WP fail2ban
Nothing blocked, don't understand why. (3 posts)

  1. VirtualCed
    Member
    Posted 1 year ago #

    Hello,

    I've had some difficulties installing the plugin (for the fail2ban part, not for the plugin itself), so I'm looking for your help.

    In my /etc/fail2ban/filters.d I've put the wordpress.conf.
    In my /etc/fail2ban/jail.conf I've added

    [wordpress]
    
    enabled = true
    filter = wordpress
    logpath = /var/log/auth.log
    port    = http
    maxretry = 6

    When launching a fail2ban-regex on auth.log with wordpress.conf as filter I have

    Running tests
    =============
    
    Use regex file : filter.d/wordpress.conf
    Use log file   : /var/log/auth.log
    
    Results
    =======
    
    Failregex
    |- Regular expressions:
    |  [1] ^\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?wordpress(?:\(\S+\))?[\]\)]?:?|[\[\(]?wordpress(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*Authentication failure for .* from <HOST>$
    |
    - Number of matches:
    [1] 22 match(es)

    Ignoreregex
    |- Regular expressions:
    |

    - Number of matches:
    
    Summary
    =======
    
    Addresses found:
    [1]
        194.154.219.97 (Thu Feb 07 08:42:35 2013)
        195.46.235.88 (Thu Feb 07 08:57:13 2013)
        195.46.235.88 (Thu Feb 07 08:57:43 2013)
        176.123.0.104 (Thu Feb 07 08:58:27 2013)
        176.123.0.105 (Thu Feb 07 08:58:27 2013)
        176.123.0.99 (Thu Feb 07 08:58:28 2013)
        176.123.0.103 (Thu Feb 07 09:05:51 2013)
        176.123.0.103 (Thu Feb 07 09:13:15 2013)
        176.123.0.110 (Thu Feb 07 09:16:28 2013)
        176.123.0.110 (Thu Feb 07 09:23:01 2013)
        188.143.232.45 (Thu Feb 07 09:58:29 2013)
        188.143.232.45 (Thu Feb 07 09:58:30 2013)
        195.46.235.88 (Thu Feb 07 10:14:23 2013)
        195.46.235.88 (Thu Feb 07 10:16:07 2013)
        173.254.28.21 (Thu Feb 07 14:02:33 2013)
        203.206.167.242 (Thu Feb 07 15:47:37 2013)
        217.58.114.252 (Thu Feb 07 15:48:48 2013)
        205.178.145.64 (Thu Feb 07 21:29:00 2013)
        75.126.152.226 (Thu Feb 07 21:45:47 2013)
        78.137.164.71 (Thu Feb 07 21:53:55 2013)
        213.251.189.205 (Thu Feb 07 23:22:03 2013)
        188.143.232.224 (Fri Feb 08 01:39:53 2013)
    
    Date template hits:
    3711 hit(s): MONTH Day Hour:Minute:Second
    0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
    0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
    0 hit(s): Year/Month/Day Hour:Minute:Second
    0 hit(s): Day/Month/Year Hour:Minute:Second
    0 hit(s): Day/Month/Year Hour:Minute:Second
    0 hit(s): Day/MONTH/Year:Hour:Minute:Second
    0 hit(s): Month/Day/Year:Hour:Minute:Second
    0 hit(s): Year-Month-Day Hour:Minute:Second
    0 hit(s): Year.Month.Day Hour:Minute:Second
    0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
    0 hit(s): Day-Month-Year Hour:Minute:Second
    0 hit(s): TAI64N
    0 hit(s): Epoch
    0 hit(s): ISO 8601
    0 hit(s): Hour:Minute:Second
    0 hit(s): <Month/Day/Year@Hour:Minute:Second>
    
    Success, the total number of match is 22
    
    However, look at the above section 'Running tests' which could contain important
    information.

    In my fail2ban.log I have

    2013-02-07 10:13:48,877 fail2ban.jail   : INFO   Creating new jail 'wordpress'
    2013-02-07 10:13:48,877 fail2ban.jail   : INFO   Jail 'wordpress' uses Gamin
    2013-02-07 10:13:48,877 fail2ban.filter : INFO   Added logfile = /var/log/auth.log
    2013-02-07 10:13:48,878 fail2ban.filter : INFO   Set maxRetry = 6
    2013-02-07 10:13:48,878 fail2ban.filter : INFO   Set findtime = 600
    2013-02-07 10:13:48,879 fail2ban.actions: INFO   Set banTime = 600
    2013-02-07 10:13:48,884 fail2ban.jail   : INFO   Jail 'ssh' started
    2013-02-07 10:13:48,885 fail2ban.jail   : INFO   Jail 'wordpress' started

    I have some jail actions due to SSH attacks, but nothing due to wordpress.
    I even tried to trigger it myself by entering 10 consecutive bad logins from my computer.

    But the problem is, if I enter the same login with different passwords (like trying to brute-force the admin account), I don't have the required lines in the auth.log

    Feb  8 08:03:57 panel wordpress(vue-360.com)[23820]: Accepted password for Virtualced from 194.154.219.97
    Feb  8 08:14:37 panel wordpress(wp-adm.in)[26112]: Authentication failure for admin from 195.46.235.88
    Feb  8 08:15:04  wordpress(wp-adm.in)[26112]: last message repeated 7 times
    Feb  8 08:15:04 panel wordpress(wp-adm.in)[26112]: Authentication failure for aaa from 195.46.235.88
    Feb  8 08:15:08 panel wordpress(wp-adm.in)[26112]: Authentication failure for bbb from 195.46.235.88
    Feb  8 08:15:13 panel wordpress(wp-adm.in)[26112]: Authentication failure for ccc from 195.46.235.88
    Feb  8 08:15:17 panel wordpress(wp-adm.in)[26112]: Authentication failure for ddd from 195.46.235.88
    Feb  8 08:15:20 panel wordpress(wp-adm.in)[26112]: Authentication failure for eee from 195.46.235.88

    I have the log line `Feb 8 08:15:04 wordpress(wp-adm.in)[26112]: last message repeated 7 times` instead of several lines to be counted by fail2ban.
    The only way to lock an account is to change the password at each try.

    As most of the hackers try several passwords on only one account, it's difficult to manage...

    http://wordpress.org/extend/plugins/wp-fail2ban/
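    The "last message repeated 7 times" line is the syslog daemon collapsing identical consecutive messages, so a per-line filter sees one failure where eight happened. The Python below is an added illustration, not code from the plugin or from fail2ban: on a constructed log in the same shape as the excerpt above (documentation addresses, an invalid hostname and a fixed year are assumptions), it counts failures per address with and without expanding the repeat line, then applies a findtime/maxretry window like the jail's to show which count would actually trigger a ban.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample in the shape of the auth.log excerpt in the post above.
# Addresses are RFC 5737 documentation ranges; the hostname is not a real site.
# The repeat line deliberately lacks the "panel" hostname, as in the original log.
SAMPLE_LOG = """\
Feb  8 08:14:37 panel wordpress(example.invalid)[26112]: Authentication failure for admin from 198.51.100.7
Feb  8 08:15:04  wordpress(example.invalid)[26112]: last message repeated 7 times
Feb  8 08:15:04 panel wordpress(example.invalid)[26112]: Authentication failure for aaa from 198.51.100.7
Feb  8 08:15:08 panel wordpress(example.invalid)[26112]: Authentication failure for bbb from 198.51.100.7
Feb  8 08:20:01 panel wordpress(example.invalid)[26112]: Accepted password for alice from 203.0.113.5
"""

YEAR = 2013  # syslog timestamps carry no year; fixed here for the constructed sample

# Simplified syslog line: timestamp, optional hostname, program(tag)[pid]: message.
# These regexes are assumptions for the example, not the plugin's filter.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2})\s+"
    r"(?:(?P<host>\S+)\s+)?"
    r"(?P<prog>wordpress(?:\(\S+\))?)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
FAIL_RE = re.compile(r"^Authentication failure for .* from (?P<ip>\S+)$")
REPEAT_RE = re.compile(r"^last message repeated (?P<n>\d+) times$")


def parse_ts(ts):
    """Parse 'Feb  8 08:14:37' (strptime tolerates the padded day)."""
    return datetime.strptime(ts, "%b %d %H:%M:%S").replace(year=YEAR)


def messages(lines, expand):
    """Yield (timestamp, message) per syslog line.

    With expand=True, a 'last message repeated N times' line is replaced by
    N copies of the previous message from the same program/pid, stamped with
    the repeat line's time. With expand=False it is passed through unchanged,
    which is what a plain per-line failregex sees.
    """
    last = {}  # (prog, pid) -> most recent real message
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts, key, msg = parse_ts(m["ts"]), (m["prog"], m["pid"]), m["msg"]
        rep = REPEAT_RE.match(msg)
        if rep and expand:
            prev = last.get(key)
            if prev is not None:
                for _ in range(int(rep["n"])):
                    yield ts, prev
            continue
        if not rep:
            last[key] = msg
        yield ts, msg


def failure_events(lines, expand=True):
    """Return [(timestamp, ip)] for every authentication failure."""
    events = []
    for ts, msg in messages(lines, expand):
        f = FAIL_RE.match(msg)
        if f:
            events.append((ts, f["ip"]))
    return events


def failure_counts(lines, expand=True):
    """Failures per source address, as a plain dict."""
    return dict(Counter(ip for _, ip in failure_events(lines, expand)))


def banned_hosts(lines, expand=True, findtime=600, maxretry=6):
    """Addresses with at least maxretry failures inside any findtime window,
    mirroring the jail settings shown in the fail2ban.log excerpt."""
    by_ip = defaultdict(list)
    for ts, ip in failure_events(lines, expand):
        by_ip[ip].append(ts)
    window = timedelta(seconds=findtime)
    banned = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= maxretry:
                banned.add(ip)
                break
    return banned


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for expand in (False, True):
        print("expand repeats:", expand,
              "counts:", failure_counts(lines, expand),
              "banned:", banned_hosts(lines, expand))
```

    Run as-is: without expansion the address reaches only 3 counted failures and stays under maxretry = 6; with the repeat line expanded it reaches 10 and is banned within the 600-second window. Expanding repeats in a parser is a diagnostic, not the fix: the message folding is done by the syslog daemon, so the lasting remedy is to disable repeat reduction there (rsyslog's `$RepeatedMsgReduction off`, if it is turned on) so that every failure reaches the log as its own line for fail2ban to count.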

  2. invisnet
    Member
    Plugin Author

    Posted 1 year ago #

  3. Gilligan
    Member
    Posted 1 year ago #

    For many newer RedHat downstream distros, such as CentOS, Amazon, Scientific: the log to parse is /var/log/messages

    ref: http://php.net/manual/en/function.syslog.php (see comments)

    test:
    fail2ban-regex /var/log/messages /etc/fail2ban/filter.d/wordpress.conf
