[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Monit built-in Http log for fail2ban

From: Alex
Subject: Re: Monit built-in Http log for fail2ban
Date: Thu, 24 May 2012 12:25:20 +0300

Hello Martin,
I am sorry for the delay...
I did find some time to take some tests so,  I did notice that syslog stopped for some reason logging these failed login attempts after some time, up to a date they were working ok...
I changed the logfile to a custom one that logs the events now.
Anyway, unfortunately since the logging comes in a form of " Warning: Client '' supplied unknown user" there is no way to make it work. I should disable the proxy pass and the access the service from external ip so I can latter ban it...
Br Alex

Sent: Monday, April 30, 2012 5:15 PM
Subject: Re: Monit built-in Http log for fail2ban


the monit logfile is configured with "SET LOGFILE <path|SYSLOG>" … in your case the log goes to syslog, which decides to which file to log the message. Monit's internal webserver is proprietary implementation - it's not mongrel. The failed login attempts are logged with following messages:

    Warning: Client 'xyz' supplied unknown user 'cdb' accessing monit httpd
    Warning: Client 'xyz' supplied wrong password for user 'abc' accessing monit httpd


On Apr 26, 2012, at 2:54 PM, Alex wrote:

I have Setup monit on Centos system an I use on apache "ProxyPass /monit/ http://localhost:2812/" in order to access it
so the url is something like https://domanname/monit/
I would like to know is it is possible to protect that url via fail2ban.
I am searching to see if the - internal server ( mongerl as I read in the site) has some sort of log file for failed attempts like apaches "client <HOST>user  authentication failure" so I can catch them with a regex...
I use on the config
set daemon  60
set logfile syslog facility log_daemon
set mailserver localhost
set mail-format { from: address@hidden }
set alert address@hiddenomname
set httpd port 2812 ADDRESS localhost and
     PEMFILE  /var/certs/monit.pem
     allow adminname:pass
I did try to search for both the logs and mongerl proc but with not luck.
Is there someone who would know how to achieve that or perhaps could think of something else!
Br Alex

To unsubscribe:

To unsubscribe:

reply via email to

[Prev in Thread] Current Thread [Next in Thread]