Configure + Enable Monit Brute Force Protection with fail2ban

Monit is a great tool for WordPress self-hosting which will monitor your essential services like nginx, MariaDB MySQL, php5-fpm, Varnish, Redis, memcached and basically anything running on your VPS or dedicated server. Monit does allow whitelisting so that only certain IP addresses or dynamic DNS addresses are allowed to access the Monit web interface. If you want to access Monit from other computers and do not want to whitelist those IPs specifically, you can use fail2ban to block users’ brute force attack attempts.

If you need to install Monit on your VPS or dedicated server see this guide.

If you would like to be able to access Monit from any computer, check your Monit log (/var/log/monit.log) for failed login attempts

cat /var/log/monit.log

Failed Monit login attempts will look something like this

Warning: Client '192.168.60.1' supplied unknown user 'test' accessing monit httpd
Warning: Client '192.168.60.1' supplied wrong password for user 'admin' accessing monit httpd

Update your repositories and install fail2ban

sudo apt-get update
sudo apt-get install fail2ban -y

Create the Monit fail2ban Filter

Create the Monit filter

sudo nano /etc/fail2ban/filter.d/monit-auth.conf

This Monit fail2ban regular expression matches both failed login attempt types: wrong passwords and unknown users

[Definition]
failregex = Warning\: Client '<HOST>' supplied.* accessing monit httpd

Now you need to generate some login failures for the Monit log file. Make some attempts with the correct username but a wrong password, and some with an incorrect user and an incorrect password.

You can test the fail2ban regular expression filter you created with this command

fail2ban-regex /var/log/monit.log /etc/fail2ban/filter.d/monit-auth.conf

You will get a nice little report

Running tests
=============

Use failregex file : /etc/fail2ban/filter.d/monit-auth.conf
Use log file : /var/log/monit.log

Results
=======

Failregex: 19 total
|- #) [# of hits] regular expression
| 1) [19] Warning\: Client '<HOST>' supplied.* accessing monit httpd
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
| [74] WEEKDAY MONTH Day Hour:Minute:Second
`-

Lines: 74 lines, 0 ignored, 19 matched, 55 missed

Create fail2ban Jail for Monit

Create the fail2ban jail folder in case it doesn’t exist

sudo mkdir -p /etc/fail2ban/jail.d

Create a Monit fail2ban jail

sudo nano /etc/fail2ban/jail.d/monit-auth.conf

Paste this Monit fail2ban jail, which monitors your Monit log file and bans users on port 2812 if there are 3 failed login attempts. Users are banned for 60 seconds, which you are welcome to increase.

[monit-auth]
enabled = true
filter = monit-auth
port = 2812
logpath = /var/log/monit*.log
bantime = 60
maxretry = 3

Now you can restart fail2ban

sudo service fail2ban restart

Now Monit brute force protection is configured and enabled using fail2ban
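
To see what the filter and jail above do with a log, this Python sketch (an added example, not part of the original guide or of fail2ban itself) applies the same failregex to constructed log lines and lists the hosts that reach maxretry. It assumes a simplified IPv4-only stand-in for <HOST> and ignores fail2ban's findtime window; the timestamp prefix and the second client address are made up.

```python
import re
from collections import Counter

# failregex copied from /etc/fail2ban/filter.d/monit-auth.conf above.
FAILREGEX = r"Warning\: Client '<HOST>' supplied.* accessing monit httpd"

# Assumption: fail2ban expands <HOST> to its own host pattern; a simplified
# IPv4-only group stands in for it here.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
PATTERN = re.compile(FAILREGEX.replace("<HOST>", HOST))

MAXRETRY = 3  # same threshold as the jail above

# Constructed sample log. The timestamp prefix is a placeholder, not Monit's
# exact format; 203.0.113.5 is a documentation address.
SAMPLE_LOG = """\
Jan  5 10:00:01 'nginx' process is running with pid 1234
Jan  5 10:00:07 Warning: Client '192.168.60.1' supplied unknown user 'test' accessing monit httpd
Jan  5 10:00:09 Warning: Client '192.168.60.1' supplied wrong password for user 'admin' accessing monit httpd
Jan  5 10:00:12 Warning: Client '203.0.113.5' supplied wrong password for user 'admin' accessing monit httpd
Jan  5 10:00:15 Warning: Client '192.168.60.1' supplied wrong password for user 'admin' accessing monit httpd
"""


def failures_per_host(log_text):
    """Count lines matching the failregex, grouped by client address."""
    counts = Counter()
    for line in log_text.splitlines():
        match = PATTERN.search(line)
        if match:
            counts[match.group("host")] += 1
    return counts


def hosts_to_ban(log_text, maxretry=MAXRETRY):
    """Hosts whose failure count reaches maxretry (findtime is ignored)."""
    counts = failures_per_host(log_text)
    return sorted(host for host, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    for host, n in failures_per_host(SAMPLE_LOG).items():
        print(f"{host}: {n} failed logins")
    print("would be banned:", hosts_to_ban(SAMPLE_LOG))
```
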

Check Current fail2ban Status for Monit Brute Force Protection

You can view the current banned IP addresses with fail2ban using this command

sudo fail2ban-client status monit-auth

You will get output like this

Status for the jail: monit-auth
|- filter
|  |- File list:        /var/log/monit.log
|  |- Currently failed: 0
|  `- Total failed:     3
`- action
   |- Currently banned: 1
   |  `- IP list:       192.168.60.1
   `- Total banned:     1