Cockpit 217 (license LGPL2.1, http://cockpit-project.org, https://github.com/cockpit-project/cockpit) is a web based server monitoring and management tool. As soon as you run several computers and servers 24 hours a day, 365 days a year, you wonder how to monitor them. Cockpit doesn’t have many dependencies; basically you just need a Linux system that uses systemd as its system and process manager:
sudo pacman -Sy cockpit
The required dependencies are installed automatically. Optionally you need udisks2 (to be replaced with storaged in the future, not yet available in Arch Linux) to show storage information, firewalld to configure the open ports of the firewall and packagekit to show installed packages and available updates.
sudo pacman -Sy udisks2 firewalld packagekit
If you want to enable the web interface permanently on a central access point server, run the following commands, the second one with your normal user:
sudo pacman -Sy cockpit-dashboard
systemctl enable --now cockpit.socket
The cockpit service/web interface is only required on one single, central server. All other remote servers with cockpit installed can be managed from this central instance; there is no need to enable cockpit.socket on them as well. When the central instance connects to a remote server, it creates an SSH tunnel and spins the cockpit functionality up and down on demand.
The web interface is accessible in the browser:
You can replace localhost with an IP address or a domain name. Connecting with a normal IP address or domain name automatically switches the connection to https.
If you use an SSH key with a passphrase, make sure it is identical to the password you use to log in to the central cockpit web frontend; otherwise single sign-on will not work and you will always have to type the password manually to connect to remote machines.
If you have linked multiple servers to your cockpit instance, you should back up the following file:
Let’s Encrypt – Certbot Certificate – Manual
sudo certbot --manual --preferred-challenges dns certonly
Manual procedure example:
- Get a temporary fixed IP address with all required ports (80/443) open and reachable from the internet
- Add this fixed IP to all domains
- Add the TXT record certbot shows for every domain to your DNS, wait 1 minute and then press enter; the certificate is saved in /etc/letsencrypt/live/DOMAINNAME.com/
- root: rm /etc/cockpit/ws-certs.d/DOMAINNAME.com.cert && cat /etc/letsencrypt/live/DOMAINNAME.com/fullchain.pem /etc/letsencrypt/live/DOMAINNAME.com/privkey.pem > /etc/cockpit/ws-certs.d/DOMAINNAME.com.cert
Increase Security of Connections
By default cockpit uses gnutls with 128 bit AES for compatibility. To increase security, do the following (https://gnutls.org/manual/html_node/Priority-Strings.html#Priority-Strings):
TLS 1.3 is available since gnutls 3.6. To check that gnutls resolves the priority string as intended, run:
gnutls-cli --priority SECURE256:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+ECDHE-RSA:+ECDHE-ECDSA:%COMPAT -l
Cipher suites for SECURE256:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+ECDHE-RSA:+ECDHE-ECDSA:%COMPAT
TLS_ECDHE_RSA_AES_256_GCM_SHA384            0xc0, 0x30  TLS1.2
TLS_ECDHE_RSA_CAMELLIA_256_GCM_SHA384       0xc0, 0x8b  TLS1.2
TLS_ECDHE_RSA_CHACHA20_POLY1305             0xcc, 0xa8  TLS1.2
TLS_ECDHE_ECDSA_AES_256_GCM_SHA384          0xc0, 0x2c  TLS1.2
TLS_ECDHE_ECDSA_CAMELLIA_256_GCM_SHA384     0xc0, 0x87  TLS1.2
TLS_ECDHE_ECDSA_CHACHA20_POLY1305           0xcc, 0xa9  TLS1.2
TLS_ECDHE_ECDSA_AES_256_CCM                 0xc0, 0xad  TLS1.2

Certificate types: CTYPE-X.509
Protocols: VERS-TLS1.2
Compression: COMP-NULL
Elliptic curves: CURVE-SECP384R1, CURVE-SECP521R1
PK-signatures: SIGN-RSA-SHA384, SIGN-ECDSA-SHA384, SIGN-RSA-SHA512, SIGN-ECDSA-SHA512
Even though the above setup looks correct, cockpit didn’t consider the setup. Is this a bug?
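Reading the gnutls-cli listing by eye is error-prone, so here is an added helper (not part of the page or of cockpit/gnutls) that parses that listing and checks it against a minimum policy: AEAD suites only, 256 bit keys, forward secrecy, no legacy protocol versions, no TLS compression and no SHA-1 signatures. The sample listing embedded below is constructed from the output shown above; the policy thresholds are this example's own assumptions.

```python
import re
# Constructed sample: the listing this page shows for its SECURE256 priority string (abbreviated).
SAMPLE_LISTING = """\
Cipher suites for SECURE256:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+ECDHE-RSA:+ECDHE-ECDSA:%COMPAT
TLS_ECDHE_RSA_AES_256_GCM_SHA384          0xc0, 0x30  TLS1.2
TLS_ECDHE_RSA_CAMELLIA_256_GCM_SHA384     0xc0, 0x8b  TLS1.2
TLS_ECDHE_RSA_CHACHA20_POLY1305           0xcc, 0xa8  TLS1.2
TLS_ECDHE_ECDSA_AES_256_GCM_SHA384        0xc0, 0x2c  TLS1.2
TLS_ECDHE_ECDSA_CAMELLIA_256_GCM_SHA384   0xc0, 0x87  TLS1.2
TLS_ECDHE_ECDSA_CHACHA20_POLY1305         0xcc, 0xa9  TLS1.2
TLS_ECDHE_ECDSA_AES_256_CCM               0xc0, 0xad  TLS1.2
Protocols: VERS-TLS1.2
Compression: COMP-NULL
Elliptic curves: CURVE-SECP384R1, CURVE-SECP521R1
PK-signatures: SIGN-RSA-SHA384, SIGN-ECDSA-SHA384, SIGN-RSA-SHA512, SIGN-ECDSA-SHA512
"""

# One cipher-suite row: name, two hex id bytes, then the lowest protocol version it needs.
SUITE_RE = re.compile(r"^(TLS_\S+)\s+0x[0-9a-f]{2},\s*0x[0-9a-f]{2}\s+(\S+)$")
LEGACY_VERSIONS = {"VERS-SSL3.0", "VERS-TLS1.0", "VERS-TLS1.1"}

def parse_listing(text):
    """Return {'suites': [{'name', 'version'}], 'sections': {header: [values]}}."""
    suites, sections = [], {}
    for line in text.splitlines():
        m = SUITE_RE.match(line.strip())
        if m:
            suites.append({"name": m.group(1), "version": m.group(2)})
        elif ": " in line and not line.startswith("Cipher suites for"):
            key, _, value = line.partition(": ")
            sections[key.strip()] = [v.strip() for v in value.split(",")]
    return {"suites": suites, "sections": sections}

def audit(parsed, require_256=True):
    """Return policy findings; an empty list means the priority string does what was intended."""
    findings = []
    for s in parsed["suites"]:
        name = s["name"]
        if not any(tag in name for tag in ("_GCM_", "_CHACHA20_", "_CCM")):
            findings.append("non-AEAD suite: " + name)
        if require_256 and "_256_" not in name and "CHACHA20" not in name:
            findings.append("key shorter than 256 bit: " + name)
        # TLS 1.3 suite names omit the key exchange, but TLS 1.3 is always ephemeral.
        if s["version"] != "TLS1.3" and not name.startswith(("TLS_ECDHE_", "TLS_DHE_")):
            findings.append("no forward secrecy: " + name)
    sec = parsed["sections"]
    findings += ["legacy protocol: " + v for v in sec.get("Protocols", []) if v in LEGACY_VERSIONS]
    findings += ["compression enabled: " + v for v in sec.get("Compression", []) if v != "COMP-NULL"]
    findings += ["weak signature: " + v for v in sec.get("PK-signatures", []) if v.endswith(("SHA1", "MD5"))]
    return findings
```

Pipe the real output into parse_listing (for example via subprocess) to audit a candidate priority string before deploying it; the page's listing above passes with no findings.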
2 Factor Authentication
If you want to make the cockpit web interface accessible from the internet, you should use 2-factor authentication.
Install google-authenticator from AUR:
Then run the following command on the central cockpit instance server as a normal user, not as root or via sudo, to generate a secret key.
It is recommended to answer to all security questions with yes.
You will now see a barcode on the terminal. Scan it with your mobile phone.
Write down all the shown security codes in a secure location.
Single Machine Monitoring Tools
There are some system tools that can be really helpful to measure and understand your system.
HDD/SSD: hdparm or iotop
hdparm --direct -tT /dev/XXX
nmap -sP 192.168.1.0/24