Graphing your PowerDNS services with Metronome, part 2

In a previous post, I’ve discussed Metronome, a lightweight graphing framework for PowerDNS services (authoritative server, recursor, dnsdist).

In this post, I’ll be documenting how to secure this setup, because in the default configuration there is no TLS encryption, the statistics pages are readable by anyone, and anyone can send data to your daemon. I will assume everything has been installed as per the previous post and has been verified to work correctly.

This post will help you add TLS transport encryption, set a password so only authorized users can actually access the statistics web pages, and make sure only your desired DNS servers are able to send statistics to your Metronome instance.

TLS

For this first step you’ll need a valid certificate for your webserver; you can get one from Let’s Encrypt. I’ve touched upon it before in this blog, but actually getting the certificate is out of scope for this article.

Start by changing your /opt/metronome/html/local.js file and point it to the HTTPS version of your website (the same name you use as ServerName in the Apache configuration below), tacking on the /metronome path at the end:

"use strict";
var metronomeServer="https://metronome.example.com/metronome/";

Then, we reconfigure the Apache virtual host configuration in /etc/apache2/sites-available/metronome.example.com:

<VirtualHost *:80>
  ServerName metronome.example.com
  Redirect / https://metronome.example.com/

  ErrorLog /var/log/apache2/metronome-error.log
  CustomLog /var/log/apache2/metronome-access.log combined

  LogLevel alert
  ServerSignature Off
</VirtualHost>

<VirtualHost *:443>
  ServerName metronome.example.com

  SSLEngine On
  SSLCertificateFile /etc/letsencrypt/live/*.example.com/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/*.example.com/privkey.pem

  DocumentRoot /opt/metronome/html

  <Directory /opt/metronome/html>
    Require all granted
  </Directory>

  ProxyPass /metronome/ http://127.0.0.1:8000/

  ErrorLog /var/log/apache2/metronome-error.log
  CustomLog /var/log/apache2/metronome-access.log combined

  LogLevel alert
  ServerSignature Off
</VirtualHost>

With this configuration Apache also proxies the data served by the Metronome daemon’s built-in web server (the /metronome/ path), so the statistics are delivered over the same TLS connection as the HTML and JavaScript.

Next, we’ll enable the required Apache modules, and reload Apache to use the new configuration:

a2enmod proxy_http
a2enmod ssl
systemctl reload apache2

Securing the Metronome web server port

Currently, Metronome’s built-in web server listens on port 8000 on all interfaces. If you leave this open, anyone who can reach the host can talk to port 8000 directly and bypass Apache’s TLS and, once we add it, its authentication.

To resolve this, edit /etc/systemd/system/metronome.service and replace its contents with the following (the only change is the added --webserver-address=127.0.0.1 option on the ExecStart line, which binds the web server to loopback only):

[Unit]
Description=PowerDNS Metronome
After=network.target

[Service]
User=metronome
ExecStart=/opt/metronome/bin/metronome --daemon=0 --stats-directory=/opt/metronome/stats --disable-syslog --webserver-address=127.0.0.1

[Install]
WantedBy=multi-user.target

Then, to apply, restart Metronome:

systemctl restart metronome

Now, the web server (serving the statistics themselves) can only be accessed through Apache.
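To confirm the new binding, here is a small check over the output of ss -ltn. It is an added example, not code from the original post or from the Metronome project; the listing embedded in it is constructed for illustration, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the original post): flag any listener on a given
# port that is bound to a wildcard address instead of loopback.
# Run after "systemctl restart metronome" as:  ss -ltn | check_loopback_only 8000

# $1 = port, stdin = output of `ss -ltn`. Prints every offending socket and
# returns 1 if one was found, 0 when the port is loopback-only (or absent).
check_loopback_only() {
    port="$1"
    awk -v port="$port" '
        $1 == "LISTEN" {
            # Local address is column 4, e.g. 127.0.0.1:8000, *:8000, [::]:8000
            n = split($4, a, ":")
            p = a[n]
            if (p != port) next
            addr = substr($4, 1, length($4) - length(p) - 1)
            if (addr == "127.0.0.1" || addr == "[::1]" || addr == "::1") next
            print "listener on " $4 " is reachable from other hosts"
            bad = 1
        }
        END { exit bad ? 1 : 0 }
    '
}

# Constructed sample listings (not real captures): before and after adding
# --webserver-address=127.0.0.1 to the Metronome unit file.
SAMPLE_BEFORE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:8000      0.0.0.0:*
LISTEN 0      128    0.0.0.0:2003      0.0.0.0:*
LISTEN 0      511    *:443             *:*'

SAMPLE_AFTER='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:8000    0.0.0.0:*
LISTEN 0      128    0.0.0.0:2003      0.0.0.0:*
LISTEN 0      511    *:443             *:*'

# Only query the live system when asked; otherwise the script just defines
# the function so it can be sourced or tested.
if [ "${1:-}" = "--live" ]; then
    ss -ltn | check_loopback_only 8000
fi
```

Port 2003 (the Carbon receiver) still shows a wildcard bind in the sample after the change; that one is dealt with by the firewall rules later in this post, not by the web server option.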

Adding authentication to the Metronome server

Encrypting the data transfer to your Metronome server is only half of the job; you probably still want to add some authentication so that not just anyone can access your Metronome instance.

Create a password file using the following command (it will prompt for the password):

htpasswd -c /etc/apache2/metronome.htpasswd yourusername

This will create a new password file. If you want to add extra users, use the same command but remove the -c parameter. Otherwise you’ll just recreate the file with a single user inside!

Adjust the Apache virtual host configuration in /etc/apache2/sites-available/metronome.example.com again. Note that a <Directory> section only covers files served from disk; the proxied /metronome/ path is not a filesystem path, so putting the authentication there would leave the statistics data itself reachable without a password. The requirement therefore goes in a <Location /> section, which applies to every URL of the virtual host, proxied ones included:

<VirtualHost *:80>
  ServerName metronome.example.com
  Redirect / https://metronome.example.com/

  ErrorLog /var/log/apache2/metronome-error.log
  CustomLog /var/log/apache2/metronome-access.log combined

  LogLevel alert
  ServerSignature Off
</VirtualHost>

<VirtualHost *:443>
  ServerName metronome.example.com

  SSLEngine On
  SSLCertificateFile /etc/letsencrypt/live/*.example.com/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/*.example.com/privkey.pem

  DocumentRoot /opt/metronome/html

  <Directory /opt/metronome/html>
    Require all granted
  </Directory>

  <Location />
    AuthType Basic
    AuthName "Metronome"
    AuthUserFile /etc/apache2/metronome.htpasswd
    Require valid-user
  </Location>

  ProxyPass /metronome/ http://127.0.0.1:8000/

  ErrorLog /var/log/apache2/metronome-error.log
  CustomLog /var/log/apache2/metronome-access.log combined

  LogLevel alert
  ServerSignature Off
</VirtualHost>

Apply the configuration by reloading the Apache configuration:

systemctl reload apache2

Now, your browser will prompt you for your username and password, after which Metronome will continue to work as usual. You can confirm that the proxied data is covered too: a request for https://metronome.example.com/metronome/ without credentials should now be answered with 401 Unauthorized.

Firewalling the Carbon port

The last hurdle is Metronome’s Carbon port (TCP 2003), on which it receives the data from the remote systems. This should normally not be open to the whole world. You can configure the iptables firewall on the Metronome host to close this port to everyone but your DNS servers. I myself use Puppet to configure these rules, but this is how you do it standalone (the REJECT goes in first; each ACCEPT is then inserted above it with -I, so the allowed hosts are matched before the reject):

iptables -I INPUT -p tcp --dport 2003 -j REJECT
iptables -I INPUT -p tcp --dport 2003 -s 192.168.53.3 -j ACCEPT
iptables -I INPUT -p tcp --dport 2003 -s 192.168.53.4 -j ACCEPT
iptables-save
ip6tables -I INPUT -p tcp --dport 2003 -j REJECT
ip6tables-save

Alternatively, you could just open up the port to a specific IP range:

iptables -I INPUT -p tcp --dport 2003 -j REJECT
iptables -I INPUT -p tcp --dport 2003 -s 192.168.53.0/24 -j ACCEPT
iptables-save
ip6tables -I INPUT -p tcp --dport 2003 -j REJECT
ip6tables-save

Note that I’ve closed off IPv6 as well as IPv4, as the Metronome daemon will listen on both address families; you can of course also add ACCEPT lines for hosts that send statistics over IPv6. Also note that iptables-save on its own only prints the current ruleset to standard output: to have the rules survive a reboot, redirect that output to the file your distribution restores at boot (/etc/iptables/rules.v4 and /etc/iptables/rules.v6 when using the iptables-persistent package on Debian and Ubuntu), or manage the rules with a configuration tool such as Puppet as mentioned above.
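As an added example (not code from the original post or from the Metronome project), here is the same restriction written as a small script that takes a mixed list of IPv4 and IPv6 senders, refuses anything that is not an address or prefix, and emits the rules for both families so the port stays closed even when no IPv6 sender is listed. The addresses in it are constructed, and the /etc/iptables/rules.v4 and rules.v6 paths assume the iptables-persistent package; adjust them for other distributions.

```shell
#!/bin/sh
# Added example (not from the original post): generate and optionally apply
# the iptables/ip6tables rules that limit Metronome's Carbon port to an
# allow-list of DNS servers.
#   carbon.sh 192.168.53.3 2001:db8::53          # print the rules
#   carbon.sh --apply 192.168.53.3 2001:db8::53  # apply and persist (root)

CARBON_PORT=2003

# Pick the tool for one source: anything containing ':' is IPv6.
rule_tool() {
    case "$1" in
        *:*) echo ip6tables ;;
        *)   echo iptables ;;
    esac
}

# Accept only address/prefix characters, so a stray argument can never end
# up being executed as a shell command when the rules are applied.
valid_source() {
    case "$1" in
        ''|*[!0-9a-fA-F.:/]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the commands for an allow-list (single addresses or CIDR prefixes of
# either family). REJECT lines come first; every ACCEPT is then inserted
# above them with -I, so the order is correct whichever way the list is given.
carbon_ruleset() {
    for src in "$@"; do
        valid_source "$src" || { echo "invalid source: $src" >&2; return 1; }
    done
    printf '%s\n' "iptables -I INPUT -p tcp --dport $CARBON_PORT -j REJECT"
    printf '%s\n' "ip6tables -I INPUT -p tcp --dport $CARBON_PORT -j REJECT"
    for src in "$@"; do
        printf '%s\n' "$(rule_tool "$src") -I INPUT -p tcp --dport $CARBON_PORT -s $src -j ACCEPT"
    done
}

# Apply and persist only when explicitly asked (needs root). The rules.v4 /
# rules.v6 files are the ones iptables-persistent restores at boot (assumed).
if [ "${1:-}" = "--apply" ]; then
    shift
    carbon_ruleset "$@" | sh -e
    iptables-save > /etc/iptables/rules.v4
    ip6tables-save > /etc/iptables/rules.v6
elif [ $# -gt 0 ]; then
    carbon_ruleset "$@"
fi
```

Running it without --apply only prints the rules, which is a convenient way to review them (or feed them to Puppet) before touching the live firewall.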

Finally

That’s it! Your Metronome instance is up and running, restarts upon system reboot, collects data, and access is protected by TLS and authentication. When you add a new server, don’t forget to add an ACCEPT line for it to the firewall configuration; it’ll then automagically appear in the dropdown on the Metronome web interface (you’ll have to refresh the page if you already had it open) and start showing graphs.

Please don’t hesitate to comment below in case of issues, errors or tips to improve!

Writing informative technical how-to documentation takes time, dedication and knowledge. Should my blog series have helped you in getting things working the way you want them to, or configure certain software step by step, feel free to tip me via PayPal (paypal@powersource.cx) or the Flattr button. Thanks!