Extmon

Purpose

Extmon is used as an external Icinga2 agent that monitors the availability of CAcert service from the Internet. The system is sponsored by Jan Dittberner and is running on a Hetzner cloud instance in Germany.

Application Links

Service checks executed by extmon

Administration

System Administration

• Primary: Jan Dittberner

• Secondary: None

Application Administration

Application	Administrator(s)
Icinga 2 agent	Jan Dittberner

Contact

• extmon-admin@cacert.org

Additional People

No other people have sudo access on that machine.

Basics

Physical Location

This system is a virtual KVM machine hosted on a Hetzner cloud server in Nürnberg, Germany.

Physical Configuration

• 1 VCPU

• 2 GB RAM

• 20 GB local disc

Logical Location

IP Internet:

116.203.192.12

IPv6:

2a01:4f8:c2c:a5b9::1

MAC address:

96:00:00:2c:89:82 (eth0)

See also

See Network

Monitoring

internal checks:

Monitoring checks for extmon.infra.cacert.org

DNS

The system has no DNS entries.

Operating System

• Debian GNU/Linux 11 Bullseye

Services

Listening services

Port	Service	Origin	Purpose
22/tcp	ssh	ANY	admin console access
25/tcp	smtp	local	mail delivery to local MTA
68/udp	dhcp	hetzner	dynamic network configuration
5665/tcp	icinga2	monitor	remote monitoring service

Running services

Service	Usage	Start mechanism
cron	job scheduler	systemd unit cron.service
dbus-daemon	System message bus daemon	systemd unit dbus.service
Exim	SMTP server for local mail submission	systemd unit exim4.service
icinga2	Icinga2 monitoring agent	systemd unit icinga2.service
openssh server	ssh daemon for remote administration	systemd unit ssh.service
Puppet agent	configuration management agent	systemd unit puppet.service
rsyslog	syslog daemon	systemd unit rsyslog.service

Databases

• None

Connected Systems

• Monitor

Outbound network connections

• DNS (53) Hetzner cloud nameservers

• Puppet (tcp/8140) as Puppet master

• checked CAcert systems on publicly opened ports

Security

SSH host keys

Algorithm	Fingerprints
RSA	SHA256:pRCCUOzQbNf2MSDyq3mt/zCYrf9Cowo0tUp+cLcP5ZU, MD5:89:07:d2:68:02:37:73:86:a3:f0:53:46:e9:93:3c:b5
DSA	SHA256:qQmdmDcCrj9CgGK/LsT0zz8d90wCmn0HlSmt9WRqIF8, MD5:8c:f0:fa:e2:18:98:22:fb:ae:ed:c3:84:78:0e:70:5f
ECDSA	SHA256:+5X1KhHfqCSfVzNhT6xXpKYwsS/bZvI5rOM7hPogcWo, MD5:f3:65:d0:12:a6:e9:cc:91:f4:55:32:c0:ca:75:59:17
ED25519	SHA256:lxUPfNgUMZ/JrZHVG9Qc33x7vqyKGgmIJ54rgx+dZow, MD5:39:b7:17:91:05:2d:1c:ad:4b:5a:5e:e0:e6:01:2c:a5

See also

SSH host key list

Dedicated user roles

• None

Non-distribution packages and modifications

The Puppet agent package and a few dependencies are installed from the official Puppet APT repository because the versions in Debian are too old to use modern Puppet features.

Risk assessments on critical packages

The system provides no public services besides an Icinga2 agent that executes commands sent from Monitor.

Critical Configuration items

The system configuration is managed via Puppet profiles. There should be no configuration items outside of the CAcert Git repository cacert-puppet.

Keys and X.509 certificates

• None

Tasks

Add a service to be checked by extmon

Service monitoring is configured in the CAcert Git repository cacert-icinga2-conf_d.

All checks for services on hosts with the following block will be executed by extmon:

vars.external = true

Changes

Planned

• None

System Future

• No plans

Additional documentation

• None

References

• https://icinga.com/docs/icinga2/latest/