WordPress.org

Ready to get started?Download WordPress

Forums

WP fail2ban
restart of fail2ban service fails (9 posts)

  1. onerock
    Member
    Posted 1 year ago #

    I love the idea of this integration! I have installed all the bit and pieces, but when I restart the fail2ban service it fails to start. I believe that this is due to the action = pf. I am unfamiliar with this action or what it should be/could be. Can you offer some guidance to get me going in the right direction? I have attempted to search the Google machine, but didn't find anything that appeared to be what I was looking for.

    My log in success/failures are in the "message" log file.
    Oct 22 17:59:11 vps-1111111-33333 wordpress(7.7.7.7)[7619]: Accepted password for xxxxxxx from 8.8.8.8
    Oct 22 18:09:58 vps-1111111-33333 wordpress(7.7.7.7)[7661]: Authentication failure for xxxxxxx from 8.8.8.8

    Thanks in advance for your assistance.

    Scott

    http://wordpress.org/extend/plugins/wp-fail2ban/

  2. ideaman007
    Member
    Posted 1 year ago #

    Here's an example of mine showing it working:

    2012-10-27 17:09:39,003 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.6
    2012-10-27 17:09:39,004 fail2ban.jail : INFO Creating new jail 'ssh'
    2012-10-27 17:09:39,007 fail2ban.jail : INFO Jail 'ssh' uses Gamin
    2012-10-27 17:09:39,023 fail2ban.filter : INFO Added logfile = /var/log/auth.log
    2012-10-27 17:09:39,024 fail2ban.filter : INFO Set maxRetry = 6
    2012-10-27 17:09:39,025 fail2ban.filter : INFO Set findtime = 600
    2012-10-27 17:09:39,026 fail2ban.actions: INFO Set banTime = 600
    2012-10-27 17:09:39,055 fail2ban.jail : INFO Creating new jail 'wordpress'
    2012-10-27 17:09:39,055 fail2ban.jail : INFO Jail 'wordpress' uses Gamin
    2012-10-27 17:09:39,056 fail2ban.filter : INFO Added logfile = /var/log/auth.log
    2012-10-27 17:09:39,056 fail2ban.filter : INFO Set maxRetry = 6
    2012-10-27 17:09:39,057 fail2ban.filter : INFO Set findtime = 600
    2012-10-27 17:09:39,057 fail2ban.actions: INFO Set banTime = 600
    2012-10-27 17:09:39,064 fail2ban.jail : INFO Jail 'ssh' started
    2012-10-27 17:09:39,072 fail2ban.jail : INFO Jail 'wordpress' started
    2012-10-27 17:09:41,135 fail2ban.actions: WARNING [wordpress] Ban 178.212.65.55
    2012-10-27 17:19:41,917 fail2ban.actions: WARNING [wordpress] Unban 178.212.65.55

    I copied the wordpress.conf into the /etc/fail2ban/filters.d folder

    I copied the /etc/fail2ban/jail.conf to /etc/fail2ban/jail.local

    I edited the jail.local to include this:

    [wordpress]

    enabled = true
    port = http,https
    filter = wordpress
    logpath = /var/log/auth.log
    maxretry = 6

    I restarted fail2ban /etc/init.d/fail2ban restart

    This was all on an Ubuntu 12.04 system with apache2, php 5.3.x, I simply installed the wordpress plugin, installed fail2ban on the server (apt-get install fail2ban) and it installed some dependencies along with it.

    I adjusted my ignoreip list to not ban my IP's as well

    Hope this helps.

  3. onerock
    Member
    Posted 1 year ago #

    Thanks for the assistance with this. I really appreciate it! The jail.local that is working for you causes my fail2ban service to fail on start up. This installation was pre-installed from my VPS provider, so I dug around and mimicked what I found pre-configured for jails for other services. It seems that I have everything running now successfully according to the logs. However, it appears that the filter may not be matching, so nothing is being banned. I have worked with this for some time this evening and am again out of ideas. Can you offer any further advice?

    Here is my messages log excert...

