Simplifying Patch Management with PatchMon: An Open-Source Solution for Linux and Windows

How many of you use patch management systems? Or at least, how important is patch management within your lab?

I'm Dimitri Bellini, and today we aren't just talking about corporate enterprise environments—we are talking about the homelab and hobbyist world, too. Managing patches on Linux and Windows machines is not always an easy task. While there are many mature solutions out there, they are often bulky, expensive, or strictly focused on a single operating system. That's why today, we are going to explore PatchMon, a highly interesting, completely open-source solution.

But first, remember our philosophy: Open Source is knowledge, zero passwords, only the truth without appearance. Nothing is hidden in the cloud, the substance counts. Quadrata, creators of solutions.

What is PatchMon?

PatchMon is a cross-platform patch management tool for keeping the hosts you run up to date. With compliance regimes such as the EU NIS2 directive making patch status something you have to demonstrate rather than assume, knowing which machines are behind on updates is critical. PatchMon aims to close that gap with a single dashboard for monitoring and applying updates across an infrastructure that mixes Linux, FreeBSD, and Windows hosts.

If you look at their GitHub repository, you will see a very active community and a steady cadence of releases. While the developers offer a paid cloud version, the core software is completely open-source and free to self-host.

A Smart, Agent-Based Architecture

What makes PatchMon stand out compared to other tools? Many traditional patch managers require SSH connections, Windows Remote Management (WinRM), VPNs, or complex firewall rules. PatchMon takes a refreshingly modern approach.

The solution consists of a central server component, hosted on your own infrastructure, and a lightweight agent written in Go that runs on each endpoint. The agent initiates an outbound HTTPS connection to the server, so the server never has to reach into your network: no inbound ports are opened on the managed machines and no SSH or WinRM access from the server is required. The flip side of this design is that the agent trusts whatever server it dials, so give the server a certificate the endpoints can validate rather than disabling verification on the agent, and treat the server itself as a privileged system, because every endpoint will follow its instructions.

Installation: Docker and Proxmox Friendly

Deploying PatchMon is straightforward. I installed it using their suggested Docker method: a setup script pulls the Docker Compose file, asks a few customization questions (such as your IP address and timezone), and brings the environment up. As with any install script fetched from the internet, download it first, read it, and only then execute it, rather than piping it straight into a shell.

If you are a Proxmox VE user, there is even better news! The community has released a ready-to-use LXC (Linux Container) template for PatchMon. You don't even need to set up a Docker host—just deploy the LXC on Proxmox, and you are ready to go.

Key Features of PatchMon

Once you boot up the dashboard, you are greeted with a clean, well-organized interface that provides a bird's-eye view of your hosts, outdated packages, and systems requiring a reboot. Here are some of the standout features:

Web-Based SSH and RDP Proxy

One of my absolute favorite tricks in PatchMon is the ability to use the installed agent as a proxy for remote access. Directly from your web browser, you can open an SSH or RDP session to your managed machines.

In my testing, the SSH connection worked flawlessly. The RDP feature, which utilizes Apache Guacamole under the hood, is functional but feels a bit weak and could use some further tuning from the developers to be perfect.

My Experience: Quirks and Workarounds

While PatchMon is fantastic, it is still a young project with a few growing pains. For instance, when creating a Patch Policy, assigning specific patches to a machine or group wasn't entirely intuitive; it felt a bit like an "all or nothing" approach.

Additionally, if you are deploying the agent on Windows, be prepared for a minor hiccup. The installation relies on a PowerShell script, and on a default Windows client the execution policy is Restricted, so an unsigned script downloaded from the internet is refused. I had to temporarily bypass the execution policy to get the agent running. Do that for the process that runs the installer only, not by lowering the machine-wide policy, and read the script before you run it.
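The following PowerShell wrapper is an added example, not part of the original post or of the PatchMon project, and the installer file name in it is a placeholder. It records the policies in force, checks whether the installer is Authenticode-signed, shows the start of an unsigned script so you can review it, and then runs it with an execution-policy bypass that applies to one child process only, leaving the machine-wide policy untouched.

```powershell
# Added example: run an unsigned agent installer with a process-scoped
# execution-policy bypass. Not PatchMon's own installer or documentation.
# Assumption: $ScriptPath is a placeholder; use the path of the script you
# actually downloaded.
param(
    [string]$ScriptPath = ".\patchmon-agent-install.ps1"   # placeholder name
)

# 1. Record the policies in force, so you can see why the script was refused
#    and later confirm that nothing persistent changed.
Write-Host "Execution policies before install:"
Get-ExecutionPolicy -List | Format-Table -AutoSize

# 2. Refuse to run anything that does not exist, and never run a script you
#    have not looked at. Files fetched by a browser carry the Zone.Identifier
#    stream ("Mark of the Web"); Unblock-File clears it only after review.
if (-not (Test-Path -LiteralPath $ScriptPath)) {
    throw "Install script not found: $ScriptPath"
}
$sig = Get-AuthenticodeSignature -FilePath $ScriptPath
Write-Host "Signature status: $($sig.Status)"
if ($sig.Status -ne 'Valid') {
    Write-Warning "Script is not signed by a trusted publisher; review it before continuing."
    Get-Content -LiteralPath $ScriptPath | Select-Object -First 40
    $answer = Read-Host "Proceed with a process-scoped bypass? (y/N)"
    if ($answer -ne 'y') { return }
    Unblock-File -LiteralPath $ScriptPath
}

# 3. Run the installer in a child powershell.exe with -ExecutionPolicy Bypass.
#    That switch affects only the child process; the LocalMachine and
#    CurrentUser policies listed in step 1 are not modified.
$proc = Start-Process -FilePath 'powershell.exe' `
    -ArgumentList @('-NoProfile', '-ExecutionPolicy', 'Bypass', '-File', $ScriptPath) `
    -Wait -PassThru -NoNewWindow
if ($proc.ExitCode -ne 0) {
    throw "Agent install failed with exit code $($proc.ExitCode)"
}

# 4. Confirm the persistent policies are exactly as they were.
Write-Host "Execution policies after install:"
Get-ExecutionPolicy -List | Format-Table -AutoSize
```

If you prefer to stay in the current window, `Set-ExecutionPolicy -Scope Process Bypass` has the same effect and expires when that PowerShell session closes; what you want to avoid is `Set-ExecutionPolicy Unrestricted` at LocalMachine scope, which silently weakens every future script run on the host.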

Finally, the remote proxy features are disabled by default, and for good reason: once enabled, whoever controls the PatchMon server (or a dashboard account with the right permissions) can open an interactive SSH or RDP session to every managed host through its agent, so the server deserves the same protection as a jump host. To use them, you must manually edit the configuration files on your endpoints:

Final Thoughts

Is PatchMon a fully-fledged enterprise solution? Probably not for highly critical, zero-downtime environments just yet. However, is it an incredibly interesting software with brilliant ideas? Absolutely.

For a homelab, a small business, or a testing environment, it is a fantastic tool that saves you from overcomplicating your life with heavier software. I highly recommend deploying it in your lab, testing its capabilities, and sharing your feedback with the developers. They are enthusiasts just like us, and community input is what makes open-source software thrive. Don't forget to drop a star on their GitHub repository!

Let me know in the comments what you think about PatchMon. Are there other robust patch management solutions you prefer? Let's discuss, and maybe we can try them out together in a future post.

That's all for today! A big greeting from Dimitri, and I'll see you next week. Bye everyone!


Stay Connected

If you enjoyed this content, make sure to support the channel and join our community: