Re: [Monitorix-general] fail2ban filter for Monitorix
Sure, this filter probably lacks things here and there and it's far from being perfect, but it's a good start overall and works well for the majority of cases. Feel free to improve it!

Regards.

On 4/4/20 10:04 AM, Narcis Garcia via Monitorix-general wrote:
> I've looked at the failures logged and I see it's recording the source
> traffic IP but not the visitor's one if it comes through a proxy
> (X-Forwarded-For):
>
> $ sudo cat /var/log/monitorix-httpd | grep -ie AUTHERR
> Thu Apr 2 16:14:35 2020 - AUTHERR - [192.168.1.33] Authentication error: /monitorix/
>
> This will cause fail2ban to block all visitors from the same HTTP proxy.
>
> I also want to warn about the NOTEXIST key in the filter:
>
> $ sudo cat /var/log/monitorix-httpd | grep -ie NOTEXIST
> Thu Apr 2 08:55:28 2020 - NOTEXIST - [192.168.1.33] File does not exist: /
> Sat Apr 4 09:50:16 2020 - NOTEXIST - [192.168.1.33] File does not exist: /favicon.ico
> Sat Apr 4 09:51:21 2020 - NOTEXIST - [192.168.1.33] File does not exist: /monitoric
>
> Thank you;
> Narcis Garcia

-- 
Jordi Sanfeliu
FIBRANET Network Services Provider
https://www.fibranet.cat

___
Monitorix-general mailing list
Monitorix-general@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/monitorix-general
Re: [Monitorix-general] fail2ban filter for Monitorix
I've looked at the failures logged and I see it's recording the source traffic IP but not the visitor's one if it comes through a proxy (X-Forwarded-For):

$ sudo cat /var/log/monitorix-httpd | grep -ie AUTHERR
Thu Apr 2 16:14:35 2020 - AUTHERR - [192.168.1.33] Authentication error: /monitorix/

This will cause fail2ban to block all visitors from the same HTTP proxy.

I also want to warn about the NOTEXIST key in the filter:

$ sudo cat /var/log/monitorix-httpd | grep -ie NOTEXIST
Thu Apr 2 08:55:28 2020 - NOTEXIST - [192.168.1.33] File does not exist: /
Sat Apr 4 09:50:16 2020 - NOTEXIST - [192.168.1.33] File does not exist: /favicon.ico
Sat Apr 4 09:51:21 2020 - NOTEXIST - [192.168.1.33] File does not exist: /monitoric

Thank you;
Narcis Garcia

On 3/4/20 at 9:16, Jordi Sanfeliu wrote:
> Hello,
>
> The following filter for fail2ban should suffice:
>
>
> 8<
> # Fail2Ban filter for Monitorix (HTTP built-in server)
> #
>
> [INCLUDES]
>
> before = common.conf
>
> [Definition]
>
> # Option:  failregex
> # Notes.:  regex to match the password failures messages in the logfile. The
> #          host must be matched by a group named "host". The tag "<HOST>" can
> #          be used for standard IP/hostname matching and is only an alias for
> #          (?:::f{4,6}:)?(?P<host>\S+)
> # Values:  TEXT
> #
>
> _daemon = monitorix-httpd
>
> failregex = NOTEXIST - \[<HOST>\] .*
>             AUTHERR - \[<HOST>\] .*
>             NOTALLOWED - \[<HOST>\] .*
>
> # Option:  ignoreregex
> # Notes.:  regex to ignore. If this regex matches, the line is ignored.
> # Values:  TEXT
> #
> ignoreregex =
> 8<
>
> Just let me know if it works for you, and if so, I'll push a new request
> to the fail2ban project to include it.
>
> Regards.
>
>
>
> On 4/2/20 10:09 AM, Narcis Garcia via Monitorix-general wrote:
>> The htpasswd method with the system's crypt() is pretty weak against brute-force
>> attacks.
>>
>> Has somebody written an adequate fail2ban filter for HTTP attacks
>> on Monitorix?
>>
>> Thank you.
>>
Re: [Monitorix-general] fail2ban filter for Monitorix
Hello,

The following filter for fail2ban should suffice:

8<
# Fail2Ban filter for Monitorix (HTTP built-in server)
#

[INCLUDES]

before = common.conf

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#

_daemon = monitorix-httpd

failregex = NOTEXIST - \[<HOST>\] .*
            AUTHERR - \[<HOST>\] .*
            NOTALLOWED - \[<HOST>\] .*

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
8<

Just let me know if it works for you, and if so, I'll push a new request to the fail2ban project to include it.

Regards.

On 4/2/20 10:09 AM, Narcis Garcia via Monitorix-general wrote:
> The htpasswd method with the system's crypt() is pretty weak against brute-force
> attacks.
>
> Has somebody written an adequate fail2ban filter for HTTP attacks
> on Monitorix?
>
> Thank you.
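The following is an added example, written for this thread and not code from Jordi's filter, from fail2ban or from Monitorix. It applies the three failregex lines from the filter above to constructed log lines in the monitorix-httpd format shown in the thread, and counts matches per extracted host the way a jail's maxretry threshold would see them. It assumes the older <HOST> alias quoted in the filter's comment header, (?:::f{4,6}:)?(?P<host>\S+), and approximates fail2ban's per-line matching with re.search; the favicon ignoreregex passed in the second check is an illustration of the ignoreregex mechanism, not a rule proposed in the thread. It makes both points raised by Narcis visible: every NOTEXIST line, including /favicon.ico, counts as a failure, and the host that gets counted is whatever address sits in the brackets, so clients behind one proxy all land on the proxy's address.

```python
import re

# <HOST> alias exactly as quoted in the filter's comment header (assumption:
# newer fail2ban versions use a tighter alias, but the capture group name is
# still "host").
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>\S+)"

# The three failregex lines from the filter posted in this thread.
FAILREGEX = [
    r"NOTEXIST - \[<HOST>\] .*",
    r"AUTHERR - \[<HOST>\] .*",
    r"NOTALLOWED - \[<HOST>\] .*",
]

# Constructed sample log: the four lines quoted in the thread plus two extra
# lines made up for this example (203.0.113.7 is a documentation-range address).
SAMPLE_LOG = """\
Thu Apr 2 16:14:35 2020 - AUTHERR - [192.168.1.33] Authentication error: /monitorix/
Thu Apr 2 08:55:28 2020 - NOTEXIST - [192.168.1.33] File does not exist: /
Sat Apr 4 09:50:16 2020 - NOTEXIST - [192.168.1.33] File does not exist: /favicon.ico
Sat Apr 4 09:51:21 2020 - NOTEXIST - [192.168.1.33] File does not exist: /monitoric
Sat Apr 4 10:02:10 2020 - AUTHERR - [203.0.113.7] Authentication error: /monitorix/
Sat Apr 4 10:03:00 2020 - OK - [203.0.113.7] GET /monitorix/
"""


def compile_filter(patterns, ignoreregex=None):
    """Expand <HOST> in each failregex line and compile it, plus the optional ignoreregex."""
    fail_res = [re.compile(p.replace("<HOST>", HOST_ALIAS)) for p in patterns]
    ignore_re = re.compile(ignoreregex) if ignoreregex else None
    return fail_res, ignore_re


def matched_hosts(log_text, patterns=FAILREGEX, ignoreregex=None):
    """Return (host, line) for every line a filter with these rules would count.

    Mirrors fail2ban's order of evaluation: a line matching ignoreregex is
    dropped before failregex is tried; the first failregex that matches wins.
    """
    fail_res, ignore_re = compile_filter(patterns, ignoreregex)
    hits = []
    for line in log_text.splitlines():
        if ignore_re is not None and ignore_re.search(line):
            continue
        for rx in fail_res:
            m = rx.search(line)
            if m:
                hits.append((m.group("host"), line))
                break
    return hits


def failures_per_host(log_text, **filter_opts):
    """Count matched lines per captured host (what a jail accumulates per address)."""
    counts = {}
    for host, _ in matched_hosts(log_text, **filter_opts):
        counts[host] = counts.get(host, 0) + 1
    return counts


def hosts_over_threshold(log_text, maxretry=3, **filter_opts):
    """Hosts whose failure count reaches maxretry, i.e. the ones a jail would ban."""
    counts = failures_per_host(log_text, **filter_opts)
    return sorted(h for h, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    print("as posted:", failures_per_host(SAMPLE_LOG))
    print("favicon ignored:",
          failures_per_host(SAMPLE_LOG, ignoreregex=r"File does not exist: /favicon\.ico$"))
    print("would ban at maxretry=3:", hosts_over_threshold(SAMPLE_LOG))
```

With the filter as posted, 192.168.1.33 accumulates four hits (one AUTHERR, three NOTEXIST, the /favicon.ico request included) and would be banned by any jail with maxretry of 3 or 4, while the "OK" line is never counted. Against a real log the equivalent check is fail2ban's own tester, fail2ban-regex <logfile> <filter.conf>, which reports matched lines and the extracted hosts before any jail is enabled.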