Avoid False Positives with Pingdom

pingdom_thumb

It’s been over half a year since my last post and I still remember my promise about adding a technical entry. What I want to write about today is how to avoid (or at least limit) false positives generated by the awesome uptime checker Pingdom.

For this example, I will be using arguably the most popular firewall used for standard cPanel web servers: ConfigServer Security and Firewall (available at http://configserver.com/cp/csf.html), commonly referred to as CSF.

In summary, here is the problem:

  • Pingdom’s IP Addresses must be added to your firewall rules in order to avoid them from becoming blocked, otherwise this leads to false positives.
  • Pingdom will occasionally add new IP Addresses / check locations and these must then be integrated with the firewall rules as quickly as possible.
  • The use of a firewall allow list which is maintained by hand is far too labour intensive when multiple server configurations must be updated.

The solution? A search online reveals that Pingdom provides a realtime list of checker IP Addresses as an RSS feed: https://my.pingdom.com/probes/feed So far so good.

Further searching revealed a method involving the use of CSF’s “GLOBAL_ALLOW” setting which is then used in conjunction with this RSS feed. CSF can add the IP Addresses to its allow list but this is not ideal in my opinion because a file will need to be hosted either from the local server’s htdocs or a remote web server which can be used as a source for all servers to gather the IP Addresses. This latter implementation poses security concerns because that central server will have influence over the firewall rules of all other servers which collect the Pingdom IP Address list from it.

A simple one liner below can be used as a cronjob instead presents a far more elegant solution:

/usr/bin/wget --quiet -O- https://my.pingdom.com/probes/feed | grep "pingdom:ip" | sed -e 's|</.*||' -e 's|.*>||' | xargs -n 1 /usr/sbin/csf -a

It would also be a good idea to list pingdom.com in /var/cpanel/commondomains in order to prevent a user from creating it as a domain name and then using it as a mechanism for manipulating the server’s firewall rules.

3 comments

  1. Chris says:

    Hi,

    Thanks for sharing, but the following command doesn’t work…

    /usr/bin/wget –quiet -O- https://my.pingdom.com/probes/feed | grep “pingdom:ip” | sed -e ‘s|||’ | xargs -n 1 /usr/sbin/csf -a

    Gives…

    ###########################
    add failed: [] is not a valid IP/CIDR
    ###########################

  2. admin says:

    It’s no problem, it really helps against false positives.

    A quick glanceover shows that your command does not match the one which I gave exactly. What you could also try is disabling SSL verification as follows:

    /usr/bin/wget --no-check-certificate --quiet -O- https://my.pingdom.com/probes/feed | grep "pingdom:ip" | sed -e 's|||' | xargs -n 1 /usr/sbin/csf -a

Leave a Reply

Your email address will not be published.

*