Support » Plugin: WP fail2ban » I have a love-hate relationship with this plugin…

  • Ok, this is the kind of plugin I keep installing and deinstalling over time…

    Firstly: I’m no stranger to fail2ban, but I’m not really an expert in designing my own filters, either. I still know enough fail2ban-fu to tackle some tricky issues; ultimately, 90% of the complexity is in setting the correct regexps to catch log errors β€” that’s easy enough to do πŸ™‚

    Secondly: as an experienced system administrator, the extra goodies that come with the subscription model are not really worth the expense. Some of those goodies are basically just automating procedures for those that aren’t really familiar with fail2ban. Sure, the so-called Blocklist Network Service (BNS) is quite useful for preemptively block malicious IP addresses; but, as others have said elsewhere, you can pretty much accomplish the same with many other tools (most of them free). I mostly use AbuseIPDB (as well as the free version of WordFence), but your mileage may vary.

    Thirdly: aye, the constant nagging to upgrade to Premium is annoying. After a while it gets on your nerves. Sure, programmers need to eat, too, so I perfectly understand the need to grab the user’s attention. I personally would prefer a one-shot fee to get most of the Premium functionality, or at least a way to turn off the constant nagging, like others already suggested; committing to a permanent subscription plan, no matter how cheap, is not really an option for those, like myself, who have irregular sources of income, and have to keep recurring payments at the bare minimum (e.g. utility bills…). I’d be fine to have very limited ‘Premium’ features for a single payment, and, sure, I’d pay US$40 for the privilege of not getting constantly nagged about upgrading…

    Fourthly: documentation. It’s clear that Charles has put a huge effort in writing the documentation. Alas, the brunt of the effort was done around version 2 of wp-fail2ban. Recent features are barely documented, if at all (sometimes you only know that a feature exists, but have no idea about its purpose; sometimes there isn’t even an empty page for said feature, so you have no way to know if it exists at all or not β€” short of taking a look at the source code, that is).

    Put in other words: to do the basics, there is enough documentation. To go a little further than that, or to figure out how to activate a recently introduced feature… well, there is often not enough help for that on the documentation. If you really need that feature, I guess you’ll have a good incentive to go Premium πŸ™‚

    That said, is this plugin really that useful? You bet it is!

    There are a few other plugins attempting to do the same β€” i.e. integrating the WordPress logs with fail2ban β€” but they don’t come even close. WP Fail2Ban goes way, way further than other plugins. A lot of features have been very cleverly implemented (for instance, even if a hacker gets access to your website’s admin panel, despite all the protections, they’ll have a tough time to fully disable the plugin…) and work quite well in practice. What is not even mentioned on the documentation is that, by default, if you host a lot of websites, and all of them have WP Fail2Ban active, then a single filter on fail2ban will deal with blocking them all. That’s because WP Fail2Ban will add entries to syslog β€” which is common to the whole system. This is far better (and much faster!) than scanning each individual virtual host’s logs! Also, you get correlations that aren’t obvious, and can act upon those as well.

    Imagine the following scenario: a malicious hacker figured out that your server’s IP address is actually hosting hundreds of separate websites. They have a brute-force script to try to guess passwords, but they also know that most WordPress installations, even quite basic ones, will block failed attempts after a while. So, what they do is to run the script across all websites, one by one, giving plenty of time between attempts β€” thus expecting to evade the most basic defence. A website that sees three failed logins in ‘quick’ succession can block that IP address effectively. But websites are independent of each other, so they cannot know if the others are being simultaneously being attacked or not; eventually, the failed attempt is ‘forgotten’ over time, and even if a request comes from the same IP address after an hour or two, it’s likely that the defence system might not associate one thing with the other. It’s just repeated attempts for the same login (usually from the same IP!) that trigger most alarms…

    Not so with WP Fail2Ban. Those hundreds of sites will all promptly log a failed attempt to the same universal log, syslog. Thus, fail2ban will immediately notice that there is someone attempting to log in β€” and failing all the time β€” on any of the websites, and, as a result, will count failed attempts on one site towards a common total. The result? Such a brute-force attack can easily be detected, promptly logged, and blocked β€” for all websites, not just for one!

