> On 29 Aug 2017, at 20:53, Cyril M. <mirt...@mirtouf.fr> wrote:
>
> Hello Martin,
>
> On 29/08/2017 at 20:31, mart...@tildeslash.com wrote:
>>
>> Hello Cyril,
>>
>> please make sure your monit CLI matches the monit daemon version - some
>> users had multiple Monit installations (for example one via debian package,
>> second compiled from the source code directly). If the client or server
>> version is < 5.21.0, the CSRF protection will reject the client:
>>
>> find / -name monit -type f -ls -exec {} -V \; 2>/dev/null
>>
>> Best regards,
>> Martin
>>
> The problem arose straight after a fresh install of monit; I never
> compiled monit on this machine nor tried to use 2 versions at the same time.
> I only use the debian package.
>
> find / -name monit -type f -ls -exec {} -V \; 2>/dev/null
> 2101535 4 -rwxr-xr-x 1 root root 2664 Jan 11 2017 /etc/init.d/monit
> [info] Usage: /etc/init.d/monit {start|stop|reload|restart|force-reload|syntax|status}.
> 2101560 4 -rw-r--r-- 1 root root 100 Jan 11 2017 /etc/pam.d/monit
> 2101534 4 -rw-r--r-- 1 root root 204 Jan 11 2017 /etc/default/monit
> 2101536 4 -rw-r--r-- 1 root root 268 Jan 11 2017 /etc/logrotate.d/monit
> 538327 660 -rwxr-xr-x 1 root root 674488 Jan 11 2017 /usr/bin/monit
> This is Monit version 5.20.0
> Built with ssl, with ipv6, with compression, with pam and with large files
> Copyright (C) 2001-2016 Tildeslash Ltd. All Rights Reserved.
> 538328 4 -rwxr-xr-x 1 root root 386 Jan 11 2017 /usr/share/bug/monit
> 662226 4 -rw-r--r-- 1 root root 554 Jan 11 2017 /usr/share/lintian/overrides/monit
> 793090 4 -rw-r--r-- 1 root root 2172 Dec 9 2016 /usr/lib/python3/dist-packages/fail2ban/tests/files/logs/monit
>
> Regards,
> Cyril

Thanks for the data. According to the output, the installed Monit version is 5.20.0 (the first version with CSRF protection).

The CSRF cookie in 5.20.0 was position dependent (https://bitbucket.org/tildeslash/monit/issues/495/invalid-csrf-check). The problem was fixed in Monit 5.21.0.

Best regards,
Martin
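
An added illustration, not part of this thread and not Monit's source code: one way a CSRF cookie check can be position dependent, next to a lookup that walks the whole `Cookie` header. The cookie name `securitytoken`, the function names and the sample headers are assumptions constructed for the example.

```c
#include <stdio.h>
#include <string.h>

#define TOKEN_NAME "securitytoken"   /* assumed cookie name, for illustration */

/* Position-dependent: finds the token only when it is the first cookie. */
int token_first_only(const char *hdr, char *out, size_t outlen) {
    size_t n = strlen(TOKEN_NAME);
    if (strncmp(hdr, TOKEN_NAME, n) != 0 || hdr[n] != '=') return 0;
    size_t len = strcspn(hdr + n + 1, ";");
    if (len == 0 || len >= outlen) return 0;
    memcpy(out, hdr + n + 1, len);
    out[len] = '\0';
    return 1;
}

/* Position-independent: walks every ';'-separated name=value pair. */
int token_any_position(const char *hdr, char *out, size_t outlen) {
    size_t n = strlen(TOKEN_NAME);
    for (const char *p = hdr; *p; ) {
        while (*p == ' ' || *p == ';') p++;          /* skip separators */
        size_t pair = strcspn(p, ";");               /* length of this pair */
        if (pair > n + 1 && strncmp(p, TOKEN_NAME, n) == 0 && p[n] == '=') {
            size_t len = pair - n - 1;
            if (len >= outlen) return 0;
            memcpy(out, p + n + 1, len);
            out[len] = '\0';
            return 1;
        }
        p += pair;
    }
    return 0;
}

/* Compare the cookie token with the token submitted in the request.
 * A production check would use a constant-time comparison here. */
int csrf_check(const char *hdr, const char *submitted, int first_only) {
    char tok[128];
    int found = first_only ? token_first_only(hdr, tok, sizeof tok)
                           : token_any_position(hdr, tok, sizeof tok);
    return found && strcmp(tok, submitted) == 0;
}

int main(void) {
    /* Constructed headers: the same cookies in a different order. */
    const char *a = "securitytoken=abc123; lang=en";
    const char *b = "lang=en; securitytoken=abc123";
    printf("first-only: a=%d b=%d\n", csrf_check(a, "abc123", 1), csrf_check(b, "abc123", 1));
    printf("any-pos:    a=%d b=%d\n", csrf_check(a, "abc123", 0), csrf_check(b, "abc123", 0));
    return 0;
}
```

With the first-only lookup, a valid request is rejected whenever the client sends another cookie ahead of the token, which is why a client can fail the check without any version mismatch.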