• I love the idea of this integration! I have installed all the bits and pieces, but when I restart the fail2ban service it fails to start. I believe that this is due to the action = pf. I am unfamiliar with this action or what it should be/could be. Can you offer some guidance to get me going in the right direction? I have attempted to search the Google machine, but didn’t find anything that appeared to be what I was looking for.

    My login successes/failures are in the “messages” log file.
    Oct 22 17:59:11 vps-1111111-33333 wordpress(7.7.7.7)[7619]: Accepted password for xxxxxxx from 8.8.8.8
    Oct 22 18:09:58 vps-1111111-33333 wordpress(7.7.7.7)[7661]: Authentication failure for xxxxxxx from 8.8.8.8

    Thanks in advance for your assistance.

    Scott

    http://wordpress.org/extend/plugins/wp-fail2ban/

Viewing 8 replies - 1 through 8 (of 8 total)
  • Here’s an example of mine showing it working:

    2012-10-27 17:09:39,003 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.6
    2012-10-27 17:09:39,004 fail2ban.jail : INFO Creating new jail ‘ssh’
    2012-10-27 17:09:39,007 fail2ban.jail : INFO Jail ‘ssh’ uses Gamin
    2012-10-27 17:09:39,023 fail2ban.filter : INFO Added logfile = /var/log/auth.log
    2012-10-27 17:09:39,024 fail2ban.filter : INFO Set maxRetry = 6
    2012-10-27 17:09:39,025 fail2ban.filter : INFO Set findtime = 600
    2012-10-27 17:09:39,026 fail2ban.actions: INFO Set banTime = 600
    2012-10-27 17:09:39,055 fail2ban.jail : INFO Creating new jail ‘wordpress’
    2012-10-27 17:09:39,055 fail2ban.jail : INFO Jail ‘wordpress’ uses Gamin
    2012-10-27 17:09:39,056 fail2ban.filter : INFO Added logfile = /var/log/auth.log
    2012-10-27 17:09:39,056 fail2ban.filter : INFO Set maxRetry = 6
    2012-10-27 17:09:39,057 fail2ban.filter : INFO Set findtime = 600
    2012-10-27 17:09:39,057 fail2ban.actions: INFO Set banTime = 600
    2012-10-27 17:09:39,064 fail2ban.jail : INFO Jail ‘ssh’ started
    2012-10-27 17:09:39,072 fail2ban.jail : INFO Jail ‘wordpress’ started
    2012-10-27 17:09:41,135 fail2ban.actions: WARNING [wordpress] Ban 178.212.65.55
    2012-10-27 17:19:41,917 fail2ban.actions: WARNING [wordpress] Unban 178.212.65.55

    I copied the wordpress.conf into the /etc/fail2ban/filters.d folder

    I copied the /etc/fail2ban/jail.conf to /etc/fail2ban/jail.local

    I edited the jail.local to include this:

    [wordpress]

    enabled = true
    port = http,https
    filter = wordpress
    logpath = /var/log/auth.log
    maxretry = 6

    I restarted fail2ban /etc/init.d/fail2ban restart

    This was all on an Ubuntu 12.04 system with apache2 and php 5.3.x. I simply installed the wordpress plugin, installed fail2ban on the server (apt-get install fail2ban), and it installed some dependencies along with it.

    I adjusted my ignoreip list to not ban my IPs as well.

    Hope this helps.

    Thread Starter onerock

    (@onerock)

    Thanks for the assistance with this. I really appreciate it! The jail.local that is working for you causes my fail2ban service to fail on startup. This installation was pre-installed from my VPS provider, so I dug around and mimicked what I found pre-configured for jails for other services. It seems that I have everything running now successfully according to the logs. However, it appears that the filter may not be matching, so nothing is being banned. I have worked with this for some time this evening and am again out of ideas. Can you offer any further advice?

    Here is my messages log excerpt...

    Oct 27 23:07:29 fail2ban.jail : INFO Creating new jail ‘wordpress’
    Oct 27 23:07:29 fail2ban.jail : INFO Jail ‘wordpress’ uses Inotify
    Oct 27 23:07:29 ¿<30>fail2ban.filter : INFO Added logfile = /var/log/messages
    Oct 27 23:07:29 ¿<30>fail2ban.filter : INFO Set maxRetry = 1
    Oct 27 23:07:29 ¿<30>fail2ban.filter : INFO Set findtime = 600
    Oct 27 23:07:29 fail2ban.actions: INFO Set banTime = 120
    Oct 27 23:07:29 fail2ban.jail : INFO Jail ‘wordpress’ started
    Oct 27 23:08:25 wordpress(MyDomain.com)[16114]: Authentication failure for someone from 108.162.216.245
    Oct 27 23:08:34 wordpress(MyDomain.com)[18147]: Authentication failure for someone from 108.162.216.245
    Oct 27 23:08:43 wordpress(MyDomain.com)[15927]: Authentication failure for someone from 108.162.216.245

    Here is my jail.local

    # This jail blocks WordPress login failures.
    [wordpress]
    enabled = true
    filter = wordpress
    action = sendmail-whois[name=wordpress, dest=root, sender=fail2ban@example.com]
             iptables-multiport[name=wordpress, port="80,443", protocol=tcp]
    logpath = /var/log/messages
    maxretry = 1
    bantime = 120

    Here is my wordpress.conf (removed comments only to conserve space in this post)

    [INCLUDES]
    before = common.conf

    [Definition]
    _daemon = wordpress

    failregex = ^%(__prefix_line)sauthentication failure for .* from <HOST>$

    ignoreregex =

    iptables --list | grep fail2ban
    When I run the above command it appears to have the appropriate hooks in the iptables as other services.

    target prot opt source destination
    fail2ban-wordpress tcp -- anywhere anywhere multiport dports http,https

    Chain fail2ban-wordpress (1 references)
    target prot opt source destination
    RETURN all -- anywhere anywhere

    Plugin Author invisnet

    (@invisnet)

    What does fail2ban-regex say? e.g.

    fail2ban-regex /var/log/messages filter.d/wordpress.conf

    in the fail2ban directory. That will tell you if the filter is working.

    Thread Starter onerock

    (@onerock)

    Thank you for your assistance!

    It appears that the filter isn’t catching the authentication failures.

    Oct 28 19:44:09 wordpress(MyDomain.com)[26603]: Authentication failure for someone from 8.8.8.8
    Oct 28 19:44:33 wordpress(MyDomain.com)[23820]: Authentication failure for someone from 8.8.8.8

    --------------------------------------------------
    # fail2ban-regex /var/log/messages filter.d/wordpress.conf

    Running tests
    =============

    Use regex file : filter.d/wordpress.conf
    Use log file : /var/log/messages

    Results
    =======

    Failregex
    |- Regular expressions:
    | [1] ^\s*(?:\S+ )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?wordpress(?:\(\S+\))?[\]\)]?:?|[\[\(]?wordpress(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*authentication failure for .* from <HOST>$
    |

    - Number of matches:
    [1] 0 match(es)

    Ignoreregex
    |- Regular expressions:
    |

    - Number of matches:

    Summary
    =======

    Sorry, no match

    Plugin Author invisnet

    (@invisnet)

    I think the problem is that you need a capital A at the start of Authentication. Everything else looks OK.

    Thread Starter onerock

    (@onerock)

    Thanks so much for sticking with this! I changed the filter file as follows, but no luck. 🙁

    failregex = ^%(__prefix_line)sAuthentication failure for .* from <HOST>$

    Could the issue be that __prefix_line isn’t translating correctly?

    common.conf:
    _daemon = \S*

    __pid_re = (?:\[\d+\])

    __daemon_re = [\[\(]?%(_daemon)s(?:\(\S+\))?[\]\)]?:?

    __daemon_combs_re = (?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:)

    __prefix_line = \s*(?:\S+ )?(?:@vserver_\S+ )?%(__daemon_combs_re)s?\s*
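To see what fail2ban-regex is doing with this filter, here is an added example (not code from the plugin or from fail2ban) that expands the common.conf and wordpress.conf definitions quoted above with Python's configparser `%(name)s` interpolation, strips the syslog timestamp and runs the resulting failregex over constructed log lines, once with the original lowercase "authentication" and once with the capital A. The `build_failregex` and `matching_hosts` helpers are mine, and the timestamp regex and the `<HOST>` expansion are assumptions about how fail2ban 0.8 behaves.

```python
import configparser
import re

# Constructed copies of the definitions quoted in this thread.
COMMON_CONF = r"""[Definition]
_daemon = \S*
__pid_re = (?:\[\d+\])
__daemon_re = [\[\(]?%(_daemon)s(?:\(\S+\))?[\]\)]?:?
__daemon_combs_re = (?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:)
__prefix_line = \s*(?:\S+ )?(?:@vserver_\S+ )?%(__daemon_combs_re)s?\s*
"""
WORDPRESS_CONF = r"""[Definition]
_daemon = wordpress
failregex = ^%(__prefix_line)s{verb} failure for .* from <HOST>$
"""
# Constructed log lines in the two shapes seen in the thread (with and
# without a hostname between the timestamp and the daemon name).
LOG_LINES = [
    "Oct 28 19:44:09 wordpress(MyDomain.com)[26603]: Authentication failure for someone from 8.8.8.8",
    "Oct 28 19:44:33 wordpress(MyDomain.com)[23820]: Authentication failure for someone from 8.8.8.8",
    "Oct 28 19:45:10 vps-1111111-33333 wordpress(7.7.7.7)[7661]: Authentication failure for someone from 203.0.113.5",
    "Oct 28 19:45:41 wordpress(MyDomain.com)[23821]: Accepted password for someone from 8.8.8.8",
]
# Assumed to mirror fail2ban 0.8: <HOST> becomes this named group, and the
# syslog timestamp is cut out of the line before failregex is applied.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"
SYSLOG_DATE = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} ")


def build_failregex(verb):
    """Expand wordpress.conf on top of common.conf ('before = common.conf')."""
    cp = configparser.ConfigParser()  # %(name)s interpolation, like fail2ban
    cp.read_string(COMMON_CONF)
    cp.read_string(WORDPRESS_CONF.format(verb=verb))  # overrides _daemon
    return cp.get("Definition", "failregex").replace("<HOST>", HOST_RE)


def matching_hosts(verb, lines=LOG_LINES):
    """Return the <host> captured from every line that failregex matches."""
    failregex = re.compile(build_failregex(verb))
    hosts = []
    for line in lines:
        rest = SYSLOG_DATE.sub("", line, count=1)  # drop the timestamp
        m = failregex.search(rest)
        if m:
            hosts.append(m.group("host"))
    return hosts


if __name__ == "__main__":
    for verb in ("authentication", "Authentication"):
        print(f"{verb}: {len(matching_hosts(verb))} match(es)")
```

The lowercase spelling yields the "0 match(es)" seen in the fail2ban-regex output above; with the capital A both log shapes match and the source address is captured, which is what the ban action needs.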

    Plugin Author invisnet

    (@invisnet)

    Does the sshd filter work with your fail2ban install?

    The lines from your common.conf are the same as the default install so the wordpress filter should work – I’m just wondering if there’s a problem elsewhere.

    Thread Starter onerock

    (@onerock)

    Thanks for responding, I appreciate it.

    I am alerted about SSH bans on a regular basis. I am not sure if they are truly blocked.

    I actually got it to filter somehow....

    Message from syslogd@vps-1115096-13004 at Nov 6 18:05:34 …
    ¿<28>fail2ban.actions: WARNING [wordpress] Ban 8.8.8.8

    But it doesn’t block anything. I have attempted several actions. Here is the current action.

    From jail.local
    action = sendmail-whois[name=wordpress, dest=root, sender=fail2ban@example.com]
             iptables-multiport[name=Web, port="80,443", protocol=tcp]

    The iptables-multiport.conf in the filter.d directory is default.

  • The topic ‘restart of fail2ban service fails’ is closed to new replies.