fail2ban/config/filter.d/monit.conf

# Fail2Ban filter for monit.conf, looks for failed access attempts
#
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

_daemon = monit

# Regexp for previous (accessing monit httpd) and new (access denied) versions
failregex = ^\[\s*\]\s*error\s*:\s*Warning:\s+Client '<HOST>' supplied (?:unknown user '[^']+'|wrong password for user '[^']*') accessing monit httpd$
            ^%(__prefix_line)s\w+: access denied -- client <HOST>: (?:unknown user '[^']+'|wrong password for user '[^']*'|empty password)$

# Ignore login with empty user (first connect, no user specified)
# ignoreregex = %(__prefix_line)s\w+: access denied -- client <HOST>: (?:unknown user '')
ignoreregex =
Block brute-force attempts against the Monit gui 2014-04-17 04:21:41 +00:00			`# Fail2Ban filter for monit.conf, looks for failed access attempts`
			`#`
			`#`

fixed monit filter: failregex find now both previous and new versions: - failregex of previous monit version merged as single expression; - extended failregex with new monit "access denied" version; 2016-03-09 19:00:11 +00:00			`[INCLUDES]`

			`# Read common prefixes. If any customizations available -- read them from`
			`# common.local`
			`before = common.conf`

Block brute-force attempts against the Monit gui 2014-04-17 04:21:41 +00:00			`[Definition]`

fixed monit filter: failregex find now both previous and new versions: - failregex of previous monit version merged as single expression; - extended failregex with new monit "access denied" version; 2016-03-09 19:00:11 +00:00			`_daemon = monit`

			`# Regexp for previous (accessing monit httpd) and new (access denied) versions`
added possibility to specify more precise default date pattern: - `datepattern = {^LN-BEG}` - only line-begin anchored default patterns (matches date only at begin of line, or with max distance up to 2 non-alphanumeric characters from line-begin); - `datepattern = {*WD-BEG}` - only word-begin anchored default patterns; - `datepattern = ^prefix{DATE}suffix` - exact specified default patterns (using prefix and suffix); common filter configs gets a more precise, line-begin anchored (datepattern = {^LN-BEG}) resp. custom anchoring default date-patterns; 2016-10-05 17:34:21 +00:00			`failregex = ^\[\s\]\serror\s:\sWarning:\s+Client '<HOST>' supplied (?:unknown user '[^']+'\|wrong password for user '[^']*') accessing monit httpd$`
fixed monit filter: failregex find now both previous and new versions: - failregex of previous monit version merged as single expression; - extended failregex with new monit "access denied" version; 2016-03-09 19:00:11 +00:00			`^%(__prefix_line)s\w+: access denied -- client <HOST>: (?:unknown user '[^']+'\|wrong password for user '[^']*'\|empty password)$`
Block brute-force attempts against the Monit gui 2014-04-17 04:21:41 +00:00
fixed monit filter: failregex find now both previous and new versions: - failregex of previous monit version merged as single expression; - extended failregex with new monit "access denied" version; 2016-03-09 19:00:11 +00:00			`# Ignore login with empty user (first connect, no user specified)`
			`# ignoreregex = %(__prefix_line)s\w+: access denied -- client <HOST>: (?:unknown user '')`
ENH: define ignoreregex for all filters explicitly, to avoid warnings (Closes #934) 2015-01-30 15:37:45 +00:00			`ignoreregex =`