## Comments begin with a '#' and extend through the end of the line. Keywords
## are case insensitive. All path's MUST BE FULLY QUALIFIED, starting with '/'.
##
-## Bellow is the example of some frequently used statements. For information
-## about the control file, a complete list of statements and options please
-## have a look in the monit manual.
+## Below you will find examples of some frequently used statements. For
+## information about the control file, a complete list of statements and
+## options please have a look in the monit manual.
##
##
###############################################################################
## Global section
###############################################################################
##
-## Start monit in background (run as daemon) and check the services at 2-minute
-## intervals.
+## Start monit in the background (run as a daemon) and check services at
+## 2-minute intervals.
#
# set daemon 120
#
#
## Set syslog logging with the 'daemon' facility. If the FACILITY option is
-## omited, monit will use 'user' facility by default. You can specify the
-## path to the file for monit native logging.
+## omitted, monit will use 'user' facility by default. If you want to log to
+## a stand alone log file instead, specify the path to a log file
#
-# set logfile syslog facility log_daemon
+# set logfile syslog facility log_daemon
#
#
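Review bot: the `set logfile syslog facility log_daemon` pair shows no visible difference between the removed and added line, so this is a whitespace-only change that can be dropped to keep the patch to real edits. In the same region the new comment sentence ending "specify the path to a log file" lacks its terminating period.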
-## Set list of mailservers for alert delivery. Multiple servers may be
-## specified using comma separator. By default monit uses port 25 - it is
-## possible to override it with the PORT option.
+## Set the list of mail servers for alert delivery. Multiple servers may be
+## specified using comma separator. By default monit uses port 25 - this
+## is possible to override with the PORT option.
#
# set mailserver mail.bar.baz, # primary mailserver
# backup.bar.baz port 10025, # backup mailserver on port 10025
# localhost # fallback relay
#
#
-## By default monit will drop the event alert, in the case that there is no
-## mailserver available. In the case that you want to keep the events for
-## later delivery retry, you can use the EVENTQUEUE statement. The base
-## directory where undelivered events will be stored is specified by the
-## BASEDIR option. You can limit the maximal queue size using the SLOTS
-## option (if omited then the queue is limited just by the backend filesystem).
+## By default monit will drop alert events if no mail servers are available.
+## If you want to keep the alerts for a later delivery retry, you can use the
+## EVENTQUEUE statement. The base directory where undelivered alerts will be
+## stored is specified by the BASEDIR option. You can limit the maximal queue
+## size using the SLOTS option (if omitted, the queue is limited by space
+## available in the back end filesystem).
#
# set eventqueue
# basedir /var/monit # set the base directory where events will be stored
## monit #
## --8<--
##
-## You can override the alert message format or its parts such as subject
+## You can override this message format or parts of it, such as subject
## or sender using the MAIL-FORMAT statement. Macros such as $DATE, etc.
-## are expanded on runtime. For example to override the sender:
+## are expanded at runtime. For example, to override the sender:
#
# set mail-format { from: monit@foo.bar }
#
#
-## You can set the alert recipients here, which will receive the alert for
-## each service. The event alerts may be restricted using the list.
+## You can set alert recipients here whom will receive alerts if/when a
+## service defined in this file has errors. Alerts may be restricted on
+## events by using a filter as in the second example below.
#
# set alert sysadm@foo.bar # receive all alerts
# set alert manager@foo.bar only on { timeout } # receive just service-
# # timeout alert
#
#
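Review bot: grammar in the added comment: "recipients here whom will receive alerts" should read "recipients here who will receive alerts". The wording "a filter as in the second example below" is fine since the `only on { timeout }` line directly follows.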
-## Monit has an embedded webserver, which can be used to view the
-## configuration, actual services parameters or manage the services using the
-## web interface.
+## Monit has an embedded web server which can be used to view status of
+## services monitored, the current configuration, actual services parameters
+## and manage services from a web interface.
#
# set httpd port 2812 and
# use address localhost # only accept connection from localhost
## Services
###############################################################################
##
-## Check the general system resources such as load average, cpu and memory
-## usage. Each rule specifies the tested resource, the limit and the action
-## which will be performed in the case that the test failed.
+## Check general system resources such as load average, cpu and memory
+## usage. Each test specifies a resource, conditions and the action to be
+## performed should a test fail.
#
# check system myhost.mydomain.tld
# if loadavg (1min) > 4 then alert
#
#
## Check a file for existence, checksum, permissions, uid and gid. In addition
-## to the recipients in the global section, customized alert will be send to
-## the additional recipient. The service may be grouped using the GROUP option.
+## to alert recipients in the global section, customized alert will be sent to
+## additional recipients by specifying a local alert handler. The service may
+## be grouped using the GROUP option.
#
# check file apache_bin with path /usr/local/apache/bin/httpd
# if failed checksum and
# group server
#
#
-## Check that a process is running, responding on the HTTP and HTTPS request,
-## check its resource usage such as cpu and memory, number of childrens.
-## In the case that the process is not running, monit will restart it by
-## default. In the case that the service was restarted very often and the
-## problem remains, it is possible to disable the monitoring using the
-## TIMEOUT statement. The service depends on another service (apache_bin) which
-## is defined in the monit control file as well.
+## Check that a process is running, in this case Apache, and that it respond
+## to HTTP and HTTPS requests. Check its resource usage such as cpu and memory,
+## and number of children. If the process is not running, monit will restart
+## it by default. In case the service was restarted very often and the
+## problem remains, it is possible to disable monitoring using the TIMEOUT
+## statement. This service depends on another service (apache_bin) which
+## is defined above.
#
# check process apache with pidfile /usr/local/apache/logs/httpd.pid
# start program = "/etc/init.d/httpd start"
# group server
#
#
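Review bot: grammar in the added Apache comment: "and that it respond to HTTP and HTTPS requests" should be "and that it responds to HTTP and HTTPS requests". The pointer "defined above" is correct only while the `check file apache_bin` block stays earlier in this file; if services get moved into `/etc/monit.d/*` via the include at the end, "defined in this control file" is the safer phrasing.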
-## Check the device permissions, uid, gid, space and inode usage. Other
-## services such as databases may depend on this resource and automatical
-## graceful stop may be cascaded to them before the filesystem will become
-## full and the data will be lost.
+## Check device permissions, uid, gid, space and inode usage. Other services,
+## such as databases, may depend on this resource and an automatically graceful
+## stop may be cascaded to them before the filesystem will become full and data
+## lost.
#
# check device datafs with path /dev/sdb1
# start program = "/bin/mount /data"
# group server
#
#
-## Check a file's timestamp: when it becomes older then 15 minutes, the
-## file is not updated and something is wrong. In the case that the size
-## of the file exceeded given limit, perform the script.
+## Check a file's timestamp. In this example, we test if a file is older
+## than 15 minutes and assume something is wrong if its not updated. Also,
+## if the file size exceed a given limit, execute a script
#
# check file database with path /data/mydatabase.db
# if failed permission 700 then alert
# if size > 100 MB then exec "/my/cleanup/script"
#
#
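Review bot: two slips in the added timestamp comment: "if its not updated" should be "if it's not updated", and "if the file size exceed a given limit, execute a script" should be "exceeds a given limit, execute a script." (with a closing period). Note also that the visible example rules below test permission and size, so the 15-minute timestamp rule the comment describes is not shown in this excerpt.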
-## Check the directory permission, uid and gid. An event is triggered
-## if the directory does not belong to the user with the uid 0 and
-## the gid 0. In the addition the permissions have to match the octal
-## description of 755 (see chmod(1)).
+## Check directory permission, uid and gid. An event is triggered if the
+## directory does not belong to the user with uid 0 and gid 0. In addition,
+## the permissions have to match the octal description of 755 (see chmod(1)).
#
# check directory bin with path /bin
# if failed permission 755 then unmonitor
# if failed gid 0 then unmonitor
#
#
-## Check the remote host network services availability and the response
-## content. One of three pings, a successfull connection to a port and
-## application level network check is performed.
+## Check a remote host network services availability using a ping test and
+## check response content from a web server. Up to three pings are sent and
+## connection to a port and a application level network check is performed.
#
# check host myserver with address 192.168.1.1
# if failed icmp type echo count 3 with timeout 3 seconds then alert
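Review bot: grammar in the added remote-host comment: "a application level network check" should be "an application level network check". The phrase "Up to three pings are sent" matches the `icmp type echo count 3` rule shown.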
## Includes
###############################################################################
##
-## It is possible to include the configuration or its parts from other files or
+## It is possible to include additional configuration parts from other files or
## directories.
#
# include /etc/monit.d/*
message: monit $ACTION $SERVICE at $DATE on $HOST
}
set mailserver 127.0.0.1
-set alert root@localhost only on { uid, gid, size, nonexist, data, icmp, instance, invalid, exec, timeout, resource, checksum, match, timestamp, connection, permission }
+set alert root@lenny-amd64.local only on { uid, gid, size, nonexist, data, icmp, instance, invalid, exec, timeout, resource, checksum, match, timestamp, connection, permission }
#set httpd port 2812 and use address 127.0.0.1
#allow localhost
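Review bot: the alert recipient changes from `root@localhost` to `root@lenny-amd64.local` while `set mailserver 127.0.0.1` stays; confirm the local MTA accepts mail for the lenny-amd64.local domain, otherwise every alert bounces silently and the `only on { ... }` filter never delivers anything. Leaving `#set httpd port 2812 and use address 127.0.0.1` / `#allow localhost` commented out is the safe default: the embedded web server stays off until an explicit bind address and allow list are chosen.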
-# /etc/ntp.conf, configuration for ntpd
+# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
driftfile /var/lib/ntp/ntp.drift
-statsdir /var/log/ntpstats/
+
+
+# Enable this if you want statistics to be logged.
+#statsdir /var/log/ntpstats/
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
server st.ntp.carnet.hr
server os.ntp.carnet.hr
-# pool.ntp.org maps to more than 300 low-stratum NTP servers.
-# Your server will pick a different set every time it starts up.
-# *** Please consider joining the pool! ***
-# *** <http://www.pool.ntp.org/join.html> ***
-#server 0.debian.pool.ntp.org iburst
-#server 1.debian.pool.ntp.org iburst
-#server 2.debian.pool.ntp.org iburst
-#server 3.debian.pool.ntp.org iburst
+# pool.ntp.org maps to about 1000 low-stratum NTP servers. Your server will
+# pick a different set every time it starts up. Please consider joining the
+# pool: <http://www.pool.ntp.org/join.html>
+#server 0.debian.pool.ntp.org iburst dynamic
+#server 1.debian.pool.ntp.org iburst dynamic
+#server 2.debian.pool.ntp.org iburst dynamic
+#server 3.debian.pool.ntp.org iburst dynamic
+
+
+# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
+# details. The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
+# might also be helpful.
+#
+# Note that "restrict" applies to both servers and clients, so a configuration
+# that might be intended to block requests from certain clients could also end
+# up blocking replies from your own upstream servers.
# By default, exchange time with everybody, but don't allow configuration.
-# See /usr/share/doc/ntp-doc/html/accopt.html for details.
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
restrict 127.0.0.1
restrict ::1
-# Clients from this (example!) subnet have unlimited access,
-# but only if cryptographically authenticated
-#restrict 192.168.123.0 mask 255.255.255.0 notrust
+# Clients from this (example!) subnet have unlimited access, but only if
+# cryptographically authenticated.
+#restrict 192.168.123.0 mask 255.255.255.0 notrust
+
# If you want to provide time to your local subnet, change the next line.
# (Again, the address is an example only.)
#broadcast 192.168.123.255
-# If you want to listen to time broadcasts on your local subnet,
-# de-comment the next lines. Please do this only if you trust everybody
-# on the network!
+# If you want to listen to time broadcasts on your local subnet, de-comment the
+# next lines. Please do this only if you trust everybody on the network!
#disable auth
#broadcastclient
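Review bot: `statsdir /var/log/ntpstats/` is commented out but the unchanged `statistics loopstats peerstats clockstats` and `filegen loopstats ...` lines stay active, so the statistics files are now written to ntpd's compiled-in default directory instead of /var/log/ntpstats; either comment those two lines out as well or keep the statsdir line. The unchanged `restrict -4/-6 default ... nomodify nopeer noquery` lines are what stop remote hosts from issuing mode 6/7 control and monitor queries (the amplification path), with `restrict 127.0.0.1` / `restrict ::1` granting full access to localhost only; keep them as they are. Minor: the `dynamic` keyword on the commented pool lines is accepted by ntpd of this era but treated as obsolete by later releases, so it can be omitted when these lines are enabled.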
-# /etc/ntp.conf, configuration for ntpd
+# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
driftfile /var/lib/ntp/ntp.drift
-statsdir /var/log/ntpstats/
+
+
+# Enable this if you want statistics to be logged.
+#statsdir /var/log/ntpstats/
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
# You do need to talk to an NTP server or two (or three).
#server ntp.your-provider.example
-# pool.ntp.org maps to more than 300 low-stratum NTP servers.
-# Your server will pick a different set every time it starts up.
-# *** Please consider joining the pool! ***
-# *** <http://www.pool.ntp.org/join.html> ***
-server 0.debian.pool.ntp.org iburst
-server 1.debian.pool.ntp.org iburst
-server 2.debian.pool.ntp.org iburst
-server 3.debian.pool.ntp.org iburst
+# pool.ntp.org maps to about 1000 low-stratum NTP servers. Your server will
+# pick a different set every time it starts up. Please consider joining the
+# pool: <http://www.pool.ntp.org/join.html>
+server 0.debian.pool.ntp.org iburst dynamic
+server 1.debian.pool.ntp.org iburst dynamic
+server 2.debian.pool.ntp.org iburst dynamic
+server 3.debian.pool.ntp.org iburst dynamic
+
+
+# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
+# details. The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
+# might also be helpful.
+#
+# Note that "restrict" applies to both servers and clients, so a configuration
+# that might be intended to block requests from certain clients could also end
+# up blocking replies from your own upstream servers.
# By default, exchange time with everybody, but don't allow configuration.
-# See /usr/share/doc/ntp-doc/html/accopt.html for details.
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
restrict 127.0.0.1
restrict ::1
-# Clients from this (example!) subnet have unlimited access,
-# but only if cryptographically authenticated
-#restrict 192.168.123.0 mask 255.255.255.0 notrust
+# Clients from this (example!) subnet have unlimited access, but only if
+# cryptographically authenticated.
+#restrict 192.168.123.0 mask 255.255.255.0 notrust
+
# If you want to provide time to your local subnet, change the next line.
# (Again, the address is an example only.)
#broadcast 192.168.123.255
-# If you want to listen to time broadcasts on your local subnet,
-# de-comment the next lines. Please do this only if you trust everybody
-# on the network!
+# If you want to listen to time broadcasts on your local subnet, de-comment the
+# next lines. Please do this only if you trust everybody on the network!
#disable auth
#broadcastclient
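Review bot: this file differs from the previous one only in that the four `server N.debian.pool.ntp.org iburst dynamic` lines are live rather than commented out, so the pool replaces whatever upstream this host used before; verify that is intended here (the previous host keeps its carnet.hr servers). The same statsdir point applies: `statistics` and `filegen` remain active after `#statsdir` is commented out. `#disable auth` and `#broadcastclient` stay commented, which is correct given the "only if you trust everybody on the network" warning that precedes them.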
# - stack - max stack size (KB)
# - cpu - max CPU time (MIN)
# - nproc - max number of processes
-# - as - address space limit
+# - as - address space limit (KB)
# - maxlogins - max number of logins for this user
# - maxsyslogins - max number of logins on the system
# - priority - the priority to run user process with
# - locks - max number of file locks the user can hold
# - sigpending - max number of pending signals
# - msgqueue - max memory used by POSIX message queues (bytes)
-# - nice - max nice priority allowed to raise to
+# - nice - max nice priority allowed to raise to values: [-20, 19]
# - rtprio - max realtime priority
+# - chroot - change root to directory (Debian-specific)
#
#<domain> <type> <item> <value>
#
#@faculty soft nproc 20
#@faculty hard nproc 50
#ftp hard nproc 0
+#ftp - chroot /ftp
#@student - maxlogins 4
# End of file
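Review bot: the new `chroot` item is marked Debian-specific in the added comment, so `#ftp - chroot /ftp` is non-portable and should stay an example only; when enabled, pam_limits applies the chroot to every PAM session for that user (not just the FTP daemon), so whatever that session runs must exist under /ftp. The `-` type on that line means both soft and hard, which is consistent with the `#@student - maxlogins 4` example. The added `(KB)` for `as` and the `[-20, 19]` range for `nice` are useful documentation additions.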
# - stack - max stack size (KB)
# - cpu - max CPU time (MIN)
# - nproc - max number of processes
-# - as - address space limit
+# - as - address space limit (KB)
# - maxlogins - max number of logins for this user
# - maxsyslogins - max number of logins on the system
# - priority - the priority to run user process with
# - locks - max number of file locks the user can hold
# - sigpending - max number of pending signals
# - msgqueue - max memory used by POSIX message queues (bytes)
-# - nice - max nice priority allowed to raise to
+# - nice - max nice priority allowed to raise to values: [-20, 19]
# - rtprio - max realtime priority
+# - chroot - change root to directory (Debian-specific)
#
#<domain> <type> <item> <value>
#
#@faculty soft nproc 20
#@faculty hard nproc 50
#ftp hard nproc 0
+#ftp - chroot /ftp
#@student - maxlogins 4
# End of file
#
#kernel.domainname=example.com
#kernel.printk=4 4 1 7
-#net.ipv4.conf.default.forwarding=1
+#net.ipv4.conf.all.accept_redirects=0
+#net.ipv4.conf.all.accept_source_route=0
+#net.ipv4.conf.all.log_martians=1
+#net.ipv4.conf.all.rp_filter=1
+#net.ipv4.conf.all.send_redirects=0
#net.ipv4.conf.default.rp_filter=1
#net.ipv4.icmp_echo_ignore_broadcasts=1
-#net.ipv6.conf.default.forwarding=1
-kernel.exec-shield=3
+#net.ipv4.icmp_ignore_bogus_error_responses=1
+#net.ipv4.ip_forward=1
+#net.ipv6.conf.all.accept_redirects=0
+#net.ipv6.conf.all.accept_source_route=0
+#net.ipv6.conf.all.forwarding=1
kernel.maps_protect=1
net.core.rmem_default=1048576
net.core.wmem_default=1048576
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.ip_forward=0
net.ipv4.ip_local_port_range=10000 65000
-net.ipv4.tcp_congestion_control=cubic
net.ipv4.tcp_ecn=0
-net.ipv4.tcp_max_syn_backlog=8192
+net.ipv4.tcp_max_syn_backlog=1024
net.ipv4.tcp_retries1=2
net.ipv4.tcp_rfc1337=1
net.ipv4.tcp_syncookies=1
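Review bot: `net.ipv4.tcp_max_syn_backlog` drops from 8192 to 1024, which cuts the half-open connection capacity eightfold; `net.ipv4.tcp_syncookies=1` below it keeps the host reachable when the queue overflows, but if the old value was tuned for a public-facing service it is worth keeping. Removing `kernel.exec-shield=3` is correct on Debian: that sysctl exists only in the Red Hat exec-shield patch, not in the mainline kernel. The unchanged `kernel.maps_protect=1` deserves the same check, since that key was removed from mainline in 2.6.27 and `sysctl -p` reports an unknown key on newer kernels. The commented hardening additions (`accept_redirects=0`, `accept_source_route=0`, `log_martians=1`, `send_redirects=0`) match the active `net.ipv4.ip_forward=0` on this non-router host and could be enabled rather than left as comments.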
#
# /etc/sysctl.conf - Configuration file for setting system variables
+# See /etc/sysctl.d/ for additonal system variables
# See sysctl.conf (5) for information.
#
#kernel.domainname = example.com
-#net/ipv4/icmp_echo_ignore_broadcasts=1
# Uncomment the following to stop low-level messages on console
#kernel.printk = 4 4 1 7
# Functions previously found in netbase
#
-# Uncomment the next line to enable Spoof protection (reverse-path filter)
+# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
+# Turn on Source Address Verification in all interfaces to
+# prevent some spoofing attacks
#net.ipv4.conf.default.rp_filter=1
+#net.ipv4.conf.all.rp_filter=1
# Uncomment the next line to enable TCP/IP SYN cookies
+# This disables TCP Window Scaling (http://lkml.org/lkml/2008/2/5/167),
+# and is not recommended.
#net.ipv4.tcp_syncookies=1
# Uncomment the next line to enable packet forwarding for IPv4
-#net.ipv4.conf.default.forwarding=1
+#net.ipv4.ip_forward=1
# Uncomment the next line to enable packet forwarding for IPv6
-#net.ipv6.conf.default.forwarding=1
+#net.ipv6.conf.all.forwarding=1
+
+
+###################################################################
+# Additional settings - these settings can improve the network
+# security of the host and prevent against some network attacks
+# including spoofing attacks and man in the middle attacks through
+# redirection. Some network environments, however, require that these
+# settings are disabled so review and enable them as needed.
+#
+# Ignore ICMP broadcasts
+#net.ipv4.icmp_echo_ignore_broadcasts = 1
+#
+# Ignore bogus ICMP errors
+#net.ipv4.icmp_ignore_bogus_error_responses = 1
+#
+# Do not accept ICMP redirects (prevent MITM attacks)
+#net.ipv4.conf.all.accept_redirects = 0
+#net.ipv6.conf.all.accept_redirects = 0
+# _or_
+# Accept ICMP redirects only for gateways listed in our default
+# gateway list (enabled by default)
+# net.ipv4.conf.all.secure_redirects = 1
+#
+# Do not send ICMP redirects (we are not a router)
+#net.ipv4.conf.all.send_redirects = 0
+#
+# Do not accept IP source route packets (we are not a router)
+#net.ipv4.conf.all.accept_source_route = 0
+#net.ipv6.conf.all.accept_source_route = 0
+#
+# Log Martian Packets
+#net.ipv4.conf.all.log_martians = 1
+#
+# The contents of /proc/<pid>/maps and smaps files are only visible to
+# readers that are allowed to ptrace() the process
+# kernel.maps_protect = 1
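Review bot: the added comment that SYN cookies "disables TCP Window Scaling ... and is not recommended" overstates the cost: cookies are only used for connections accepted while the SYN queue is overflowing, so options are lost only on that fallback path, and the other sysctl.conf on this page enables `net.ipv4.tcp_syncookies=1` for exactly that reason; consider softening the comment so it does not discourage enabling the setting. Typo in the added header line: "additonal" should be "additional". The `# kernel.maps_protect = 1` comment at the end is harmless as a comment, but the key no longer exists on kernels from 2.6.27 on, so enabling it will produce an error rather than a protection.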