Monitoring Website Defacement with Nagios XI 2014

There’s a new wizard in town and I don’t mean Gandalf the White!  The Website Defacement Wizard is a new wizard available in the latest release of Nagios XI 2014.

One of the worst things a company can suffer PR-wise is website defacement. At best, it will require restoring the page, and at worst it can be a nightmare of log review, security patches, and damage control. Time is of the essence in such a situation, so being alerted as soon as possible is of utmost importance. That’s where the Website Defacement Wizard comes in handy.

The Website Defacement Wizard allows you to monitor a web page for certain keywords, either alerting if they are present in the case of offensive or spam-related words, or alerting if they are missing, which may indicate a whole-page defacement. We provide a few pre-defined lists of words you may wish to look for, sorted into categories such as Profanity and Gambling. You can also add your own words or phrases, or remove certain words if they might be expected on the page (such as “unisex” on a page discussing clothing). If you would rather check to ensure the existence of a word or phrase, the process is similar and will be described in this article.

So without further delay, let’s walk through setting up a check:

In the Nagios XI interface, go to the Configure tab and click Run the Monitoring Wizard. Scroll all the way down the page and click Website Defacement.

Website Defacement Wizard - Nagios XI

On this first page, you will enter the URL you would like to monitor. Be sure to specify the exact web page otherwise the default page will be used. Click Next.

The first few options on this page can probably be left as-is. The hostname can be configured as with most other wizards, and the Service Name Prefix will be prepended to all services created by the wizard as a means of identification. You can configure whether or not to use SSL and what port to use, as well as credentials if they are required.

The real meat of this page is the Defacement Monitoring Services section. There are two primary methods, and I will go over each in turn.

The first is the Defacement Content Locator and is useful for keeping an eye on pages with user-submitted content such as forums, guestbooks, and comment sections. You have three options here:

  1. Manually enter in your own list of words/phrases, one on each line
  2. Upload a text file containing a list of words/phrases, also one on each line
  3. Check the appropriate boxes for our pre-defined lists

Editing the keywords in the Nagios XI Website Defacement Wizard

You can mix and match each of the options, however in our example we simply used the Marketing wordlist.

The second is the Web Page Regular Expression Match. You might use this to detect a traditional defacement by watching a page to ensure that a word is found. In our example, we are simply looking for the word Nagios, since it should definitely appear on the page if it has not been defaced. You can also use regular expressions to specify a pattern to look for, and you can enter multiple search terms by separating them with the pipe character “|”.

Regular Expression Match in the Nagios XI Website Defacement Wizard

Once you have finished configuring the check, go ahead and click Next. From here you can customize the check settings like any other wizard, otherwise you can click Finish to apply the configuration. After the Apply Config has completed, we need to make one change to the services. Some sites will issue a HTTP 301 code which is just a simple redirect and can cause some issues with check_http-based checks. For this example we will need to add the “-f follow” switch to our two checks like so:

List of Defacement Services in the Nagios XI Website Defacement Wizard

Wordlist Match Check: Wordlist Match Service Detail - Website Defacement Monitoring in Nagios XI

Regular Expression Match Check:

Regular Expression Match Service Detail - Website Defacement Monitoring in Nagios XI

Then we will click Apply Configuration again.

Back on the Home page, we can look to the Service Detail sub-page for the new services and see the check results:

Check Results - Website Defacement Monitoring in Nagios XI

There you have it! Thankfully, it looks like our Nagios webpage has not been defaced.  As always, if you need any assistance setting up this or any other checks, please do not hesitate to visit us on the Nagios Support Forums.  View a full how-to document on using the Website Defacement Wizard at Monitoring Website Defacement With Nagios XI

This wizard come prepackaged with Nagios XI 2014. If you would like to try out the Website Defacement Wizard and see the latest version of Nagios XI 2014  in action, you can give it a test run by downloading Nagios XI 2014 here with a fully functional 60 day free trial.

Remember, Nagios World Conference 2014 is coming up in October. Register here for 10% off your conference pass. Act now, because this offer won’t last long!

Come see Trevor McDonald present at Nagios World Conference 2014

0 Responses to “Monitoring Website Defacement with Nagios XI 2014”


  • No Comments

Leave a Reply


8 × = twenty four