Install Secure Monit for Home Media Server Monitoring

Monitoring Linux systems securely is important for home media server management. Use Monit to monitor your media server services and send email alerts if things have gone wrong. I personally use secure Monit on my web servers and media servers with https so nobody can sniff my password. Monit has a very powerful configuration syntax that allows a flexible way to monitor the health of all of your usenet, torrent or media server services.

I have already shown how to monitor Plex Media Server and restart it automatically if the Plex process has stopped in this guide. This monit tutorial shows you how to install monit securely on Ubuntu and Debian systems. I also show you how to use your gmail account to send monit alerts from your home media server. This is a monit installation using https and your own self-signed certificate.

Updated January 26, 2016: fixed mail settings and sudo omissions


Install Secure Monit to Monitor Home Media Server

Here is what the Monit configurations essentially do for each service:

  • Monitors the existence of the pid file; if it is no longer present, the program is restarted
  • Tests if port or unix socket is open on the loopback address
  • Tests if a URL is accessible and returns specific content

I have already prepared a thorough guide for most media server programs posted here.

Secure Monit with SSL Certificate

We need an SSL certificate for Monit in order to look at the Monit web interface securely.

Install OpenSSL

sudo apt-get install openssl -y

Create certs folder

sudo mkdir -p /var/certs

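Generate a key and self-signed certificate. You can enter the information it prompts for if you want, but it is not necessary; you can just leave it blank. The -nodes option leaves the private key unencrypted, and both the key and the certificate are written to /var/certs/monit.pem.

If you want to increase the validity period, increase 365 to something like 36500 (100 years).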

sudo openssl req -new -x509 -days 365 -nodes -out /var/certs/monit.pem -keyout /var/certs/monit.pem

Modify the permissions to prevent this error:

monit: The SSL server PEM file '/var/certs/monit.pem' must have permissions no more than -rwx------ (0700); right now permissions are -rw-r--r-- (0644).
/etc/monit/monitrc:124: Error: SSL server PEM file permissions check failed 'allow'

This command changes the permissions of the monit ssl certificate

sudo chmod 0700 /var/certs/monit.pem

Install Monit from Repository

Easy as always straight from the repository

sudo apt-get install monit -y

Back up the old Monit configuration

sudo mv /etc/monit/monitrc /etc/monit/monitrc.bak

Open the Monit configuration

sudo nano /etc/monit/monitrc

Paste the block below while making appropriate changes

This Monit configuration assumes you are using a Gmail account for sending and receiving notifications.

You will need to uncomment the lines under Mail settings by deleting the # to activate them.

Set the username “htpc” and password “guides” to your Gmail credentials.

Set alert to the email address on which you wish to receive the Monit emails. When using Google, set the account to allow insecure apps (other solutions here). This is disabled by default, so remove the # to enable it.

The http settings set the port and address for Monit to listen on.

If you do use free Dynamic DNS, comment out the allow 0.0.0.0 line by preceding it with # and uncomment (remove the #) the allow htpcguides.crabdance.com line. This will effectively whitelist only your home IP to access Monit.

You should change the allow htpc:guides line to the username and password you want to use to access Monit.

If you don't use Dynamic DNS, comment that line out with a # symbol.

  set daemon 60 #check services every 60 seconds
  set logfile /var/log/monit.log
  set idfile /var/lib/monit/id
  set statefile /var/lib/monit/state

#Event queue
  set eventqueue
      basedir /var/lib/monit/events # set the base directory where events will be stored
      slots 100                     # optionally limit the queue size

#Mail settings
# set mail-format {
#     from: monit@$HOST
#  subject: monit alert --  $EVENT $SERVICE
#  message: $EVENT Service $SERVICE
#                Date:        $DATE
#                Action:      $ACTION
#                Host:        $HOST
#                Description: $DESCRIPTION
#
#           Your faithful employee,
#           Monit } 
#  set mailserver smtp.gmail.com port 587 
#     username "htpc" password "guides"
#  using TLSV1 with timeout 30 seconds
#  set alert htpcguides@gmail.com #email address which will receive monit alerts

#http settings
 set httpd port 2812 address 0.0.0.0  # allow port 2812 connections on all network adapters
    ssl enable
    pemfile  /var/certs/monit.pem
    allow 0.0.0.0/0.0.0.0 # allow all IPs, can use local subnet too
#    allow htpcguides.crabdance.com        # allow dynamicdns address to connect
    allow htpc:"guides"      # require user htpc with password guides

#allow modular structure
    include /etc/monit/conf.d/*

Ctrl+X, Y and Enter to save

Modify the permissions of the new Monit configuration to avoid this error:

The control file '/etc/monit/monitrc' must have permissions no more than -rwx------ (0700); right now permissions are -rw-r--r-- (0644).

Fix the permissions

sudo chmod 0700 /etc/monit/monitrc

Test that the Monit syntax is correct for the configuration file

sudo monit -t

You should see the OK below. If you don't, it's OK; it probably means you are on Debian Jessie or Ubuntu 15.x and later.

Control file syntax OK

Then restart Monit

sudo service monit restart

Now open a browser and go to your local IP with https, not http: https://ip.address:2812 and enter your login credentials (in the example htpc with password guides) to make sure the base install of Monit is working.
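The settings changed in this guide can be checked in one pass before port 2812 is exposed beyond the local network. The script below is an added example, not part of the original guide or of Monit: the function names (sample_monitrc, perm_check, audit_monitrc) and the finding labels are hypothetical, and the sample input is constructed from the http section of the configuration above.

```shell
#!/bin/sh
# Added example: audit a Monit control file for the settings this guide changes.
# Function names and finding labels are hypothetical, not part of Monit.

# Constructed sample: the http section of the guide's monitrc, unmodified.
sample_monitrc() {
    cat <<'EOF'
set httpd port 2812 address 0.0.0.0
    ssl enable
    pemfile  /var/certs/monit.pem
    allow 0.0.0.0/0.0.0.0 # allow all IPs
#    allow htpcguides.crabdance.com
    allow htpc:"guides"
EOF
}

# Print "ok" when group and other have no permission bits on $1, else "loose".
perm_check() {
    bits=$(ls -ld "$1" | cut -c5-10)
    if [ "$bits" = "------" ]; then echo ok; else echo loose; fi
}

# Print one finding per line for control file $1; commented lines are ignored.
# Limitation: a '#' inside a quoted password is also treated as a comment.
audit_monitrc() {
    rc=$1
    active=$(sed -e 's/#.*//' "$rc")
    echo "$active" | grep -Eq '^[[:space:]]*ssl[[:space:]]+enable' \
        || echo "NO_TLS: httpd section has no 'ssl enable'"
    echo "$active" | grep -Eq '^[[:space:]]*allow[[:space:]]+0\.0\.0\.0/0(\.0\.0\.0)?[[:space:]]*$' \
        && echo "OPEN_ALLOW: every IP address may reach the web interface"
    echo "$active" | grep -Eq '^[[:space:]]*allow[[:space:]]+htpc:"?guides"?' \
        && echo "DEFAULT_CREDS: the tutorial login htpc/guides is still set"
    [ "$(perm_check "$rc")" = ok ] || echo "PERMS: $rc is accessible to group/other"
    pem=$(echo "$active" | awk '$1 == "pemfile" { print $2; exit }')
    if [ -n "$pem" ] && [ -e "$pem" ]; then
        [ "$(perm_check "$pem")" = ok ] || echo "PERMS: $pem is accessible to group/other"
    fi
    return 0
}

# Audit the file given as $1; with no file argument, audit the constructed sample.
if [ -f "${1:-}" ]; then
    audit_monitrc "$1"
else
    tmp=$(mktemp) && sample_monitrc > "$tmp" && audit_monitrc "$tmp"
    rm -f "$tmp"
fi
```

Run it with sudo against /etc/monit/monitrc, because after the chmod steps above only root can read the control file and the PEM file.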

New Monit guides will be posted for monitoring different services.

For those of you using reverse proxies, it is easy to add Monit to nginx or Apache.