Cockpit – PC Monitoring and Management

Cockpit 217 (license LGPL2.1, http://cockpit-project.org, https://github.com/cockpit-project/cockpit) is a web-based server monitoring and management tool. As soon as you run several computers and servers around the clock, all year, you start to wonder how to monitor them. Cockpit doesn't have many dependencies; basically you just need a Linux system that runs systemd as its system and process manager:

sudo pacman -Sy cockpit

The required dependencies are installed automatically. Optionally you need udisks2 (to be replaced by storaged in the future, not yet available in Arch Linux) to show storage information, firewalld to configure the open ports of the firewall, and packagekit to show installed and updatable packages.

sudo pacman -Sy udisks2 firewalld packagekit

If you want to enable the web interface permanently on a central access-point server, run the following commands (the second one as your normal user, not with sudo):

sudo pacman -Sy cockpit-dashboard
systemctl enable --now cockpit.socket

The cockpit service/web interface is only required on one single, central server. All other remote servers with cockpit installed can be managed from this central instance; there is no need to enable cockpit.socket on them as well. When you connect from the central instance to a remote server, it creates an SSH tunnel and then spins the cockpit functionality up and down on demand.

The web interface is accessible in the browser:

localhost:9090

You can replace localhost with the IP address or a domain name. Connecting with a regular IP address or domain name automatically switches the connection to https.

If you use an SSH key with a passphrase, make sure that it is identical to the password you use to log in to the central cockpit web frontend; otherwise single sign-on will not work and you will always have to type in the password manually to connect to remote machines.

If you have linked multiple servers to your cockpit instance, you should back up the following file:

/etc/cockpit/machines.d/99-webui.json

Let’s Encrypt – Certbot Certificate – Manual

sudo certbot --manual --preferred-challenges dns certonly

Manual procedure example:

  • Get a temporary fixed IP address with all ports (80/443) open and reachable from the internet
  • Add this fixed IP to all domains
  • Add the TXT record for every domain to your DNS, wait 1 minute and then press enter; the certificate is saved in /etc/letsencrypt/live/DOMAINNAME.com/
  • root: rm /etc/cockpit/ws-certs.d/DOMAINNAME.com.cert && cat /etc/letsencrypt/live/DOMAINNAME.com/fullchain.pem /etc/letsencrypt/live/DOMAINNAME.com/privkey.pem > /etc/cockpit/ws-certs.d/DOMAINNAME.com.cert
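The last step above concatenates the chain and the private key into one file that cockpit reads. The script below is an added example (not from the original post) that performs that step with the checks a deployment script should make: both PEM files must exist and look like PEM, the bundle is written under a private umask so the key is never readable by other users, and the result is set to mode 0600 before it replaces the old file. The function and directory parameters are my own; the directories default to the paths used in the post, and the optional second and third arguments exist so the function can be tried out against a scratch directory first.

```shell
#!/bin/sh
# Added example: assemble /etc/cockpit/ws-certs.d/DOMAIN.cert from a
# Let's Encrypt live directory (fullchain.pem followed by privkey.pem),
# as the manual step in the post does, but with safety checks.
# Usage: install_cockpit_cert DOMAINNAME.com [LE_LIVE_DIR] [COCKPIT_CERT_DIR]
install_cockpit_cert() {
    domain="$1"
    live="${2:-/etc/letsencrypt/live}/$domain"
    certdir="${3:-/etc/cockpit/ws-certs.d}"
    out="$certdir/$domain.cert"

    # Refuse to proceed with half the material.
    for f in "$live/fullchain.pem" "$live/privkey.pem"; do
        [ -r "$f" ] || { echo "install_cockpit_cert: cannot read $f" >&2; return 1; }
    done
    grep -q 'BEGIN CERTIFICATE' "$live/fullchain.pem" ||
        { echo "install_cockpit_cert: fullchain.pem is not a PEM certificate" >&2; return 1; }
    grep -q 'PRIVATE KEY' "$live/privkey.pem" ||
        { echo "install_cockpit_cert: privkey.pem is not a PEM private key" >&2; return 1; }

    # Write the bundle in a subshell with a private umask so the private key
    # is never world-readable, not even for an instant, then swap it into
    # place atomically. mv -f replaces the old .cert file, so no separate
    # rm is needed.
    tmp="$out.tmp.$$"
    ( umask 077 && cat "$live/fullchain.pem" "$live/privkey.pem" > "$tmp" ) ||
        { rm -f "$tmp"; return 1; }
    chmod 0600 "$tmp" && mv -f "$tmp" "$out"
}

# Sanity check for an installed bundle: certificate and key both present,
# file mode exactly 0600. Returns 0 when the bundle passes.
cert_bundle_ok() {
    bundle="$1"
    [ -f "$bundle" ] || return 1
    grep -q 'BEGIN CERTIFICATE' "$bundle" || return 1
    grep -q 'PRIVATE KEY' "$bundle" || return 1
    [ -n "$(find "$bundle" -perm 0600)" ]
}
```

Run it as root after certbot has written the live directory, e.g. `install_cockpit_cert DOMAINNAME.com && cert_bundle_ok /etc/cockpit/ws-certs.d/DOMAINNAME.com.cert`. Because the bundle contains the private key, it should never be more permissive than 0600, which is what cert_bundle_ok enforces.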

Increase Security of Connections

By default cockpit uses gnutls with AES 128-bit for compatibility. To increase security, do the following (https://gnutls.org/manual/html_node/Priority-Strings.html#Priority-Strings):

sudo mkdir /etc/systemd/system/cockpit.service.d
sudo nano /etc/systemd/system/cockpit.service.d/ssl.conf

[Service]
Environment=G_TLS_GNUTLS_PRIORITY=SECURE256:-VERS-ALL:+VERS-TLS1.3:-KX-ALL:%COMPAT

TLS 1.3 is available since gnutls 3.6. To check whether gnutls works correctly, run:

gnutls-cli --priority SECURE256:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+ECDHE-RSA:+ECDHE-ECDSA:%COMPAT -l
Cipher suites for SECURE256:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+ECDHE-RSA:+ECDHE-ECDSA:%COMPAT
TLS_ECDHE_RSA_AES_256_GCM_SHA384                        0xc0, 0x30      TLS1.2
TLS_ECDHE_RSA_CAMELLIA_256_GCM_SHA384                   0xc0, 0x8b      TLS1.2
TLS_ECDHE_RSA_CHACHA20_POLY1305                         0xcc, 0xa8      TLS1.2
TLS_ECDHE_ECDSA_AES_256_GCM_SHA384                      0xc0, 0x2c      TLS1.2
TLS_ECDHE_ECDSA_CAMELLIA_256_GCM_SHA384                 0xc0, 0x87      TLS1.2
TLS_ECDHE_ECDSA_CHACHA20_POLY1305                       0xcc, 0xa9      TLS1.2
TLS_ECDHE_ECDSA_AES_256_CCM                             0xc0, 0xad      TLS1.2

Certificate types: CTYPE-X.509
Protocols: VERS-TLS1.2
Compression: COMP-NULL
Elliptic curves: CURVE-SECP384R1, CURVE-SECP521R1
PK-signatures: SIGN-RSA-SHA384, SIGN-ECDSA-SHA384, SIGN-RSA-SHA512, SIGN-ECDSA-SHA512

Even though the above setup looks correct, cockpit didn't pick up the setting. Is this a bug?
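Before suspecting cockpit itself, it is worth confirming that the drop-in actually contains the intended priority string and that systemd passed it to the unit. The following is an added example, not from the original post: it writes the drop-in from the section above (to a directory of your choice, defaulting to the path used in the post), reads the priority string back, and lints it. The lint is my own definition of "strict" for this page's purpose: every protocol version is removed with -VERS-ALL, only TLS 1.3 is re-enabled, and no legacy version is added back. Function names are mine.

```shell
#!/bin/sh
# Added example: write and lint the cockpit.service drop-in from the post.
TLS_PRIORITY='SECURE256:-VERS-ALL:+VERS-TLS1.3:-KX-ALL:%COMPAT'

# write_tls_dropin [UNIT_DIR] -> writes ssl.conf and prints its path.
# UNIT_DIR defaults to the systemd drop-in directory used in the post.
write_tls_dropin() {
    dir="${1:-/etc/systemd/system/cockpit.service.d}"
    mkdir -p "$dir" || return 1
    printf '%s\n' '[Service]' \
        "Environment=G_TLS_GNUTLS_PRIORITY=$TLS_PRIORITY" > "$dir/ssl.conf" || return 1
    printf '%s\n' "$dir/ssl.conf"
}

# dropin_priority FILE -> prints the priority string stored in the drop-in.
dropin_priority() {
    sed -n 's/^Environment=G_TLS_GNUTLS_PRIORITY=//p' "$1"
}

# priority_is_strict PRIORITY -> 0 when the string disables all protocol
# versions and re-enables only TLS 1.3, 1 otherwise. Keywords are matched as
# whole colon-separated fields, so "+VERS-TLS1.3" is not confused with
# "+VERS-TLS1.2", and "-VERS-ALL" is not satisfied by "+VERS-ALL".
priority_is_strict() {
    p=":$1:"
    case "$p" in *":-VERS-ALL:"*) ;; *) return 1 ;; esac
    case "$p" in *":+VERS-TLS1.3:"*) ;; *) return 1 ;; esac
    for weak in +VERS-TLS1.0 +VERS-TLS1.1 +VERS-TLS1.2 +VERS-SSL3.0 +VERS-ALL; do
        case "$p" in *":$weak:"*) return 1 ;; esac
    done
    return 0
}
```

After writing the drop-in for real, run `sudo systemctl daemon-reload && sudo systemctl restart cockpit.service` and then `systemctl show cockpit.service -p Environment`; if the variable does not appear in that output, systemd never handed it to the service and the drop-in (file name, directory, or a missing daemon-reload) is the problem rather than cockpit.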

2-Factor Authentication

If you want to make the cockpit web interface accessible from the internet, you should use 2-factor authentication.
https://scottlinux.com/2017/05/13/enable-two-factor-auth-for-cockpit-with-google-authenticator

Install google-authenticator from AUR:

yay libpam-google-authenticator

Then run the following command on the central cockpit instance server as a normal user (not as root or with sudo) to generate a secret key.

google-authenticator

It is recommended to answer all security questions with yes.

You will now see a QR code on the terminal. Scan it with your mobile phone.

Write down all the security codes shown in a secure location.

Single Machine Monitoring Tools

There are some system tools that can be really helpful to measure and understand your system.

CPU: htop

GPU: radeontop

HDD/SSD: hdparm or iotop

hdparm --direct -tT /dev/XXX

Network: nmap

nmap -sP 192.168.1.0/24
