passwords in that file are hashed, state the hash type (md5 in this example) in the allow statement:
set httpd port 2812 allow md5 /opt/monit/htpasswd usera userb userc
- Limiting a user's permission to read-only:
set httpd port 2812 allow username:password read-only
It is also possible to combine these methods to match your requirements:

set httpd port 2812 and
    use address 192.168.56.101
    SSL ENABLE
    PEMFILE /opt/monit/monit.pem
    allow 10.0.0.0/8
    allow username:password

This configuration permits connections only from the network 10.0.0.0/8, and only when the client supplies the user "username" with exactly the password "password".
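The two sections above describe the settings that matter for the HTTP interface (a host/network allow list, hashed rather than clear-text credentials, SSL). The following added example, which is not from the original post or from the Monit project, is a small audit script that reads a `set httpd` stanza with regular expressions (a subset of monitrc syntax, an assumption of this example) and reports the weak settings; the two monitrc fragments are constructed samples.

```python
import re

# Constructed sample monitrc fragments (not taken from any real system): the weak
# stanza has no TLS, no host/network restriction and a clear-text password in
# monitrc; the hardened one follows the combined example discussed above.
WEAK_MONITRC = "set httpd port 2812 and\n    allow admin:monit\n"
HARDENED_MONITRC = """\
set httpd port 2812 and
    use address 192.168.56.101
    SSL ENABLE
    PEMFILE /opt/monit/monit.pem
    allow 10.0.0.0/8
    allow md5 /opt/monit/htpasswd usera userb
"""

def httpd_stanza(text):
    """Return the lines of the 'set httpd' block, up to the next set/check statement."""
    lines, inside = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if re.match(r"set\s+httpd\b", line, re.I):
            inside = True
        elif inside and re.match(r"(set|check)\b", line, re.I):
            break
        if inside and line:
            lines.append(line)
    return lines

def audit_httpd(text):
    """List weaknesses in the 'set httpd' stanza; an empty list means none found."""
    stanza, findings, has_acl = httpd_stanza(text), [], False
    if not stanza:
        return []  # no stanza: the HTTP interface is not enabled at all
    if not any(re.match(r"ssl\s+enable", ln, re.I) for ln in stanza):
        findings.append("SSL not enabled: credentials cross the network in clear text")
    for line in stanza:
        m = re.match(r"allow\s+(\S+)", line, re.I)
        if not m:
            continue
        target = m.group(1)
        if re.fullmatch(r"crypt|md5", target, re.I) or target.startswith("@"):
            continue  # hashed htpasswd file or PAM group: a credential rule, not an ACL
        if ":" in target:
            findings.append(f"clear-text password in monitrc for user '{target.split(':')[0]}'")
            continue
        has_acl = True  # an IP, network or hostname entry restricts the source address
    if not has_acl:
        findings.append("no host/network allow entry: any source may connect")
    return findings
```

Run it over each monitrc on a host before enabling the interface; the weak sample yields three findings, the hardened one none.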