monit-general

Re: [monit] Blocking specific GET requests to M/Monit


From: Jan-Henrik Haukeland
Subject: Re: [monit] Blocking specific GET requests to M/Monit
Date: Tue, 03 Feb 2009 08:21:29 +0100

I second Aleksander's suggestions. Another alternative is to set up Apache in front of M/Monit as a proxy. I strongly recommend NOT exposing the mmonit server to the wild. Most importantly, since mmonit does not yet support SSL, login will be done in cleartext over the wire, which is very bad. Also, as a general security rule, tools like M/Monit should NOT be directly accessible from the cloud.

To set up Apache to proxy mmonit, you can add something like this to httpd.conf:

# Proxy mmonit (requires mod_proxy and mod_proxy_http)
# Reverse proxy only: never let Apache act as an open forward proxy
ProxyRequests Off
ProxyPass /mmonit/ http://localhost:8080/
ProxyPassReverse /mmonit/ http://localhost:8080/
# The Location must match the ProxyPass prefix (/mmonit/, not /monit/)
<Location /mmonit/>
        # Apache 2.2 access control: with "Order deny,allow" a matching
        # "Allow" wins, so "Allow from all" still admits .example.com;
        # to really restrict, use "Deny from all" plus "Allow from <range>"
        Order deny,allow
        Deny from .example.com
        Allow from all
</Location>

Using M/Monit behind an Apache proxy also has the added benefit that you can use SSL in Apache. This means that all communication between mmonit and clients is encrypted in the cloud, which means that login also will be secure.

Jan-Henrik

On 2. feb. 2009, at 22.17, Aleksander Kamenik wrote:

Christopher Opena wrote:
Hey everyone, just checking in to see if anyone else has had similar experiences with bots attempting to GET the usual 'azenv.php' and 'prx1.php' files in order to use them as proxies. I use mod_security in Apache to block these requests and also disable proxies in httpd.conf, but I'm not entirely sure how to go about doing this in M/Monit. My M/Monit site has its web UI open to the internet since we have a fairly mobile set of people accessing it from multiple networks (cafes, wifi, home, etc.)

I hope you're running on HTTPS then. And even so, I wouldn't trust internet cafes etc. as they still might be recording your passwords.

The real solution to your real problem is setting up a VPN (I'd recommend OpenVPN) and providing your people with a trusted inet enabled device. 404 requests to your server are not a problem.
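A fuller version of the proxy setup Jan-Henrik describes, as an added example that is not part of the original thread: an Apache 2.2 virtual host that terminates SSL, refuses forward-proxy requests, proxies only /mmonit/ to an M/Monit bound to localhost, and limits that path to a trusted network. The hostname, certificate paths and the 192.0.2.0/24 range are placeholders.

```apache
# Added example, not from the thread. Requires mod_proxy, mod_proxy_http
# and mod_ssl. Apache 2.2 access-control syntax (Order/Deny/Allow).

# Never act as a forward proxy: bots probing for azenv.php / prx1.php
# are looking for exactly that.
ProxyRequests Off

# Plain HTTP only redirects to HTTPS, so a login never travels in cleartext.
<VirtualHost *:80>
    ServerName mmonit.example.com
    Redirect permanent / https://mmonit.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName mmonit.example.com
    SSLEngine on
    # Placeholder certificate paths
    SSLCertificateFile    /etc/apache2/ssl/mmonit.crt
    SSLCertificateKeyFile /etc/apache2/ssl/mmonit.key

    # Reverse-proxy the M/Monit UI; mmonit itself listens on 127.0.0.1:8080
    # and is not reachable from outside the host.
    ProxyPass        /mmonit/ http://localhost:8080/
    ProxyPassReverse /mmonit/ http://localhost:8080/

    # Default for the whole site: deny everything, so stray probe paths
    # get 403 rather than being forwarded anywhere.
    <Location />
        Order deny,allow
        Deny from all
    </Location>

    # Later Location sections override earlier ones: open /mmonit/ only to
    # the VPN or office range (placeholder network).
    <Location /mmonit/>
        Order deny,allow
        Deny from all
        Allow from 192.0.2.0/24
    </Location>
</VirtualHost>
```

Mobile users then reach the UI through the VPN Aleksander suggests, which keeps the allow-list to a single trusted range instead of "Allow from all".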