    Oct 27 23:07:29 fail2ban.jail : INFO Creating new jail 'wordpress'
    Oct 27 23:07:29 fail2ban.jail : INFO Jail 'wordpress' uses Inotify
    Oct 27 23:07:29 ¿<30>fail2ban.filter : INFO Added logfile = /var/log/messages
    Oct 27 23:07:29 ¿<30>fail2ban.filter : INFO Set maxRetry = 1
    Oct 27 23:07:29 ¿<30>fail2ban.filter : INFO Set findtime = 600
    Oct 27 23:07:29 fail2ban.actions: INFO Set banTime = 120
    Oct 27 23:07:29 fail2ban.jail : INFO Jail 'wordpress' started
    Oct 27 23:08:25 wordpress(MyDomain.com)[16114]: Authentication failure for someone from 108.162.216.245
    Oct 27 23:08:34 wordpress(MyDomain.com)[18147]: Authentication failure for someone from 108.162.216.245
    Oct 27 23:08:43 wordpress(MyDomain.com)[15927]: Authentication failure for someone from 108.162.216.245

    Here is my jail.local

    # This jail blocks WordPress login failures.
    [wordpress]
    enabled = true
    filter = wordpress
    action = sendmail-whois[name=wordpress, dest=root, sender=fail2ban@example.com]
    iptables-multiport[name=wordpress, port="80,443", protocol=tcp]
    logpath = /var/log/messages
    maxretry = 1
    bantime = 120

    Here is my wordpress.conf (removed comments only to conserve space in this post)

    [INCLUDES]
    before = common.conf

    [Definition]
    _daemon = wordpress

    failregex = ^%(__prefix_line)sauthentication failure for .* from <HOST>$

    ignoreregex =

    "iptables --list | grep fail2ban"
    When I run the above command it appears to have the appropriate hooks in the iptables as other services.

    target prot opt source destination
    fail2ban-wordpress tcp -- anywhere anywhere multiport dports http,https

    Chain fail2ban-wordpress (1 references)
    target prot opt source destination
    RETURN all -- anywhere anywhere

  4. invisnet
    Member
    Plugin Author

    Posted 1 year ago #

    What does fail2ban-regex say? e.g.

    fail2ban-regex /var/log/messages filter.d/wordpress.conf

    in the fail2ban directory. That will tell you if the filter is working.

  5. onerock
    Member
    Posted 1 year ago #

    Thank you for your assistance!

    It appears that the filter isn't catching the authentication failures.

    Oct 28 19:44:09 wordpress(MyDomain.com)[26603]: Authentication failure for someone from 8.8.8.8
    Oct 28 19:44:33 wordpress(MyDomain.com)[23820]: Authentication failure for someone from 8.8.8.8

    --------------------------------------------------
    # fail2ban-regex /var/log/messages filter.d/wordpress.conf

    Running tests
    =============

    Use regex file : filter.d/wordpress.conf
    Use log file : /var/log/messages

    Results
    =======

    Failregex
    |- Regular expressions:
    | [1] ^\s*(?:\S+ )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?wordpress(?:\(\S+\))?[\]\)]?:?|[\[\(]?wordpress(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*authentication failure for .* from <HOST>$
    |

    - Number of matches:
    [1] 0 match(es)

    Ignoreregex
    |- Regular expressions:
    |

    - Number of matches:

    Summary
    =======

    Sorry, no match

  6. invisnet
    Member
    Plugin Author

    Posted 1 year ago #

    I think the problem is that you need a capital A at the start of Authentication. Everything else looks OK.

  7. onerock
    Member
    Posted 1 year ago #

    Thanks so much for sticking with this! I changed the filter file as follows, but no luck. :(

    failregex = ^%(__prefix_line)sAuthentication failure for .* from <HOST>$

    Could the issue be that __prefix_line isn't translating correctly?

    Common.conf
    _daemon = \S*

    __pid_re = (?:\[\d+\])

    __daemon_re = [\[\(]?%(_daemon)s(?:\(\S+\))?[\]\)]?:?

    __daemon_combs_re = (?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:)

    __prefix_line = \s*(?:\S+ )?(?:@vserver_\S+ )?%(__daemon_combs_re)s?\s*

  8. invisnet
    Member
    Plugin Author

    Posted 1 year ago #

    Does the sshd filter work with your fail2ban install?

    The lines from your common.conf are the same as the default install so the wordpress filter should work - I'm just wondering if there's a problem elsewhere.

  9. onerock
    Member
    Posted 1 year ago #

    Thanks for responding, I appreciate it.

    I am alerted about SSH bans on a regular basis. I am not sure if they are truly blocked.

    I actually got to filter somehow....

    Message from syslogd@vps-1115096-13004 at Nov 6 18:05:34 ...
    ¿<28>fail2ban.actions: WARNING [wordpress] Ban 8.8.8.8

    But is doesn't block anything. I have attempted several actions. Here is the current action.

    From jail.local
    action = sendmail-whois[name=wordpress, dest=root, sender=fail2ban@example.com]
    iptables-multiport[name=Web, port="80,443", protocol=tcp]

    The iptables-multiport.conf in the filter.d directory is default.

Topic Closed

This topic has been closed to new replies.

About this Plugin

About this Topic

Tags

No tags yet.