fail2ban/config/filter.d/monit.conf

# Fail2Ban filter for monit.conf, looks for failed access attempts
#
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

# [DEFAULT]
# logtype = short

[Definition]

_daemon = monit

_prefix = Warning|HttpRequest

# Regexp for previous (accessing monit httpd) and new (access denied) versions
failregex = ^%(__prefix_line)s(?:error\s*:\s+)?(?:%(_prefix)s):\s+(?:access denied\s+--\s+)?[Cc]lient '?<HOST>'?(?:\s+supplied|\s*:)\s+(?:unknown user '<F-ALT_USER>[^']+</F-ALT_USER>'|wrong password for user '<F-USER>[^']*</F-USER>'|empty password)

# Ignore login with empty user (first connect, no user specified)
# ignoreregex = %(__prefix_line)s\w+: access denied -- client <HOST>: (?:unknown user '')
ignoreregex =
Block brute-force attempts against the Monit gui 2014-04-17 04:21:41 +00:00			`# Fail2Ban filter for monit.conf, looks for failed access attempts`
			`#`
			`#`

fixed monit filter: failregex find now both previous and new versions: - failregex of previous monit version merged as single expression; - extended failregex with new monit "access denied" version; 2016-03-09 19:00:11 +00:00			`[INCLUDES]`

			`# Read common prefixes. If any customizations available -- read them from`
			`# common.local`
			`before = common.conf`

filter.d/common.conf: closes gh-2650, avoid substitute of default values in related `lt_*` section, `__prefix_line` should be interpolated in definition section (after the config considers all sections that can overwrite it); amend to 62b1712d223269b6201366e55c796a15a2f2211d (PR #2387, backend-related option `logtype`); testSampleRegexsZZZ-GENERIC-EXAMPLE covering now negative case also (other daemon in prefix line) 2020-03-05 12:47:11 +00:00			`# [DEFAULT]`
			`# logtype = short`

Block brute-force attempts against the Monit gui 2014-04-17 04:21:41 +00:00			`[Definition]`

fixed monit filter: failregex find now both previous and new versions: - failregex of previous monit version merged as single expression; - extended failregex with new monit "access denied" version; 2016-03-09 19:00:11 +00:00			`_daemon = monit`

filter.d/common.conf: closes gh-2650, avoid substitute of default values in related `lt_*` section, `__prefix_line` should be interpolated in definition section (after the config considers all sections that can overwrite it); amend to 62b1712d223269b6201366e55c796a15a2f2211d (PR #2387, backend-related option `logtype`); testSampleRegexsZZZ-GENERIC-EXAMPLE covering now negative case also (other daemon in prefix line) 2020-03-05 12:47:11 +00:00			`_prefix = Warning\|HttpRequest`

fixed monit filter: failregex find now both previous and new versions: - failregex of previous monit version merged as single expression; - extended failregex with new monit "access denied" version; 2016-03-09 19:00:11 +00:00			`# Regexp for previous (accessing monit httpd) and new (access denied) versions`
filter.d/common.conf: closes gh-2650, avoid substitute of default values in related `lt_*` section, `__prefix_line` should be interpolated in definition section (after the config considers all sections that can overwrite it); amend to 62b1712d223269b6201366e55c796a15a2f2211d (PR #2387, backend-related option `logtype`); testSampleRegexsZZZ-GENERIC-EXAMPLE covering now negative case also (other daemon in prefix line) 2020-03-05 12:47:11 +00:00			`failregex = ^%(__prefix_line)s(?:error\s:\s+)?(?:%(_prefix)s):\s+(?:access denied\s+--\s+)?[Cc]lient '?<HOST>'?(?:\s+supplied\|\s:)\s+(?:unknown user '<F-ALT_USER>[^']+</F-ALT_USER>'\|wrong password for user '<F-USER>[^']*</F-USER>'\|empty password)`
Block brute-force attempts against the Monit gui 2014-04-17 04:21:41 +00:00
fixed monit filter: failregex find now both previous and new versions: - failregex of previous monit version merged as single expression; - extended failregex with new monit "access denied" version; 2016-03-09 19:00:11 +00:00			`# Ignore login with empty user (first connect, no user specified)`
			`# ignoreregex = %(__prefix_line)s\w+: access denied -- client <HOST>: (?:unknown user '')`
ENH: define ignoreregex for all filters explicitly, to avoid warnings (Closes #934) 2015-01-30 15:37:45 +00:00			`ignoreregex =`