I've looked at the logged failures and I see it's recording the source traffic IP
but not the visitor's one if it comes through a proxy (X-Forwarded-For):

$ sudo cat /var/log/monitorix-httpd | grep -ie AUTHERR
Thu Apr  2 16:14:35 2020 - AUTHERR - [192.168.1.33] Authentication error: /monitorix/

This will cause fail2ban to block all visitors from the same HTTP proxy.

I also want to warn about the NOTEXIST key in the filter:
$ sudo cat /var/log/monitorix-httpd | grep -ie NOTEXIST
Thu Apr  2 08:55:28 2020 - NOTEXIST - [192.168.1.33] File does not exist: /
Sat Apr  4 09:50:16 2020 - NOTEXIST - [192.168.1.33] File does not exist: /favicon.ico
Sat Apr  4 09:51:21 2020 - NOTEXIST - [192.168.1.33] File does not exist: /monitoric


Thank you;

Narcis Garcia
On 3/4/20 at 9:16, Jordi Sanfeliu wrote:
> Hello,
> 
> The following filter for fail2ban should suffice:
> 
> 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~8<~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> # Fail2Ban filter for Monitorix (HTTP built-in server)
> #
> 
> [INCLUDES]
> 
> before = common.conf
> 
> [Definition]
> 
> # Option:  failregex
> # Notes.:  regex to match the password failures messages in the logfile. The
> #          host must be matched by a group named "host". The tag "<HOST>" can
> #          be used for standard IP/hostname matching and is only an alias for
> #          (?:::f{4,6}:)?(?P<host>\S+)
> # Values:  TEXT
> #
> 
> _daemon = monitorix-httpd
> 
> failregex = NOTEXIST - \[<HOST>\] .*
>             AUTHERR - \[<HOST>\] .*
>             NOTALLOWED - \[<HOST>\] .*
> 
> # Option:  ignoreregex
> # Notes.:  regex to ignore. If this regex matches, the line is ignored.
> # Values:  TEXT
> #
> ignoreregex =
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~8<~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 
> Just let me know if it works for you, and if so, I'll push a new request
> to the fail2ban project to include it.
> 
> Regards.
> 
> 
> 
> On 4/2/20 10:09 AM, Narcis Garcia via Monitorix-general wrote:
>> The htpasswd method with the system's crypt() is pretty weak against brute-force
>> attacks.
>>
>> Has somebody written an adequate fail2ban filter for HTTP attacks on
>> Monitorix?
>>
>> Thank you.
>>
> 


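To see what the posted filter does with the log lines quoted in this thread, here is a small simulation of fail2ban's matching and counting logic, written for this page as an added example (it is not code from Monitorix, from fail2ban, or from either poster). It expands `<HOST>` with the alias given in the filter's own comment, applies the three failregex lines to a constructed sample of /var/log/monitorix-httpd, and counts hits per host inside a sliding window the way a jail's findtime/maxretry do. The maxretry=3 and findtime=600 values are assumed jail settings for the demo, the NOTALLOWED message text is constructed, and the favicon.ico ignoreregex is one possible way to avoid banning an ordinary browser that asks for / and /favicon.ico, not something the thread proposes. Note that the ban key is whatever the log records between the brackets, so when a proxy is in front of Monitorix every visitor behind it shares the same counter, as observed above.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the format of /var/log/monitorix-httpd as quoted in
# the thread. The NOTALLOWED line's message text is invented for the demo.
SAMPLE_LOG = """\
Thu Apr  2 16:14:35 2020 - AUTHERR - [192.168.1.33] Authentication error: /monitorix/
Thu Apr  2 16:14:37 2020 - AUTHERR - [192.168.1.33] Authentication error: /monitorix/
Thu Apr  2 16:14:39 2020 - AUTHERR - [192.168.1.33] Authentication error: /monitorix/
Sat Apr  4 09:50:10 2020 - NOTEXIST - [10.0.0.7] File does not exist: /
Sat Apr  4 09:50:16 2020 - NOTEXIST - [10.0.0.7] File does not exist: /favicon.ico
Sat Apr  4 09:51:21 2020 - NOTEXIST - [10.0.0.7] File does not exist: /monitoric
Sat Apr  4 09:55:00 2020 - NOTALLOWED - [203.0.113.9] Access not allowed: /monitorix/
"""

# The three failregex lines from the filter posted in the thread.
FAILREGEX = [
    r"NOTEXIST - \[<HOST>\] .*",
    r"AUTHERR - \[<HOST>\] .*",
    r"NOTALLOWED - \[<HOST>\] .*",
]

# What fail2ban substitutes for <HOST>, per the filter's own comment.
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>\S+)"

# Assumed mitigation for the favicon.ico false positive (not from the thread):
# lines matching an ignoreregex are dropped before failregex is tried.
IGNOREREGEX_FAVICON = [r"NOTEXIST - \[.*\] File does not exist: /favicon\.ico$"]


def compile_filter(failregex, ignoreregex=()):
    """Expand <HOST> in each failregex and compile both regex lists."""
    fails = [re.compile(p.replace("<HOST>", HOST_ALIAS)) for p in failregex]
    ignores = [re.compile(p) for p in ignoreregex]
    return fails, ignores


def parse_timestamp(line):
    """Parse the leading 'Thu Apr  2 16:14:35 2020' date; the double space
    before a single-digit day is accepted by strptime."""
    ts_str, _, _ = line.partition(" - ")
    return datetime.strptime(ts_str, "%a %b %d %H:%M:%S %Y")


def find_failures(log_text, fails, ignores):
    """Return (timestamp, host) for every line a failregex matches."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        if any(rx.search(line) for rx in ignores):
            continue
        for rx in fails:
            m = rx.search(line)
            if m:
                events.append((parse_timestamp(line), m.group("host")))
                break
    return events


def hosts_to_ban(events, maxretry=3, findtime=600):
    """Sliding-window count per host, like a jail's findtime/maxretry.
    maxretry=3 and findtime=600 are assumed demo settings."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)
    banned = set()
    for ts, host in sorted(events):
        hits = [t for t in recent[host] if ts - t <= window] + [ts]
        recent[host] = hits
        if len(hits) >= maxretry:
            banned.add(host)
    return banned


if __name__ == "__main__":
    fails, ignores = compile_filter(FAILREGEX)
    print("posted filter bans:", sorted(hosts_to_ban(find_failures(SAMPLE_LOG, fails, ignores))))
    fails, ignores = compile_filter(FAILREGEX, IGNOREREGEX_FAVICON)
    print("with favicon ignore:", sorted(hosts_to_ban(find_failures(SAMPLE_LOG, fails, ignores))))
```

With the filter as posted, both 192.168.1.33 (three AUTHERR in four seconds) and 10.0.0.7 (a browser fetching /, /favicon.ico and a mistyped path within a minute) reach three hits and would be banned; ignoring the favicon.ico line leaves 10.0.0.7 at two. Real fail2ban applies regexes to the line after its datepattern has consumed the timestamp, so the `.*` at the end of each failregex and the anchoring of an ignoreregex should be checked with `fail2ban-regex` against the actual log before deploying.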
_______________________________________________
Monitorix-general mailing list
Monitorix-general@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/monitorix-general
