Re: [Monitorix-general] fail2ban filter for Monitorix

2020-04-04 Thread Jordi Sanfeliu
Sure, this filter probably lacks things here and there and it's far from 
being perfect, but it's a good start overall and works well for the 
majority of cases.


Feel free to improve it!

Regards.


On 4/4/20 10:04 AM, Narcis Garcia via Monitorix-general wrote:

> I've looked at the failures logged and I see it's recording the source
> traffic IP but not the visitor's one if it comes through a proxy
> (X-Forwarded-For):
> 
> $ sudo cat /var/log/monitorix-httpd | grep -ie AUTHERR
> Thu Apr  2 16:14:35 2020 - AUTHERR - [192.168.1.33] Authentication error: /monitorix/
> 
> This will cause fail2ban to block all visitors from the same HTTP proxy.
> 
> I also want to warn about the NOTEXIST key used to filter:
> $ sudo cat /var/log/monitorix-httpd | grep -ie NOTEXIST
> Thu Apr  2 08:55:28 2020 - NOTEXIST - [192.168.1.33] File does not exist: /
> Sat Apr  4 09:50:16 2020 - NOTEXIST - [192.168.1.33] File does not exist: /favicon.ico
> Sat Apr  4 09:51:21 2020 - NOTEXIST - [192.168.1.33] File does not exist: /monitoric
> 
> 
> Thank you;
> 
> Narcis Garcia



--
Jordi Sanfeliu
FIBRANET Network Services Provider
https://www.fibranet.cat


___
Monitorix-general mailing list
Monitorix-general@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/monitorix-general


Re: [Monitorix-general] fail2ban filter for Monitorix

2020-04-04 Thread Narcis Garcia via Monitorix-general
I've looked at the failures logged and I see it's recording the source
traffic IP but not the visitor's one if it comes through a proxy
(X-Forwarded-For):

$ sudo cat /var/log/monitorix-httpd | grep -ie AUTHERR
Thu Apr  2 16:14:35 2020 - AUTHERR - [192.168.1.33] Authentication error: /monitorix/

This will cause fail2ban to block all visitors from the same HTTP proxy.

I also want to warn about the NOTEXIST key used to filter:
$ sudo cat /var/log/monitorix-httpd | grep -ie NOTEXIST
Thu Apr  2 08:55:28 2020 - NOTEXIST - [192.168.1.33] File does not exist: /
Sat Apr  4 09:50:16 2020 - NOTEXIST - [192.168.1.33] File does not exist: /favicon.ico
Sat Apr  4 09:51:21 2020 - NOTEXIST - [192.168.1.33] File does not exist: /monitoric


Thank you;

Narcis Garcia
On 3/4/20 at 9:16, Jordi Sanfeliu wrote:
> Hello,
> 
> The following filter for fail2ban should suffice:
> 
> 
> 8<
> # Fail2Ban filter for Monitorix (HTTP built-in server)
> #
> 
> [INCLUDES]
> 
> before = common.conf
> 
> [Definition]
> 
> # Option:  failregex
> # Notes.:  regex to match the password failures messages in the logfile. The
> #  host must be matched by a group named "host". The tag "<HOST>" can
> #  be used for standard IP/hostname matching and is only an alias for
> #  (?:::f{4,6}:)?(?P<host>\S+)
> # Values:  TEXT
> #
> 
> _daemon = monitorix-httpd
> 
> failregex = NOTEXIST - \[<HOST>\] .*
>             AUTHERR - \[<HOST>\] .*
>             NOTALLOWED - \[<HOST>\] .*
> 
> # Option:  ignoreregex
> # Notes.:  regex to ignore. If this regex matches, the line is ignored.
> # Values:  TEXT
> #
> ignoreregex =
> 8<
> 
> Just let me know if it works for you, and if so, I'll push a new request
> to the fail2ban project to include it.
> 
> Regards.
> 
> 
> 
> On 4/2/20 10:09 AM, Narcis Garcia via Monitorix-general wrote:
>> The htpasswd method with the system's crypt() is pretty weak in the face of
>> brute-force attacks.
>>
>> Has somebody written an adequate fail2ban filter for HTTP attacks
>> on Monitorix?
>>
>> Thank you.
>>
> 




Re: [Monitorix-general] fail2ban filter for Monitorix

2020-04-03 Thread Jordi Sanfeliu

Hello,

The following filter for fail2ban should suffice:


8<
# Fail2Ban filter for Monitorix (HTTP built-in server)
#

[INCLUDES]

before = common.conf

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#  host must be matched by a group named "host". The tag "<HOST>" can
#  be used for standard IP/hostname matching and is only an alias for
#  (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#

_daemon = monitorix-httpd

failregex = NOTEXIST - \[<HOST>\] .*
            AUTHERR - \[<HOST>\] .*
            NOTALLOWED - \[<HOST>\] .*

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
8<

Just let me know if it works for you, and if so, I'll push a new request 
to the fail2ban project to include it.


Regards.



On 4/2/20 10:09 AM, Narcis Garcia via Monitorix-general wrote:

> The htpasswd method with the system's crypt() is pretty weak in the face of
> brute-force attacks.
> 
> Has somebody written an adequate fail2ban filter for HTTP attacks
> on Monitorix?
> 
> Thank you.



--
Jordi Sanfeliu
FIBRANET Network Services Provider
https://www.fibranet.cat
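
To see what the filter above and Narcis's proxy concern mean in practice, here is a small Python checker added for this page (it is not code from this thread, from Monitorix or from fail2ban) that expands the filter's <HOST> tag exactly as the filter's comment describes and runs the three failregex lines over the quoted log excerpts. It assumes a simplified re.search matcher as a stand-in for fail2ban's own engine and invents one ignoreregex entry for /favicon.ico to show how the NOTEXIST rule's benign hits can be trimmed.

```python
import re

# Constructed sample input: the four lines Narcis quoted from /var/log/monitorix-httpd.
LOG_LINES = [
    "Thu Apr  2 16:14:35 2020 - AUTHERR - [192.168.1.33] Authentication error: /monitorix/",
    "Thu Apr  2 08:55:28 2020 - NOTEXIST - [192.168.1.33] File does not exist: /",
    "Sat Apr  4 09:50:16 2020 - NOTEXIST - [192.168.1.33] File does not exist: /favicon.ico",
    "Sat Apr  4 09:51:21 2020 - NOTEXIST - [192.168.1.33] File does not exist: /monitoric",
]

# The three failregex lines of the filter posted in this thread.
FAILREGEX = [r"NOTEXIST - \[<HOST>\] .*", r"AUTHERR - \[<HOST>\] .*", r"NOTALLOWED - \[<HOST>\] .*"]

# What fail2ban substitutes for the <HOST> tag, per the filter's own comment.
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>\S+)"


def compile_patterns(patterns):
    """Expand <HOST> and compile each regex (fail2ban does this when loading the filter)."""
    return [re.compile(p.replace("<HOST>", HOST_TAG)) for p in patterns]


def match_host(line, regexes):
    """Host captured by the first matching regex, or None (simplified re.search matcher, an assumption)."""
    for rx in regexes:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


def count_failures(lines, failregex, ignoreregex=()):
    """Per-host failure counts: the numbers fail2ban compares against maxretry."""
    fail, ignore = compile_patterns(failregex), compile_patterns(ignoreregex)
    counts = {}
    for line in lines:
        if any(rx.search(line) for rx in ignore):
            continue  # ignoreregex wins over failregex
        host = match_host(line, fail)
        if host is not None:
            counts[host] = counts.get(host, 0) + 1
    return counts


if __name__ == "__main__":
    # Every line carries the proxy's address, so one bad login plus three harmless
    # 404s (one a browser's /favicon.ico probe) are all charged to 192.168.1.33,
    # i.e. to everybody behind that proxy.
    print(count_failures(LOG_LINES, FAILREGEX))  # {'192.168.1.33': 4}
    # A hypothetical ignoreregex for favicon requests drops the commonest benign NOTEXIST
    # hit; leaving out the NOTEXIST regex altogether keeps only the AUTHERR line.
    print(count_failures(LOG_LINES, FAILREGEX, [r"File does not exist: /favicon\.ico$"]))  # {'192.168.1.33': 3}
    print(count_failures(LOG_LINES, FAILREGEX[1:]))  # {'192.168.1.33': 1}
```

The same patterns can be checked against a real log with fail2ban's own fail2ban-regex tool once the filter is installed; this script only reproduces the counting so the proxy and favicon effects are visible offline.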

