From 7d112430caabfb6f5922545adca77b1a210a3185 Mon Sep 17 00:00:00 2001
From: Jason Martin
Date: Wed, 16 Apr 2014 21:21:41 -0700
Subject: [PATCH 1/3] Block brute-force attempts against the Monit gui

---
 config/filter.d/monit.conf | 18 ++++++++++++++++++
 config/jail.conf | 6 ++++++
 2 files changed, 24 insertions(+)
 create mode 100644 config/filter.d/monit.conf

diff --git a/config/filter.d/monit.conf b/config/filter.d/monit.conf
new file mode 100644
index 00000000..f32eae61
--- /dev/null
+++ b/config/filter.d/monit.conf
@@ -0,0 +1,18 @@
+# Fail2Ban filter for monit.conf, looks for failed access attempts
+#
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+# Samples:
+# [PDT Apr 16 20:59:11] error : Warning: Client '1.2.3.4' supplied unknown user 'foo' accessing monit httpd
+# [PDT Apr 16 20:59:33] error : Warning: Client '1.2.3.4' supplied wrong password for user 'admin' accessing monit httpd
+
+failregex = Warning: Client '' supplied
+
+ignoreregex =
diff --git a/config/jail.conf b/config/jail.conf
index 96b3096f..7f7a7cbe 100644
--- a/config/jail.conf
+++ b/config/jail.conf
@@ -366,6 +366,12 @@ maxretry = 5
 port = http,https
 logpath = /var/log/tomcat*/catalina.out
+[monit]
+#Ban clients brute-forcing the monit gui login
+filter = monit
+port = 2812
+logpath = /var/log/monit
+
 [webmin-auth]

From 72bfd1433032c8790d2f5add267076798eed7ce5 Mon Sep 17 00:00:00 2001
From: Jason Martin
Date: Sat, 19 Apr 2014 12:58:03 -0700
Subject: [PATCH 2/3] Tidy up filter.d/monit.conf, make regex more complete. Add ChangeLog / THANKS entry. Add test cases.

---
 ChangeLog | 1 +
 THANKS | 1 +
 config/filter.d/monit.conf | 13 ++-----------
 fail2ban/tests/files/logs/monit | 6 ++++++
 4 files changed, 10 insertions(+), 11 deletions(-)
 create mode 100644 fail2ban/tests/files/logs/monit

diff --git a/ChangeLog b/ChangeLog
index 66df9639..7113d431 100644
--- a/ChangeLog
+++ b/ChangeLog
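Review bot: `logpath = /var/log/monit` in the new `[monit]` stanza hard-codes a single location, but monit logs wherever `set logfile` in monitrc points, and packaged installs on some distributions (Debian-derived ones, I believe) default to `/var/log/monit.log`, so on those systems the jail never sees the failed logins it is meant to ban. Since `logpath` accepts several paths on indented continuation lines, listing `/var/log/monit.log` as a second entry would cover the common layouts; failing that, a comment above the key such as `# must match 'set logfile' in monitrc` makes the dependency visible. `port = 2812` is monit's built-in httpd default and carries the same caveat when `set httpd port` is changed. The `#Ban clients ...` comment would read more consistently as `# Ban clients ...`.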
@@ -21,6 +21,7 @@ ver. 0.9.1 (2014/xx/xx) - better, faster, stronger
 * Nginx filter to support missing server_name. Closes gh-676
 - New features:
+ - Added monit filter thanks Jason H Martin.
 - Enhancements
diff --git a/THANKS b/THANKS
index 2c084dee..27165492 100644
--- a/THANKS
+++ b/THANKS
@@ -48,6 +48,7 @@ Ivo Truxa
 John Thoe
 Jacques Lav!gnotte
 Ioan Indreias
+Jason H Martin
 Jonathan Kamens
 Jonathan Lanning
 Jonathan Underwood
diff --git a/config/filter.d/monit.conf b/config/filter.d/monit.conf
index f32eae61..04d01b20 100644
--- a/config/filter.d/monit.conf
+++ b/config/filter.d/monit.conf
@@ -2,17 +2,8 @@
 #
 #
-[INCLUDES]
-
-# Read common prefixes. If any customizations available -- read them from
-# common.local
-before = common.conf
-
 [Definition]
-# Samples:
-# [PDT Apr 16 20:59:11] error : Warning: Client '1.2.3.4' supplied unknown user 'foo' accessing monit httpd
-# [PDT Apr 16 20:59:33] error : Warning: Client '1.2.3.4' supplied wrong password for user 'admin' accessing monit httpd
-failregex = Warning: Client '' supplied
+failregex = \]\s*error\s*:\s*Warning:\s+Client '' supplied unknown user '\w+' accessing monit httpd$
+ \]\s*error\s*:\s*Warning:\s+Client '' supplied wrong password for user '\w+' accessing monit httpd$
-ignoreregex =
diff --git a/fail2ban/tests/files/logs/monit b/fail2ban/tests/files/logs/monit
new file mode 100644
index 00000000..a923b6e2
--- /dev/null
+++ b/fail2ban/tests/files/logs/monit
@@ -0,0 +1,6 @@
+# failJSON: { "time": "2005-04-16T21:05:29", "match": true , "host": "69.93.127.111" }
+[PDT Apr 16 21:05:29] error : Warning: Client '69.93.127.111' supplied unknown user 'foo' accessing monit httpd
+
+# failJSON: { "time": "2005-04-16T20:59:33", "match": true , "host": "97.113.189.111" }
+[PDT Apr 16 20:59:33] error : Warning: Client '97.113.189.111' supplied wrong password for user 'admin' accessing monit httpd
+

From 9c3cb31862f8e0b31d12f0d02a9d114979cf3cd6 Mon Sep 17 00:00:00 2001
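Review bot: The monit.conf hunk removes `ignoreregex =` along with the sample comments, so the filter no longer declares an ignore pattern at all, whereas the previous version of this file did; even if the filter reader tolerates the missing key, keeping `ignoreregex =` below the two `failregex` lines is the hook an administrator overrides from a `.local` file and keeps the file shaped like its first version. Dropping `[INCLUDES]` and `before = common.conf` is fine, since neither pattern references anything from common.conf. The two patterns differ only after `supplied`, so they could be one line, e.g. `... supplied (?:unknown user|wrong password for user) '\w+' accessing monit httpd$`; that is a style preference, not a defect. The `#` lines at the top of the file now carry no content; a one-line description of the log format being matched would serve the next maintainer better than two empty comment lines.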
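Review bot: Both samples in the new fixture are `"match": true`, so nothing here exercises what the patterns must not match — one ordinary `error :` line from the same daemon under a `# failJSON: { "match": false }` marker would make the stricter anchoring of the following commit verifiable rather than cosmetic. The `2005` year in the `time` fields is presumably the year the test harness assumes for a log format that carries none; a one-line comment at the top of the file saying so would spare the next reader the puzzle.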
From: Jason Martin
Date: Tue, 22 Apr 2014 21:29:52 -0700
Subject: [PATCH 3/3] Even stricter monit regex, now covers entire line

---
 config/filter.d/monit.conf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/config/filter.d/monit.conf b/config/filter.d/monit.conf
index 04d01b20..1fcd980b 100644
--- a/config/filter.d/monit.conf
+++ b/config/filter.d/monit.conf
@@ -4,6 +4,6 @@
 [Definition]
-failregex = \]\s*error\s*:\s*Warning:\s+Client '' supplied unknown user '\w+' accessing monit httpd$
- \]\s*error\s*:\s*Warning:\s+Client '' supplied wrong password for user '\w+' accessing monit httpd$
+failregex = ^\[[A-Z]+\s+\]\s*error\s*:\s*Warning:\s+Client '' supplied unknown user '\w+' accessing monit httpd$
+ ^\[[A-Z]+\s+\]\s*error\s*:\s*Warning:\s+Client '' supplied wrong password for user '\w+' accessing monit httpd$
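Review bot: The user capture `'\w+'` in both new `failregex` lines matches only `[A-Za-z0-9_]`, so an attempt made with a user name containing `.`, `-` or `@`, or with an empty user name, is logged by monit but never counted by this filter; `'[^']*'` accepts whatever monit wrote between the quotes, i.e. `supplied unknown user '[^']*' accessing` and `wrong password for user '[^']*' accessing`. The leading `^\[[A-Z]+\s+\]` reads as if the timestamp were missing; presumably the date portion is cut out of the line before failregex is applied, leaving something like `[PDT ]`, and a comment above `failregex` stating that would keep a future maintainer from "fixing" it. The host between `Client '` and `' supplied` renders empty on this page; the host placeholder presumably occupies that spot in the file itself.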