So TL;DR HAProxy has a built-in prometheus-exporter now: https://github.com/haproxy/haproxy/tree/master/contrib/prometheus-exporter I’ve been maintaining a Kubernetes cluster at home for dev work, and one of the more recent things I did was spool up some monitoring, i.e. Grafana and Prometheus. By the way, the prometheus-operator ( https://github.com/coreos/prometheus-operator ) from the former CoreOS folks works perfectly for this. So, I’ve been slowly going through different cluster components and adding scrapers and exporters. And one of the recent targets has been my cluster control plane load balancer and VIP (haproxy+keepalived), so I’ve been looking into exporters.
Disclaimer: this is not a complete list, and should only be used as a starting point to sanity check new Virtual Server deployments.
- Change your default SSH port
- Disable root SSH
- Disable SSH password auth
- Enable IPTables/nftables
- Configure IPTables
- Enable two-factor auth in PAM
- Properly set up sudo
- Set up yubikey and/or google-authenticator
- Disable TLSv1, SSLv2, and SSLv3 on all of your services
- Enforce decent crypto algorithms
- Enable auditd
- Enable and configure SELinux
- Configure services to run on private addresses, (127.
I’ve been hosting my own DNS for a while now. Going on.. hmmm… let’s see, I started that job in 2011 and I had been hosting from home… probably 9 years. And I have a confession: I made a rookie mistake. My name servers didn’t match my registrar’s glue records. Essentially, glue records are the NS records your registrar provides to find your name servers. My bad… seems that some of my secondary domains have been missing email for a while now.