#!/bin/sh
# Instructions on how to use this script:
# chmod +x SCRIPTNAME.sh
# sudo ./SCRIPTNAME.sh
#
# SCRIPT: monit-install.sh
# AUTHOR: ALBERT VALBUENA
# DATE: 22-12-2021
# SET FOR: Production
# (For Alpha, Beta, Dev, Test and Production)
#
# PLATFORM: FreeBSD 12/13
#
# PURPOSE: This script installs the monit monitoring software on a FreeBSD system and enables monitoring of Apache HTTP, MariaDB, PHP-FPM, Redis and Fail2ban.
#
# REV LIST:
# DATE: 22-12-2021
# BY: ALBERT VALBUENA
# MODIFICATION: 22-12-2021
#
#
# set -n # Uncomment to check your syntax, without execution.
# # NOTE: Do not forget to put the comment back in or
# # the shell script will not execute!
##########################################################
################ BEGINNING OF MAIN #######################
##########################################################
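# Change the default pkg repository from quarterly to latest.
# FreeBSD sed takes the word that follows -i as the backup suffix, so the
# empty suffix ('') is passed explicitly: the file is edited in place and no
# stray copy (FreeBSD.confp with the former '-ip' spelling) is left behind.
sed -i '' -e 's/quarterly/latest/g' /etc/pkg/FreeBSD.conf
# Update packages (it will first download the pkg repo from latest),
# secondly it will upgrade any installed packages.
# NOTE(review): this upgrades every installed package to the "latest" branch,
# not only monit -- schedule it like any other full upgrade of the host.
pkg upgrade -y
# Install monit
pkg install -y monit
# Get the service declared in /etc/rc.conf so it can be started at boot time
sysrc monit_enable="YES"
# Copy the sample configuration file into the main directory.
# This replaces any monitrc that is already there.
cp /usr/local/etc/monitrc.sample /usr/local/etc/monitrc
# Keep the control file private to root regardless of the mode the sample was
# shipped with: it normally carries the web-interface credentials, and monit
# is strict about the permissions of this file.
chmod 600 /usr/local/etc/monitrc
# Configure monit processes: uncomment the pidfile, idfile and statefile
# settings of the sample configuration.
sed -i '' \
  -e '/\/var\/run\/monit.pid/s/# set/set/' \
  -e '/\/var\/.monit.id/s/# set/set/' \
  -e '/\/var\/.monit.state/s/# set/set/' \
  /usr/local/etc/monitrc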
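# Configure TLS
# -p keeps a second run of the script from failing on the existing directory.
mkdir -p /usr/local/etc/monit.d
pkg install -y pwgen

# Everything created between here and the umask restore is secret material
# (password file, private key, combined PEM). A restrictive umask makes those
# files owner-only from the moment they are created, instead of relying on a
# chmod that runs after the content is already on disk.
saved_umask=$(umask)
umask 077

# Generate the password, export it for later commands and keep a copy for the
# administrator. printf with a quoted expansion writes the value verbatim.
MONIT_PWD=$(pwgen 32 --secure --numerals --capitalize) \
  && export MONIT_PWD \
  && printf '%s\n' "$MONIT_PWD" >> /root/monit_pwd.txt
chmod 400 /root/monit_pwd.txt
# NOTE(review): nothing in this script writes MONIT_PWD into monitrc, so the
# web interface keeps whatever "allow" credentials the sample configuration
# ships with until they are replaced by hand -- confirm and set them.

# Global TLS options appended to the main configuration.
# NOTE(review): "selfsigned : allow" relaxes the checking that
# "verify : enable" switches on; remove it once every monitored endpoint
# presents a CA-issued certificate.
cat >> /usr/local/etc/monitrc <<'EOF'

set ssl {
verify : enable, # verify SSL certificates (disabled by default but STRONGLY RECOMMENDED)
selfsigned : allow # allow self signed SSL certificates (reject by default)
}
EOF

# Enable the "with ssl" stanza of the sample file and point it at our PEM.
# The replacement carries the closing brace because the sample's own closing
# line is not uncommented here. '' is the (empty) backup suffix FreeBSD sed
# expects after -i.
sed -i '' -e '/enable SSL\/TLS and set path/s/#with/with/' /usr/local/etc/monitrc
sed -i '' -e '/pemfile/s/# pemfile: \/etc\/ssl\/certs\/monit.pem/pemfile: \/usr\/local\/etc\/monit.d\/server.pem }/' /usr/local/etc/monitrc

# Self-signed certificate for the monit web interface.
#  -nodes   : the private key is stored unencrypted, so file mode is its only
#             protection.
#  -days 365: the certificate expires after one year and must be re-issued.
# The subject fields are placeholders; replace them with real values.
# NOTE(review): the last subject component appears redacted in this copy of
# the script; supply a valid emailAddress= attribute before use.
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -keyout /usr/local/etc/monit.d/server.key \
  -out /usr/local/etc/monit.d/server.crt \
  -subj "/C=ES/ST=StateName/L=CityName/O=OrganizationName/CN=example.com/[email protected]"

# monit reads certificate and key from one combined file.
cat /usr/local/etc/monit.d/server.crt /usr/local/etc/monit.d/server.key > /usr/local/etc/monit.d/server.pem
# Read-only for root; the standalone key stays on disk, so lock it down too.
chmod 400 /usr/local/etc/monit.d/server.pem /usr/local/etc/monit.d/server.key

umask "$saved_umask"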
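# Configure email for alerts: uncomment the "set alert" line of the sample
# configuration (the one annotated "receive all alerts").
# FreeBSD sed takes the word after -i as the backup suffix; '' edits in place
# without leaving a monitrc-e copy of the control file next to the original.
# NOTE(review): the address appears redacted in this copy of the script; put
# the real recipient in both halves of the substitution before running it.
sed -i '' -e '/receive all alerts/s/# set alert [email protected]/set alert [email protected]/' /usr/local/etc/monitrc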
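# Configure services monitoring

#######################################
# Write one process check into /usr/local/etc/monit.d and include it from
# the main configuration.
# The fragment is overwritten (not appended to), so running the installer
# again does not leave a second "check process" stanza for the same service
# in the fragment file.
# Arguments:
#   $1 - fragment suffix (file becomes /usr/local/etc/monit.d/monit.$1)
#   $2 - service name used in "check process"
#   $3 - pidfile of the monitored daemon
#   $4 - rc.d script name used for start/stop
#   $5 - total memory alert threshold in MB (e.g. 300.0)
#   $6 - child process alert threshold
# Outputs: writes the fragment and appends an include line to monitrc
#######################################
add_service_check() {
  cat > "/usr/local/etc/monit.d/monit.$1" <<EOF

check process $2 with pidfile $3
start program = "/usr/local/etc/rc.d/$4 start" with timeout 60 seconds
stop program = "/usr/local/etc/rc.d/$4 stop"
if cpu > 60% for 2 cycles then alert
if cpu > 80% for 5 cycles then restart
if totalmem > $5 MB for 5 cycles then alert
if children > $6 then alert
if disk read > 500 kb/s for 10 cycles then alert
if disk write > 500 kb/s for 10 cycles then alert
if 3 restarts within 5 cycles then unmonitor
group server

EOF
  printf '\ninclude %s\n\n' "/usr/local/etc/monit.d/monit.$1" >> /usr/local/etc/monitrc
}

# Monitor Apache HTTP
add_service_check httpd apache /var/run/httpd.pid apache24 700.0 500
# Monitor MySQL/MariaDB
add_service_check mysqld mysqld /var/run/mysql/mysqld.pid mysql-server 300.0 150
# Monitor PHP-FPM
add_service_check php-fpm php-fpm /var/run/php-fpm.pid php-fpm 450.0 175
# Monitor Redis
add_service_check redis redis /var/run/redis/redis.pid redis 300.0 150
# Monitor Fail2ban
# NOTE(review): the shared "3 restarts within 5 cycles then unmonitor" rule
# also applies here, so a crash-looping fail2ban ends up unwatched; check that
# the resulting alert reaches someone who will re-enable it.
add_service_check fail2ban fail2ban /var/run/fail2ban/fail2ban.pid fail2ban 70.0 35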
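# Validate the assembled configuration and start the daemon only if it parses.
# The exit status of "monit -t" is the test; the former "= OK" words were
# handed to monit as extra arguments rather than being compared with anything.
if monit -t
then
  service monit start
else
  # Diagnostics go to stderr so they are not lost when stdout is redirected.
  echo 'The monit configuration in /usr/local/etc/monitrc is wrong.' >&2
fi
# Display the location of the generated monit password
echo "Your MONIT_PASSWORD has been written on this file /root/monit_pwd.txt"
# Final install message
echo '
Monit has just been installed in your system.
Configure the services and your options at will.
Read more in the main configuration file located in: /usr/local/etc/monitrc.'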