From ede200970859a6f1491aabdeb68c7d24a6052e36 Mon Sep 17 00:00:00 2001
From: Jordi Sanfeliu
Date: Fri, 3 Apr 2020 12:52:19 +0200
Subject: [PATCH 1/5] added new jail (and filter) Monitorix

---
 config/filter.d/monitorix.conf | 27 +++++++++++++++++++++++++++
 config/jail.conf | 5 +++++
 2 files changed, 32 insertions(+)
 create mode 100644 config/filter.d/monitorix.conf

diff --git a/config/filter.d/monitorix.conf b/config/filter.d/monitorix.conf
new file mode 100644
index 00000000..3979ed43
--- /dev/null
+++ b/config/filter.d/monitorix.conf
@@ -0,0 +1,27 @@
+# Fail2Ban filter for Monitorix (HTTP built-in server)
+#
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_daemon = monitorix-httpd
+
+# Option: failregex
+# Notes.: regex to match the password failures messages in the logfile. The
+# host must be matched by a group named "host". The tag "" can
+# be used for standard IP/hostname matching and is only an alias for
+# (?:::f{4,6}:)?(?P\S+)
+# Values: TEXT
+#
+failregex = NOTEXIST - \[\] .*
+ AUTHERR - \[\] .*
+ NOTALLOWED - \[\] .*
+
+# Option: ignoreregex
+# Notes.: regex to ignore. If this regex matches, the line is ignored.
+# Values: TEXT
+#
+ignoreregex =
diff --git a/config/jail.conf b/config/jail.conf
index c7177f13..02ce55f1 100644
--- a/config/jail.conf
+++ b/config/jail.conf
@@ -951,3 +951,8 @@ logpath = %(apache_error_log)s
 # see `filter.d/traefik-auth.conf` for details and service example.
 port = http,https
 logpath = /var/log/traefik/access.log
+
+
+[monitorix]
+port = 8080
+logpath = /var/log/monitorix-httpd

From 8b741129a51c98b6178f08bcca9af88a4486201f Mon Sep 17 00:00:00 2001
From: Jordi Sanfeliu
Date: Wed, 14 Apr 2021 11:26:52 +0200
Subject: [PATCH 2/5] Create monitorix-httpd

---
 fail2ban/tests/files/logs/monitorix-httpd | 10 ++++++++++
 1 file changed, 10 insertions(+)
 create mode 100644 fail2ban/tests/files/logs/monitorix-httpd
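Review bot: `_daemon = monitorix-httpd` and the `before = common.conf` include are dead configuration in this filter, because none of the three failregex lines reference `%(__prefix_line)s` — the only consumer of `_daemon` that common.conf provides — and the sample log added later in this series starts each line with a plain date rather than a syslog prefix. Either drop the two settings, or, if the intent is to also support syslog-forwarded lines, prefix each pattern with `%(__prefix_line)s` so the daemon name is actually matched. A short comment above `_daemon` stating which of the two is intended would stop the next reader from guessing, e.g. `# log lines are written directly by the built-in server (no syslog prefix); _daemon only matters if the log is routed through syslog`.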
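Review bot: The new `[monitorix]` jail is the only entry in this part of jail.conf without a descriptive comment, while the neighbouring traefik-auth jail points the reader at its filter file. Proposed line above `[monitorix]`: `# Monitorix built-in HTTP server; see filter.d/monitorix.conf for the matched messages.` Since `port = 8080` and `logpath = /var/log/monitorix-httpd` are fixed values, the comment could also tell admins to adjust both if their Monitorix instance listens on a different port or logs elsewhere — I cannot confirm from this hunk whether either is configurable on the Monitorix side, so phrase it as "adjust if changed in your Monitorix configuration".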
diff --git a/fail2ban/tests/files/logs/monitorix-httpd b/fail2ban/tests/files/logs/monitorix-httpd
new file mode 100644
index 00000000..3166dbd3
--- /dev/null
+++ b/fail2ban/tests/files/logs/monitorix-httpd
@@ -0,0 +1,10 @@
+Wed Apr 14 08:11:01 2021 - OK - [127.0.0.1] "GET /monitorix-cgi/monitorix.cgi - Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:87.0) Gecko/20100101 Firefox/87.0"
+Wed Apr 14 08:11:01 2021 - OK - [127.0.0.1] "GET /monitorix/css/black.css - Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:87.0) Gecko/20100101 Firefox/87.0"
+Wed Apr 14 08:11:01 2021 - OK - [127.0.0.1] "GET /monitorix/imgs/fs01.1day.png - Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:87.0) Gecko/20100101 Firefox/87.0"
+Wed Apr 14 08:11:02 2021 - OK - [127.0.0.1] "GET /monitorix/imgs/fs03.1day.png - Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:87.0) Gecko/20100101 Firefox/87.0"
+Wed Apr 14 08:11:02 2021 - OK - [127.0.0.1] "GET /monitorix/imgs/fs04.1day.png - Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:87.0) Gecko/20100101 Firefox/87.0"
+Wed Apr 14 08:11:02 2021 - OK - [127.0.0.1] "GET /monitorix/imgs/fs02.1day.png - Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:87.0) Gecko/20100101 Firefox/87.0"
+Wed Apr 14 08:54:22 2021 - NOTEXIST - [127.0.0.1] File does not exist: /manager/html
+Wed Apr 14 11:24:31 2021 - NOTALLOWED - [127.0.0.1] Access not allowed: /monitorix/
+Wed Apr 14 11:26:08 2021 - AUTHERR - [127.0.0.1] Authentication error: /monitorix/
+Wed Apr 14 11:26:09 2021 - AUTHERR - [127.0.0.1] Authentication error: /monitorix/

From 63b3f39adc7323873d7f558a6060f79ce3e9a273 Mon Sep 17 00:00:00 2001
From: Jordi Sanfeliu
Date: Wed, 14 Apr 2021 11:30:48 +0200
Subject: [PATCH 3/5] Rename monitorix-httpd to monitorix

---
 fail2ban/tests/files/logs/{monitorix-httpd => monitorix} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename fail2ban/tests/files/logs/{monitorix-httpd => monitorix} (100%)
diff --git a/fail2ban/tests/files/logs/monitorix-httpd b/fail2ban/tests/files/logs/monitorix
similarity index 100%
rename from fail2ban/tests/files/logs/monitorix-httpd
rename to fail2ban/tests/files/logs/monitorix

From b6fac90b5a57934749f30a0f9c626b075fcf51d8 Mon Sep 17 00:00:00 2001
From: Jordi Sanfeliu
Date: Wed, 14 Apr 2021 11:46:23 +0200
Subject: [PATCH 4/5] Update monitorix

---
 fail2ban/tests/files/logs/monitorix | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/fail2ban/tests/files/logs/monitorix b/fail2ban/tests/files/logs/monitorix
index 3166dbd3..e6ad6dc6 100644
--- a/fail2ban/tests/files/logs/monitorix
+++ b/fail2ban/tests/files/logs/monitorix
@@ -1,10 +1,8 @@
+# failJSON: { "time": "2021-04-14T08:11:01", "match": false, "desc": "should be ignored: successful request" }
 Wed Apr 14 08:11:01 2021 - OK - [127.0.0.1] "GET /monitorix-cgi/monitorix.cgi - Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:87.0) Gecko/20100101 Firefox/87.0"
-Wed Apr 14 08:11:01 2021 - OK - [127.0.0.1] "GET /monitorix/css/black.css - Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:87.0) Gecko/20100101 Firefox/87.0"
-Wed Apr 14 08:11:01 2021 - OK - [127.0.0.1] "GET /monitorix/imgs/fs01.1day.png - Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:87.0) Gecko/20100101 Firefox/87.0"
-Wed Apr 14 08:11:02 2021 - OK - [127.0.0.1] "GET /monitorix/imgs/fs03.1day.png - Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:87.0) Gecko/20100101 Firefox/87.0"
-Wed Apr 14 08:11:02 2021 - OK - [127.0.0.1] "GET /monitorix/imgs/fs04.1day.png - Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:87.0) Gecko/20100101 Firefox/87.0"
-Wed Apr 14 08:11:02 2021 - OK - [127.0.0.1] "GET /monitorix/imgs/fs02.1day.png - Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:87.0) Gecko/20100101 Firefox/87.0"
+# failJSON: { "time": "2021-04-14T08:54:22", "match": true, "host": "127.0.0.1", "desc": "file does not exist" }
 Wed Apr 14 08:54:22 2021 - NOTEXIST - [127.0.0.1] File does not exist: /manager/html
+# failJSON: { "time": "2021-04-14T11:24:31", "match": true, "host": "127.0.0.1", "desc": "access not allowed" }
 Wed Apr 14 11:24:31 2021 - NOTALLOWED - [127.0.0.1] Access not allowed: /monitorix/
+# failJSON: { "time": "2021-04-14T11:26:08", "match": true, "host": "127.0.0.1", "desc": "authentication error" }
 Wed Apr 14 11:26:08 2021 - AUTHERR - [127.0.0.1] Authentication error: /monitorix/
-Wed Apr 14 11:26:09 2021 - AUTHERR - [127.0.0.1] Authentication error: /monitorix/

From ab0847e2d59611dd81e2f6a1dd30c1f136dce958 Mon Sep 17 00:00:00 2001
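Review bot: The single `"match": false` case kept here only covers a benign OK line, so the fixture never pins the one negative case that matters for this filter: the request path and user-agent fields on OK lines are written from client-supplied data, and the filter's original unanchored `NOTEXIST - \[...\] .*` patterns would match those tokens wherever they appear on a line. Add a second `"match": false` line — an OK request whose quoted request/user-agent text happens to contain one of the keywords `NOTEXIST`, `AUTHERR` or `NOTALLOWED` followed by a bracketed address — with a `"desc"` such as `"should be ignored: keyword inside client-supplied request field"`. That turns the anchoring introduced by the last patch in this series into a regression test instead of an unverified property. Keeping the removed second AUTHERR line (with its own failJSON) would also be cheap coverage that repeated failures from one host each produce a match.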
From: "Sergey G. Brester"
Date: Wed, 14 Apr 2021 13:06:58 +0200
Subject: [PATCH 5/5] more precise anchored RE (also combining all 3 REs in a single regex)

---
 config/filter.d/monitorix.conf | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/config/filter.d/monitorix.conf b/config/filter.d/monitorix.conf
index 3979ed43..ff69f1bc 100644
--- a/config/filter.d/monitorix.conf
+++ b/config/filter.d/monitorix.conf
@@ -16,9 +16,7 @@ _daemon = monitorix-httpd
 # (?:::f{4,6}:)?(?P\S+)
 # Values: TEXT
 #
-failregex = NOTEXIST - \[\] .*
- AUTHERR - \[\] .*
- NOTALLOWED - \[\] .*
+failregex = ^(?:\s+-)?\s*(?:NOTEXIST|AUTHERR|NOTALLOWED) - \b
 
 # Option: ignoreregex
 # Notes.: regex to ignore. If this regex matches, the line is ignored.