We’re big into monitoring for servers, networks, services and reporting, and we use Pingdom for a number of uptime and response monitoring services.
Pingdom have a number of servers around the world which perform their monitoring. As we like to be as secure as possible, we usually implement a firewall on our Linux servers, and this means that the firewall rules must be updated when Pingdom (or any other service) brings a new monitoring server online.
We don’t like doing things manually, so we implemented a set of simple scripts to backup, generate and automatically update our firewall rules based on Pingdom’s RSS feed of their monitoring servers. Hopefully these will help you, too.
We have a script which runs daily under cron, called update_pingdom_servers.sh:
#!/bin/bash
# Update the Pingdom firewall rules based on their probe server feed.

# Fetch the current probe server list quietly to /root.
/usr/bin/wget https://www.pingdom.com/rss/probe_servers.xml -O /root/probe_servers.xml -o /dev/null

# Pull the "IP: a.b.c.d; Host..." fields out of the feed, one address per line.
/bin/cat /root/probe_servers.xml | grep IP | sed -e 's/.*IP: //g' | sed -e 's/; Host.*//g' | grep -v IP > /root/pingdom_ips

# Regenerate the rule script. Each address gets a delete followed by an append,
# so re-running the script does not accumulate duplicate rules.
/bin/rm -f /root/pingdom_smtp_rules.sh
for ip in `cat /root/pingdom_ips`
do
  /bin/echo "iptables -D ufw-user-input -s $ip -p tcp --dport 25 -j ACCEPT" >> /root/pingdom_smtp_rules.sh
  /bin/echo "iptables -A ufw-user-input -s $ip -p tcp --dport 25 -j ACCEPT" >> /root/pingdom_smtp_rules.sh
done

# Back up the live rule set before changing it, and keep 7 days of backups.
TODAY=`date +%a%d%b%Y`
iptables-save > /root/firewall.rules.$TODAY
find /root -type f -mtime +7 -name firewall.rules.\* -print | xargs rm -f

# Apply the generated rules.
sh /root/pingdom_smtp_rules.sh
As you can see from the last line, we then execute pingdom_smtp_rules.sh, which is generated from pingdom_ips and holds the list of iptables commands that update the firewall in the ufw-user-input chain. If there is ever a problem, we keep 7 days of firewall rule backups in /root so that a previous version of the rules can easily be restored.
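Because the feed content ends up inside iptables commands run as root, it is worth checking that each extracted field really is an IPv4 address before it becomes a rule. The following is an added example, not the original script: it works on a constructed feed snippet in place of the download, keeps the original's chain, port and delete-then-append pairing, and only prints the rules rather than executing them.

```bash
#!/bin/bash
# Added example (not the original script): extract "IP: a.b.c.d; Host..."
# fields, keep only well-formed IPv4 addresses, and emit the iptables
# commands for the ufw-user-input chain without running them.

# Constructed sample feed content modelled on the format the original
# script greps for; not a real download. Two entries are deliberately malformed.
SAMPLE_FEED='<description>Location: One; IP: 192.0.2.10; Hostname: probe1.example</description>
<description>Location: Two; IP: 198.51.100.25; Hostname: probe2.example</description>
<description>Location: Bad; IP: 999.1.1.1; Hostname: bad.example</description>
<description>Location: Odd; IP: 192.0.2.11 extra text; Hostname: odd.example</description>
<title>Pingdom IPv6 rollout</title>'

# Print the IP field of every line that carries one, one address per line.
extract_ips() {
    printf '%s\n' "$1" | grep 'IP: ' | sed -e 's/.*IP: //' -e 's/; Host.*//'
}

# Succeed only for a dotted quad of exactly four octets in the range 0-255.
is_ipv4() {
    case $1 in
        *[!0-9.]*|.*|*.|*..*|'') return 1 ;;
    esac
    local IFS=. octet count=0
    for octet in $1; do
        [ "$octet" -le 255 ] || return 1
        count=$((count + 1))
    done
    [ "$count" -eq 4 ]
}

# Read addresses on stdin; emit a delete/append pair for each valid one and
# report anything else on stderr instead of turning it into a rule.
generate_rules() {
    local ip
    while read -r ip; do
        if is_ipv4 "$ip"; then
            echo "iptables -D ufw-user-input -s $ip -p tcp --dport 25 -j ACCEPT"
            echo "iptables -A ufw-user-input -s $ip -p tcp --dport 25 -j ACCEPT"
        else
            echo "skipping malformed address from feed: $ip" >&2
        fi
    done
}

# Show the rules the constructed feed would produce (skips go to stderr).
extract_ips "$SAMPLE_FEED" | generate_rules
```

Piping the output into sh, as the original does with pingdom_smtp_rules.sh, would apply the rules; here they are only printed so the filtering can be inspected.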