
Add new jail (and filter) Monitorix #2679

Merged
merged 6 commits into from May 27, 2021

Conversation

@mikaku (Contributor) commented Apr 4, 2020

Please, consider adding this filter to fail2ban.
Thanks.

@sebres force-pushed the master branch 5 times, most recently from fe8a9d2 to 9d77fb2, November 3, 2020 14:38

@mikaku (Contributor, Author) commented Apr 13, 2021

I've double-checked my commit and I can't find anything wrong in it.
Any idea why all these checks are failing?

@sebres (Contributor) commented Apr 13, 2021

> Any idea why all these checks are failing?

Test cases for every filter are mandatory, you have to add fail2ban/fail2ban/tests/files/logs/monitorix with log lines (and failJSON) the filter must match.

@mikaku (Contributor, Author) commented Apr 14, 2021

> Test cases for every filter are mandatory, you have to add fail2ban/fail2ban/tests/files/logs/monitorix with log lines (and failJSON) the filter must match.

Thank you very much for your advice and assistance.
What is the purpose of failJSON lines and how should I create them?

After looking into other log files, I think I have figured how it works.

@coveralls commented Apr 14, 2021

Coverage decreased (-0.4%) to 97.645% when pulling ab0847e on mikaku:updated-to-latest-jail.conf into 6893d5a on fail2ban:master.

@mikaku (Contributor, Author) commented Apr 14, 2021

How can I fix the last two checks?

@sebres (Contributor) commented Apr 14, 2021

I rewrote failregex to a single, much more precise (anchoring, etc.) regex.

> How can I fix the last two checks?

You cannot, but it is not your issue - Travis CI (and, related to that, coveralls) still has some incorrect config, which targets unsupported versions of Python there.

@mikaku (Contributor, Author) commented Apr 14, 2021

> I rewrote failregex to a single, much more precise (anchoring, etc.) regex.

OK, thanks. This regex looks different from how it was before.
Is there any fail2ban documentation where I can read more about the regex being used?

@sebres (Contributor) commented Apr 14, 2021

> Is there any fail2ban documentation where I can read more about the regex being used?

As for the special fail2ban-related stuff, e.g. interpolated tags like <ADDR> etc., see

fail2ban/man/jail.conf.5, lines 474 to 497 in 6893d5a:

.B failregex
is the regex (\fBreg\fRular \fBex\fRpression) that will match failed attempts. The standard replacement tags can be used as part of the regex:
.RS
.IP
\fI<HOST>\fR - common regex for IP addresses and hostnames (if \fBusedns\fR is enabled). Fail2Ban will work out which one of these it actually is.
.IP
\fI<ADDR>\fR - regex for IP addresses (both families).
.IP
\fI<IP4>\fR - regex for IPv4 addresses.
.IP
\fI<IP6>\fR - regex for IPv6 addresses (also IP enclosed in brackets).
.IP
\fI<DNS>\fR - regex to match hostnames.
.IP
\fI<CIDR>\fR - helper regex to match CIDR (simple integer form of net-mask).
.IP
\fI<SUBNET>\fR - regex to match sub-net addresses (in the form IP/CIDR; a single IP is also matched, so the /CIDR part is optional).
.PP
\fBNOTE:\fR the \fBfailregex\fR will be applied to the remaining part of the message after \fBprefregex\fR processing (if specified), which in turn takes place after \fBdatepattern\fR processing (whereby the timestamp string matching the best pattern is cut out of the message).
.PP
For multiline regexes (parsing with \fImaxlines\fR greater than 1) the tag \fI<SKIPLINES>\fR can be used to separate lines. This allows lines between the matched lines to continue to be searched for other failures. The tag can be used multiple times.
.br
This is an obsolete handling and if the lines contain some common identifier, better would be to use new handling (with tags \fI<F-MLFID>...<F-MLFID/>\fR).
.RE

or even man jail.conf.5.

As for the regex syntax itself (PCRE, or rather Python regular expressions), see Regular Expression Syntax in the Python documentation.

@mikaku (Contributor, Author) commented Apr 14, 2021

Thank you very much.

@mikaku (Contributor, Author) commented Apr 14, 2021

> I rewrote failregex to a single, much more precise (anchoring, etc.) regex.

After reading jail.conf.5 I don't see that the tag <ADDR> takes square brackets as part of the RE to detect IP addresses.
Shouldn't the RE be rewritten like this? ...AUTHERR|NOTALLOWED) - \[<ADDR>\]\b

@sebres (Contributor) commented Apr 14, 2021

> Shouldn't the RE be rewritten like this? ...AUTHERR|NOTALLOWED) - \[<ADDR>\]\b

No, it should not (as you can see, the tests are passing).
It can be considered a lack of documentation, but it does add optional brackets on the left and right.

R_HOST[RI_ADDR] = r"\[?(?:%s|%s)\]?" % (R_HOST[RI_IPV4], R_HOST[RI_IPV6],)
R_HOST[RI_HOST] = r"(?:%s|%s)" % (R_HOST[RI_ADDR], R_HOST[RI_DNS],)
R_HOST[RI_SUBNET] = r"\[?(?:%s|%s)(?:/%s)?\]?" % (R_HOST[RI_IPV4], R_HOST[RI_IPV6], R_HOST[RI_CIDR],)

Added in e5d02bc (and #2560) and released with 0.10.5 and 0.11.1.
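To make the two points above concrete (the failJSON test-case syntax sebres asked for earlier in the thread, and the optional brackets that <ADDR> already carries), here is a small stand-alone Python example. It is added here and is not fail2ban's own code: the IPv4/IPv6 sub-patterns are simplified stand-ins for R_HOST[RI_IPV4] and R_HOST[RI_IPV6], the capture-group name host, the timestamp stripping and the Monitorix-like message format are all hypothetical choices of this example, and the log lines are constructed.

```python
"""Toy re-implementation of two things discussed in this PR: expanding the
<ADDR> tag (optional surrounding brackets) and running failJSON test cases
from a fail2ban-style test log. Example code, not fail2ban's own."""
import json
import re

# Assumption: simplified IPv4/IPv6 sub-patterns; fail2ban's real
# R_HOST[RI_IPV4] / R_HOST[RI_IPV6] are much stricter than these.
IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
IPV6 = r"(?:[0-9a-fA-F]{0,4}:){2,7}[0-9a-fA-F]{0,4}"

# Same shape as the R_HOST[RI_ADDR] line quoted above: a bracket is optional
# on both sides of either address family.
ADDR = r"\[?(?:%s|%s)\]?" % (IPV4, IPV6)

# Stand-in for datepattern processing: fail2ban cuts the timestamp out of
# the message before failregex is applied. This format is constructed.
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} - ")


def expand_tags(failregex):
    """Replace <ADDR> with a named group. The group name 'host' is this
    example's choice, not necessarily fail2ban's internal naming."""
    return re.compile(failregex.replace("<ADDR>", "(?P<host>%s)" % ADDR))


def match_line(compiled, logline):
    """Return the bare address if the line matches, else None."""
    stripped = DATE_RE.sub("", logline, count=1)
    m = compiled.search(stripped)
    if not m:
        return None
    # fail2ban reports the address without the brackets; do the same here.
    return m.group("host").strip("[]")


def parse_failjson(text):
    """Yield (expected_dict, logline) pairs from fail2ban test-log syntax:
    a '# failJSON: {...}' comment describes the log line that follows it."""
    expected = None
    for line in text.splitlines():
        if line.startswith("# failJSON:"):
            expected = json.loads(line[len("# failJSON:"):])
        elif line.startswith("#") or not line.strip():
            continue
        elif expected is not None:
            yield expected, line
            expected = None


def check_testcases(text, failregex):
    """Run every failJSON case; return a list of human-readable failures
    (an empty list means the filter behaves exactly as the test log demands)."""
    compiled = expand_tags(failregex)
    failures = []
    for expected, logline in parse_failjson(text):
        host = match_line(compiled, logline)
        if expected["match"] and host != expected.get("host"):
            failures.append("expected host %r, got %r: %s"
                            % (expected.get("host"), host, logline))
        elif not expected["match"] and host is not None:
            failures.append("unexpected match %r: %s" % (host, logline))
    return failures


# Constructed sample in fail2ban test-log syntax. The message format is
# hypothetical and is NOT Monitorix's real log format.
SAMPLE_LOG = """\
# failJSON: { "time": "2021-04-14T10:11:12", "match": true , "host": "192.0.2.10" }
2021-04-14 10:11:12 - AUTHERR - [192.0.2.10] - user:admin
# failJSON: { "time": "2021-04-14T10:11:13", "match": true , "host": "2001:db8::1" }
2021-04-14 10:11:13 - NOTALLOWED - [2001:db8::1] - user:admin
# failJSON: { "time": "2021-04-14T10:11:14", "match": true , "host": "198.51.100.7" }
2021-04-14 10:11:14 - AUTHERR - 198.51.100.7 - user:guest
# failJSON: { "time": "2021-04-14T10:11:15", "match": false }
2021-04-14 10:11:15 - OK - [192.0.2.10] - user:admin
"""

# Anchored regex relying on the optional brackets built into <ADDR> ...
FAILREGEX = r"^(?:AUTHERR|NOTALLOWED) - <ADDR> - user:\S+$"
# ... versus the explicitly bracketed variant proposed in the thread, which
# still matches bracketed addresses but can no longer match a bare one.
FAILREGEX_BRACKETED = r"^(?:AUTHERR|NOTALLOWED) - \[<ADDR>\] - user:\S+$"

if __name__ == "__main__":
    for name, rx in (("<ADDR>", FAILREGEX), ("\\[<ADDR>\\]", FAILREGEX_BRACKETED)):
        problems = check_testcases(SAMPLE_LOG, rx)
        print(name, "OK" if not problems else problems)
```

Running it shows the plain <ADDR> form passing all four constructed cases while the \[<ADDR>\] form fails the unbracketed one. In the real project the equivalent check is what the test suite performs over the files under fail2ban/tests/files/logs/, and a filter can be tried interactively against a log with fail2ban-regex.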

@mikaku (Contributor, Author) commented Apr 14, 2021

That cleared it up.
Thanks.

@mikaku (Contributor, Author) commented Apr 21, 2021

Please, let me know if I need to do anything more in this PR to be merged.
Thanks.

@sebres sebres merged commit 3d52fe3 into fail2ban:master May 27, 2021