Skip to main content

Checking if SSH is responding with Prometheus

The blackbox_exporter allows for a variety of network checks to be performed, with many common modules available out of the box.

Prometheus is a whitebox monitoring system, ingesting metrics exposed from inside applications. Sometimes though you want to check how things look from the outside, which is to say blackbox monitoring. For this Prometheus offers the blackbox_exporter . As an example let's check for the SSH returning the banner.
First we run the blackbox exporter:
wget https://github.com/prometheus/blackbox_exporter/releases/download/v0.10.0/blackbox_exporter-0.10.0.linux-amd64.tar.gz
tar -xzf blackbox_exporter-*.linux-amd64.tar.gz
cd blackbox_exporter-*
./blackbox_exporter
If you visit http://localhost:9115/probe?target=127.0.0.1:22&module=ssh_banner  it'll test to see if SSH on the local machine is responding.
Now let's get Prometheus to use this:
wget https://github.com/prometheus/prometheus/releases/download/v2.0.0/prometheus-2.0.0.linux-amd64.tar.gz
tar -xzf prometheus-*.tar.gz
cd prometheus-*
cat <<'EOF' > prometheus.yml
global:
  scrape_interval: 10s
scrape_configs:
  - job_name: 'blackbox'
    metrics_path: /probe
    params:
      module: [ssh_banner]
    static_configs:
      - targets:
        - 127.0.0.1   # Targets to probe
    relabel_configs:
      # Ensure port is 22, pass as URL parameter
      - source_labels: [__address__]
        regex: (.*)(:.*)?
        replacement: ${1}:22
        target_label: __param_target
      # Make instance label the target
      - source_labels: [__param_target]
        target_label: instance
      # Actually talk to the blackbox exporter though
      - target_label: __address__
        replacement: 127.0.0.1:9115
EOF
./prometheus
You can now see the result of probe_success in the expression browser!
While this example only checks the local machine, you could get a list of targets from any service discovery method - for example EC2 or Consul instead of just static_configs.
The blackbox exporter includes some useful modules out of the box, such as HTTP, TCP, POP3S, IRC and ICMP. The config in blackbox.yml can be expanded to add additional modules that cater to your needs.
One nifty feature is that if a module ends up using TLS/SSL, the exporter will automatically expose when the cert chain will expire. This makes it easy to alert on soon to expire SSL certs.
Labels:

Comments

Post a Comment

https://gengwg.blogspot.com/

Popular posts from this blog

CKA Simulator Kubernetes 1.22

  https://killer.sh Pre Setup Once you've gained access to your terminal it might be wise to spend ~1 minute to setup your environment. You could set these: alias k = kubectl                         # will already be pre-configured export do = "--dry-run=client -o yaml"     # k get pod x $do export now = "--force --grace-period 0"   # k delete pod x $now Vim To make vim use 2 spaces for a tab edit ~/.vimrc to contain: set tabstop=2 set expandtab set shiftwidth=2 More setup suggestions are in the tips section .     Question 1 | Contexts Task weight: 1%   You have access to multiple clusters from your main terminal through kubectl contexts. Write all those context names into /opt/course/1/contexts . Next write a command to display the current context into /opt/course/1/context_default_kubectl.sh , the command should use kubectl . Finally write a second command doing the same thing into ...
Post a Comment
Read more

OWASP Top 10 Threats and Mitigations Exam - Single Select

Last updated 4 Aug 11 Course Title: OWASP Top 10 Threats and Mitigation Exam Questions - Single Select 1) Which of the following consequences is most likely to occur due to an injection attack? Spoofing Cross-site request forgery Denial of service   Correct Insecure direct object references 2) Your application is created using a language that does not support a clear distinction between code and data. Which vulnerability is most likely to occur in your application? Injection   Correct Insecure direct object references Failure to restrict URL access Insufficient transport layer protection 3) Which of the following scenarios is most likely to cause an injection attack? Unvalidated input is embedded in an instruction stream.   Correct Unvalidated input can be distinguished from valid instructions. A Web application does not validate a client’s access to a resource. A Web action performs an operation on behalf of the user without checkin...
2 comments
Read more