Hello Martin,
I am sorry for the delay...

I did find some time to run some tests, and I noticed that syslog stopped, for
some reason, logging these failed login attempts after some time; up to a
certain date they were working OK...
I changed the logfile to a custom one that logs the events now.

Anyway, unfortunately, since the logging comes in the form of "Warning: Client
'127.0.0.1' supplied unknown user", there is no way to make it work. I should
disable the proxy pass and then access the service from an external IP so I can
later ban it...

Br Alex


From: Martin Pala 
Sent: Monday, April 30, 2012 5:15 PM
To: This is the general mailing list for monit 
Subject: Re: Monit built-in Http log for fail2ban


Hi,


The monit logfile is configured with "SET LOGFILE <path|SYSLOG>" … in your case
the log goes to syslog, which decides to which file to log the message. Monit's
internal webserver is a proprietary implementation - it's not mongrel. The
failed login attempts are logged with the following messages:


    Warning: Client 'xyz' supplied unknown user 'cdb' accessing monit httpd
    Warning: Client 'xyz' supplied wrong password for user 'abc' accessing monit httpd


Regards,
Martin






On Apr 26, 2012, at 2:54 PM, Alex wrote:


  I have set up monit on a CentOS system and I use "ProxyPass /monit/
  http://localhost:2812/" in Apache in order to access it,
  so the URL is something like https://domanname/monit/

  I would like to know if it is possible to protect that URL via fail2ban.
  I am searching to see if the internal server (mongrel, as I read on the
  site) has some sort of log file for failed attempts, like Apache's "client
  <HOST>user  authentication failure", so I can catch them with a regex...

  In the config I use:

  set daemon  60
  set logfile syslog facility log_daemon
  set mailserver localhost
  set mail-format { from: monit@domname }
  set alert admin@domname 
  set httpd port 2812 ADDRESS localhost and
       SSL DISABLE
       PEMFILE  /var/certs/monit.pem
       allow adminname:pass

  I did try to search for both the logs and the mongrel proc, but with no luck.
  Is there someone who would know how to achieve that, or perhaps could think of
  something else?

  Br Alex


  --
  To unsubscribe:
  https://lists.nongnu.org/mailman/listinfo/monit-general
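
The thread ends on the loopback problem: with Apache's ProxyPass in front, monit only ever logs 127.0.0.1 as the client. As an added example (not part of the original messages, and not monit or fail2ban code), this Python sketch matches the two messages Martin quotes and leaves loopback clients out of the ban candidates; the log prefix, the sample addresses and the `max_retry` threshold are assumptions.

```python
import ipaddress
import re
from collections import Counter

MARKER = "Warning: Client '"
# The two message formats quoted in Martin's reply. The syslog/logfile prefix
# varies by logger, so only the message itself is matched.
FAILED_LOGIN = re.compile(
    r"Warning: Client '(?P<host>[^']+)' supplied "
    r"(?:unknown user|wrong password for user) '(?P<user>[^']*)'"
    r" accessing monit httpd\s*$"
)

def parse_failure(line):
    """Return (client, user) for a failed monit httpd login, else None."""
    # Match from the first marker only, so text inside the user-supplied
    # name can never be read as the client address.
    start = line.find(MARKER)
    m = FAILED_LOGIN.match(line, start) if start >= 0 else None
    return (m.group("host"), m.group("user")) if m else None

def bannable(client):
    """Loopback and non-IP clients are never ban candidates (assumed policy)."""
    try:
        return not ipaddress.ip_address(client).is_loopback
    except ValueError:
        return False

def offenders(lines, max_retry=3):
    """Return (sorted clients with >= max_retry failures, skipped count)."""
    counts, skipped = Counter(), 0
    for hit in filter(None, map(parse_failure, lines)):
        if bannable(hit[0]):
            counts[hit[0]] += 1
        else:
            skipped += 1  # e.g. 127.0.0.1 when Apache ProxyPass fronts monit
    return sorted(c for c, n in counts.items() if n >= max_retry), skipped

# Constructed sample lines (prefix format and addresses are assumptions).
PREFIX = "May  1 10:00:0%d srv monit[812]: "
SAMPLE = [PREFIX % i + msg for i, msg in enumerate([
    "Warning: Client '203.0.113.7' supplied unknown user 'cdb' accessing monit httpd",
    "Warning: Client '203.0.113.7' supplied wrong password for user 'abc' accessing monit httpd",
    "Warning: Client '203.0.113.7' supplied unknown user 'root' accessing monit httpd",
    "Warning: Client '127.0.0.1' supplied unknown user 'cdb' accessing monit httpd",
    "Warning: Client '198.51.100.9' supplied unknown user 'x' accessing monit httpd",
    "unrelated line",
])]
print(offenders(SAMPLE))
```

In a fail2ban filter, the `<HOST>` tag would take the place of the `host` group in the pattern.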