    Even if you run multiple servers, each with different physical IP addresses, that’s not a problem. syslog can be configured to accept remote logging from multiple sources. You might need to do a bit of tinkering (i.e. deciding which logging facility will be kept on the local machine, and which will be stored remotely), but such a configuration is certainly possible (WP Fail2Ban can be configured to use any syslog logging level/facility!). Sure, this requires a bit of extra scripting, but it’s not a really hard thing to do β€” especially if you are able to instruct fail2ban to block IP addresses at the level of a common (physical) firewall.

    A very easy way to accomplish the same is to use something like Cloudflare: configure fail2ban to use Cloudflare’s API to block an IP address at their firewall, and that address will be automatically blocked for all websites you’ve got protected with Cloudflare. All that for the modest cost of zero dollars.

    Another interesting feature is the ability to extend WP Fail2Ban with additional plugins. A few can be activated directly from the WordPress Plugin Library (e.g. to protect your Contact 7 or Gravity forms). But you can also write your own plugins to deal with particular configuration. This mostly means telling WP Fail2Ban what to trigger and write to syslog, and adding a fail2ban filter to seek for that message and process it accordingly. That way, you can add lots of additional functionalities that are not present in the ‘core’ WP Fail2Ban plugin, but which might be quite useful.

    Here is an example. fail2ban is mostly used to ban IP addresses, but it can do a lot more: an easy example is just to alert the system administrator that something is not working as it should, and send them an email (or a tweet, or something…). You can write a simple plugin to check for available memory (available to WordPress, that is), and if it’s excessive (according to your own rules!), write a message to whatever syslog level you wish β€” and let fail2ban pick it up from there, eventually sending an alert. While this can be accomplished in several different ways, from the perspective of a system administrator, it’s more manageable to have a ‘common’ framework for identifying malfunctions and/or (possible) security issues and configure them from the same interface (in this case, fail2ban scripts). By combining the ability of WP Fail2Ban to potentially register whatever is happening with your WP installation and write a message to syslog about it, and having fail2ban picking up those messages and extract a pattern that shows that something is wrong, you can effectively build a complex system around those tools that can give you a lot of insight on what’s going on with your websites β€” and automate many of the tasks (fail2ban can attempt to restart a PHP instance that has been consistently reporting many out-of-memory errors, for example).

    I’m aware that there is a plethora of such tools available (New Relic comes to mind β€” just because it has a free tier, and it’s enterprise-grade instrumentation), but combining the power of WP Fail2Ban with fail2ban itself and using syslog as a way to pass messages between both β€” that’s pure genius, and a very clean and elegant way of doing even complex, automated tasks, just by using off-the-shelf tools (most of them free!).

    You can see that I have listed way more reasons why I love the concept behind WP Fail2Ban than the reasons why I hate it. I would say that it’s the kind of plugin that you will actively use (it works in the background, after all), even though you can achieve similar results by adding lots of clever rules on fail2ban (without needing the extra help from WP Fail2Ban, that is). There are always trade-offs to consider β€” for example, where are you more comfortable dealing with security, at the WordPress level, or at the operating system level? (the correct answer, of course, is ‘both’ β€” but that might not be an option for everyone)

    Also, I’d rate WP Fail2Ban as being a ‘comparatively light’ plugin. It does use a few database calls, just for presenting the last five reported incidents on the dashboard β€” but you can even turn those off and save the cost of those database accesses. After all, most of the work will be done by fail2ban anyway β€” running silently in the background. WP Fail2Ban is just a very sophisticated logging tool (and the ‘core’ WP engine already does its share of logging, so it’s not too much extra work), mostly providing a reasonably easy interface inside WordPress to configure how those ‘special’ logs ought to be written to syslog; that will hardly put too much stress on your own system (and syslog is designed to handle that stress!).

    A last note: I’ve repeatedly mentioned that WP Fail2Ban relies on syslog to write appropriate messages to it that fail2ban can capture and process, but there are different ways to configure it β€” you can bypass syslog, write the logs elsewhere (even on a memory-based filesystem, if you wish!), and just process these with fail2ban (which is rather agnostic about where it should look for logs). Using syslog (especially its built-in remote logging facilities!) might be a better solution in many scenarios, but it’s not a requirement for you to use WP Fail2Ban.

  • You must be logged in to reply to this review.