Monitor Website Defacement With Nagios XI - How to do it ?

Website defacement is an attack on a website that changes the visual appearance of the site or a webpage.

The Website Defacement Wizard provides an automated method for monitoring your website for

defacement, and notifies you when your website contains undesirable content

Here at Ibmi Media, as part of our Server Management Services, we regularly help our Customers to perform related Nagios queries.

In this context, we shall look into how to monitor Website Defacement.

Monitor Website Defacement With Nagios XI

To begin, the Website Defacement Wizard provides an automated method for monitoring our website for defacement and notify us when our website contains undesirable content.

Here, we will use the Website Defacement Wizard to monitor our websites for defacement, modification and malicious insertions with Nagios XI.

Points to Consider when monitoring a website for defacement:

  • The Website Defacement wizard uses a regular expression check to search for a specific string or multiple strings.
  • Strings do not have to be case sensitive and each one should be separated by a new line.
  • There are a few pre-defined lists of words we may want to search for, sorted into categories.
  • We can also load a custom wordlist file into the wizard for each site we want to monitor.
  • There is also a regular expression match check to verify that the website we are monitoring is up and running. But this is strictly optional and may be redundant if we are already monitoring this website with Nagios XI.

About the Website Defacement Wizard ?

Basically, Website Defacement wizard uses the regular expression check to find a specific string that we do not want to appear on our website.

To begin using the Website Defacement wizard, navigate via the top menu bar to Configure > Run a configuration wizard and select the Website Defacement wizard.

Step 1:

  • Enter the URL of the website we want to monitor into the URL to Monitor field.
  • This can be the main page of the website or any specific sub-page we want to monitor.
  • Then, click next.

Step 2:

Here is where the majority of the configuration takes place and is broken up into multiple sections.

URL Details specifies the following:

  • Host Name is the standard Nagios host name.
  • Service Name Prefix is a string that will be added to the beginning of any services created by the wizard for easier identification.
  • IP Address allows us to specify a different IP from the one that was auto-detected for the URL.

URL Options specifies the following:

  • Use SSL and Port can be configured in case HTTP/S are running on alternative ports.
  • On Redirect allows us to define how to handle redirected pages.
  • Credentials allow us to specify a username and password for use in basic HTTP authentication.

Defacement Monitoring Services allows us to select which defacement methods we would like to use to monitor our website.

Website Defacement service will be created once we check the box next to Defacement Content Locator.

The Defacement Content Locator allows us to enter a list of words which should be considered "bad" if they appear on the page:

  • Enter each line enter in a list of words manually.
  • Also, upload a custom text file of words.
  • We can choose from the pre-defined lists of default words from different categories.

Web Page Regular Expression Match allows us to check that the content of the webpage includes specific words or expressions.

Web page Regex Match service will create, If we check the box next to Web Page Regular Expression Match.

Then, we will enter a string we wish to search for on the website.

If the entered string does not appear on our website, we will receive an alert.

We can also choose to invert the search by checking the Invert Regex Search check box.

Step 3:

Once we have finish making our selections, click Next and then complete the wizard by choosing the required options.

Step 4:

  • To finish up, click on Finish in the final step of the wizard, this will create the new hosts and services and begin monitoring.
  • Click the View status details for our web server link to see the new host and services that were create, after wizard applies the configuration.

How to fix the error, "301 Moved Permanently – pattern not found" while we Monitor Website Defacement With Nagios XI ?

The error "301 Moved Permanently – pattern not found" implies that Web Page Regex Service is in a critical state, whereas the Website Defacement Service is in an OK state.

However, we need to correct the error "301 Moved Permanently – pattern not found" for the service to function properly.

Some sites will issue a HTTP 301 code which is just a simple redirect and can cause some issues with the check_http plugin.

i. We have to adjust the "-f xxxx" switch on the services to use the follow argument.

ii. Locate the services by navigating to Configure > Core Config Manager > Monitoring > Services.

iii. Click the services in the Service Name column to begin editing it:

If $ARG3$ has the value "-f ok", change "ok" to "follow".

iv. Now $ARG3$ has the value:

-f follow

v. Click Save to save the changes.

vi. Repeat this for any other services that need updating and then click Apply Configuration to make the changes go into production.

vii. Once the configuration has applied, view the services. After they have performed a check with the new setting, they should be working correctly.

[Need help with the procedures with Nagios? We are here for you. ]


This article covers how to Monitor Website Defacement With Nagios. Basically, Nagios XI can monitor for potential Website defacement using the Website Defacement monitoring wizard. 

Benefits of Website Defacement Detection:

  • Fast detection of security breaches.
  • Fast detection of outages and website hijacking.
  • Increased website and web application availability.
  • Capacity planning information for future web server and application upgrades.