Re: [Monitorix-general] fail2ban filter for Monitorix
Monitorix is a system monitoring tool
From: Narcis G. <inf...@ac...> - 2020-04-04 08:04:37
I've looked at the logged failures and I see it's recording the source traffic IP but not the visitor's one if it comes through a proxy (X-Forwarded-For):

$ sudo cat /var/log/monitorix-httpd | grep -ie AUTHERR
Thu Apr 2 16:14:35 2020 - AUTHERR - [192.168.1.33] Authentication error: /monitorix/

This will cause fail2ban to block all visitors from the same HTTP proxy.

I also want to warn about the NOTEXIST key in the filter:

$ sudo cat /var/log/monitorix-httpd | grep -ie NOTEXIST
Thu Apr 2 08:55:28 2020 - NOTEXIST - [192.168.1.33] File does not exist: /
Sat Apr 4 09:50:16 2020 - NOTEXIST - [192.168.1.33] File does not exist: /favicon.ico
Sat Apr 4 09:51:21 2020 - NOTEXIST - [192.168.1.33] File does not exist: /monitoric

Thank you;
Narcis Garcia

On 3/4/20 at 9:16, Jordi Sanfeliu wrote:
> Hello,
>
> The following filter for fail2ban should suffice:
>
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~8<~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> # Fail2Ban filter for Monitorix (HTTP built-in server)
> #
>
> [INCLUDES]
>
> before = common.conf
>
> [Definition]
>
> # Option:  failregex
> # Notes.:  regex to match the password failures messages in the logfile. The
> #          host must be matched by a group named "host". The tag "<HOST>" can
> #          be used for standard IP/hostname matching and is only an alias for
> #          (?:::f{4,6}:)?(?P<host>\S+)
> # Values:  TEXT
> #
>
> _daemon = monitorix-httpd
>
> failregex = NOTEXIST - \[<HOST>\] .*
>             AUTHERR - \[<HOST>\] .*
>             NOTALLOWED - \[<HOST>\] .*
>
> # Option:  ignoreregex
> # Notes.:  regex to ignore. If this regex matches, the line is ignored.
> # Values:  TEXT
> #
> ignoreregex =
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~8<~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> Just let me know if it works for you, and if so, I'll push a new request
> to the fail2ban project to include it.
>
> Regards.
>
>
>
> On 4/2/20 10:09 AM, Narcis Garcia via Monitorix-general wrote:
>> The htpasswd method with the system's crypt() is pretty weak against brute-force
>> attacks.
>>
>> Has somebody written an adequate fail2ban filter for HTTP attacks on
>> Monitorix?
>>
>> Thank you.
>>
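To see what the quoted filter does with log lines like the ones above, here is an added test harness; it is not code from the Monitorix project, from fail2ban, or from anyone in this thread. It expands `<HOST>` with the alias quoted in the filter comment, runs the three failregex lines over constructed sample lines in the monitorix-httpd format shown above, and tallies matches per host. The NOTALLOWED message wording, the `10.0.0.x` and `::ffff:`-prefixed addresses, the non-failure `OK` line and the `FAVICON_IGNORE` pattern are assumptions made for the illustration; the thread proposes no ignoreregex.

```python
"""Run a fail2ban-style failregex over constructed monitorix-httpd lines.

Added example, not part of the Monitorix project or the thread above.
"""
import re
from collections import Counter

# The three failregex lines from the quoted filter, verbatim.
FAILREGEX = [
    r"NOTEXIST - \[<HOST>\] .*",
    r"AUTHERR - \[<HOST>\] .*",
    r"NOTALLOWED - \[<HOST>\] .*",
]

# The <HOST> alias quoted in the filter's own comment: an optional
# IPv4-mapped "::ffff:" prefix is skipped, the rest lands in group "host".
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>\S+)"

# Assumed ignoreregex for illustration only (the quoted filter leaves it empty):
# drop NOTEXIST lines for the browser's automatic /favicon.ico request.
FAVICON_IGNORE = r"NOTEXIST - \[\S+\] File does not exist: /favicon\.ico$"


def compile_failregex(patterns):
    """Expand <HOST> and compile each pattern, as fail2ban does per line."""
    return [re.compile(p.replace("<HOST>", HOST_ALIAS)) for p in patterns]


def match_failures(lines, patterns=FAILREGEX, ignoreregex=None):
    """Return [(host, line)] for every line some failregex matches.

    Order follows fail2ban: a line matching ignoreregex is dropped first;
    otherwise the failregex list is searched in order and the first match
    wins. The patterns are unanchored, so searching the whole line gives
    the same result as fail2ban's search of the line after the timestamp.
    """
    compiled = compile_failregex(patterns)
    ignore = re.compile(ignoreregex) if ignoreregex else None
    hits = []
    for line in lines:
        if ignore and ignore.search(line):
            continue
        for rx in compiled:
            m = rx.search(line)
            if m:
                hits.append((m.group("host"), line))
                break
    return hits


def failures_per_host(lines, **kwargs):
    """Count matched lines per extracted host, i.e. what fail2ban would tally."""
    return Counter(host for host, _ in match_failures(lines, **kwargs))


# Constructed sample lines in the format shown in the thread (not real logs).
# Every line carries only the TCP peer address in brackets; when that peer is
# an HTTP proxy, nothing in the line identifies the real visitor, so all of
# a proxy's users accumulate against the proxy IP.
SAMPLE_LOG = [
    "Thu Apr  2 08:55:28 2020 - NOTEXIST - [192.168.1.33] File does not exist: /",
    "Thu Apr  2 16:14:35 2020 - AUTHERR - [192.168.1.33] Authentication error: /monitorix/",
    "Sat Apr  4 09:50:16 2020 - NOTEXIST - [192.168.1.33] File does not exist: /favicon.ico",
    "Sat Apr  4 09:51:21 2020 - NOTEXIST - [192.168.1.33] File does not exist: /monitoric",
    # Assumed wording for a NOTALLOWED line; the thread shows none.
    "Sat Apr  4 10:02:07 2020 - NOTALLOWED - [10.0.0.7] Access not allowed: /monitorix/",
    # IPv4-mapped IPv6 form: the alias strips "::ffff:" so host is 10.0.0.7.
    "Sat Apr  4 10:02:08 2020 - AUTHERR - [::ffff:10.0.0.7] Authentication error: /monitorix/",
    # Hypothetical non-failure line: must not match any failregex.
    "Sat Apr  4 10:03:00 2020 - OK - [10.0.0.8] /monitorix/",
]


def main():
    print("without ignoreregex:", dict(failures_per_host(SAMPLE_LOG)))
    print("ignoring favicon.ico:",
          dict(failures_per_host(SAMPLE_LOG, ignoreregex=FAVICON_IGNORE)))
    for host, line in match_failures(SAMPLE_LOG):
        print(f"{host:14} <- {line}")


if __name__ == "__main__":
    main()
```

Running it shows 192.168.1.33 with four hits, three of them NOTEXIST (one from /favicon.ico), and the `::ffff:` line attributed to 10.0.0.7; with the assumed ignoreregex the favicon request no longer counts. Two caveats: fail2ban strips the timestamp before matching and newer releases use a richer `<HOST>` alias than the one quoted here, so validate the filter on a real installation with `fail2ban-regex` before deploying it; and because the line only carries the peer address, a proxy in front of Monitorix means every failure from any of its users is charged to the proxy IP, exactly the aggregation the message above warns about.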