Hestia and Netdata

Hi All,

Have any of you tried installing Hestia and Netdata for monitoring?
Or perhaps, any suggestions for server monitoring?

thanks all

Using Icinga2 with the director module here, a bit hard to start with but absolutely powerful when you get it running.

1 Like

Using Icinga2 with director module for it after suggestion from @Raphael

Have made templates for Nginx + PHP/FPM and a plugin to monitor Hestia with it.

1 Like

netdata can be run in parallel, no problem. just remember to open the port for the web-gui in the firewall settings :wink:

@falzo
any idea how to secure it

hehehe, yes it seems a bit hard to start.

Thanks

hmm, I’d say you need to specify what you want to protect against whom or what to make a better suggestion :wink:

if you just do not want to have it publicly accessible, you could use the existing nginx to proxy it to the outside world with basic auth instead of allowing direct access to the port via the firewall.

1 Like

nice idea thanks @falzo

Hi, apologies for reviving an old thread, but rather than start a new one, and if someone comes across this thread in the future like I did today, then this may help.

I did try Netdata’s Reverse Nginx with password auth but could not get it to actually present basic auth. So I went the roundabout route as follows:

First Restrict Netdata to One IP
Netdata makes its webpage available to all and sundry by binding to all ports, so first we shall restrict that.

So we edit:

sudo nano /etc/netdata/netdata.conf

scroll down to the WEB section and change the following

#bind to = localhost *

to

bind to = x.x.x.x  

Where x.x.x.x is your server's main static IP, or secondary IP if you have it. Note you must uncomment this line, obviously.

This ensures that netdata is not available everywhere and bypassing your firewall.

Now we get to restrict who can access this. This can be via ip or domain etc

so scroll down a bit more and you will find:

#allow connections from = 

Uncomment this line if you are doing it by IP and enter the permitted IP you will access from (a static IP you have; I am using my self-hosted VPN IP, for example, as that does not change).

Now you could skip the above step if you have a firewall running (why would you not) but too many checks can never be enough

Restart netdata:

systemctl restart netdata

So currently, netdata is only listening on the main IP and is now behind the firewall and is not available to anyone even your ip you specified at this moment in time.

So all you need to do is open the port in your firewall and boom, netdata available only to you.

But if you are paranoid then restrict access to that port in your firewall to the same static IP you listed above.

If Using CSF (why wouldn’t you be?) you can do that by scrolling and clicking the CSF Web UI to “FIREWALL ALLOW IP’s” and add:

tcp|in|d=19999|s=x.x.x.x

Where x.x.x.x is the static IP you stated in step 2 above. Then save and restart CSF.

I will try the nginx server block again at some point but to be honest, this was quick and easy to do, and works so job done

2 Likes
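A way to check the result of the netdata.conf edits described in the post above, added here as an example and not written by anyone in the thread: it reads the [web] section, ignores settings that are still commented out, and reports a wildcard or missing `bind to` / `allow connections from`. The addresses 192.0.2.10 and 198.51.100.7 and both sample files are constructed placeholders; the parser assumes the `key = value` layout with `#` comments shown in the post.

```python
import re

WILDCARD_HOSTS = {"*", "0.0.0.0", "::"}

def active_settings(conf_text, section="web"):
    """Return the uncommented key/value pairs of one netdata.conf section."""
    settings, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # a commented-out setting is inactive
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip()
        elif current == section and "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings

def bind_host(entry):
    """Strip an optional port from one 'bind to' entry."""
    if entry.startswith("[") and "]" in entry:   # [IPv6]:port
        return entry[1:entry.index("]")]
    if entry.count(":") == 1:                     # IPv4-or-name:port
        return entry.split(":", 1)[0]
    return entry

def audit_web_section(conf_text):
    """List the ways the [web] section still exposes the dashboard."""
    web, findings = active_settings(conf_text), []
    bind = web.get("bind to")
    if not bind:
        findings.append("bind to: not set, the default applies")
    elif {bind_host(e) for e in bind.split()} & WILDCARD_HOSTS:
        findings.append("bind to: listens on every interface")
    allow = web.get("allow connections from")
    if not allow:
        findings.append("allow connections from: not set, the default applies")
    elif "*" in allow.split():
        findings.append("allow connections from: '*' admits any client")
    return findings

# Constructed samples: the file as the post finds it, and after its edits.
BEFORE = "[web]\n\t#bind to = localhost *\n\t#allow connections from = \n"
AFTER = "[web]\n\tbind to = 192.0.2.10\n\tallow connections from = 198.51.100.7\n"

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, audit_web_section(text) or "ok")
```

Run it against a copy of /etc/netdata/netdata.conf by passing the file's text to `audit_web_section`; an empty list means both settings are active and specific.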
