Support » Plugin: WP fail2ban » restart of fail2ban service fails

  • I love the idea of this integration! I have installed all the bit and pieces, but when I restart the fail2ban service it fails to start. I believe that this is due to the action = pf. I am unfamiliar with this action or what it should be/could be. Can you offer some guidance to get me going in the right direction? I have attempted to search the Google machine, but didn’t find anything that appeared to be what I was looking for.

    My log in success/failures are in the “message” log file.
    Oct 22 17:59:11 vps-1111111-33333 wordpress(7.7.7.7)[7619]: Accepted password for xxxxxxx from 8.8.8.8
    Oct 22 18:09:58 vps-1111111-33333 wordpress(7.7.7.7)[7661]: Authentication failure for xxxxxxx from 8.8.8.8

    Thanks in advance for your assistance.

    Scott

    http://wordpress.org/extend/plugins/wp-fail2ban/

Viewing 8 replies - 1 through 8 (of 8 total)
  • Here’s an example of mine showing it working:

    2012-10-27 17:09:39,003 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.6
    2012-10-27 17:09:39,004 fail2ban.jail : INFO Creating new jail ‘ssh’
    2012-10-27 17:09:39,007 fail2ban.jail : INFO Jail ‘ssh’ uses Gamin
    2012-10-27 17:09:39,023 fail2ban.filter : INFO Added logfile = /var/log/auth.log
    2012-10-27 17:09:39,024 fail2ban.filter : INFO Set maxRetry = 6
    2012-10-27 17:09:39,025 fail2ban.filter : INFO Set findtime = 600
    2012-10-27 17:09:39,026 fail2ban.actions: INFO Set banTime = 600
    2012-10-27 17:09:39,055 fail2ban.jail : INFO Creating new jail ‘wordpress’
    2012-10-27 17:09:39,055 fail2ban.jail : INFO Jail ‘wordpress’ uses Gamin
    2012-10-27 17:09:39,056 fail2ban.filter : INFO Added logfile = /var/log/auth.log
    2012-10-27 17:09:39,056 fail2ban.filter : INFO Set maxRetry = 6
    2012-10-27 17:09:39,057 fail2ban.filter : INFO Set findtime = 600
    2012-10-27 17:09:39,057 fail2ban.actions: INFO Set banTime = 600
    2012-10-27 17:09:39,064 fail2ban.jail : INFO Jail ‘ssh’ started
    2012-10-27 17:09:39,072 fail2ban.jail : INFO Jail ‘wordpress’ started
    2012-10-27 17:09:41,135 fail2ban.actions: WARNING [wordpress] Ban 178.212.65.55
    2012-10-27 17:19:41,917 fail2ban.actions: WARNING [wordpress] Unban 178.212.65.55

    I copied the wordpress.conf into the /etc/fail2ban/filters.d folder

    I copied the /etc/fail2ban/jail.conf to /etc/fail2ban/jail.local

    I edited the jail.local to include this:

    [wordpress]

    enabled = true
    port = http,https
    filter = wordpress
    logpath = /var/log/auth.log
    maxretry = 6

    I restarted fail2ban /etc/init.d/fail2ban restart

    This was all on an Ubuntu 12.04 system with apache2, php 5.3.x, I simply installed the wordpress plugin, installed fail2ban on the server (apt-get install fail2ban) and it installed some dependencies along with it.

    I adjusted my ignoreip list to not ban my IP’s as well

    Hope this helps.

    Thanks for the assistance with this. I really appreciate it! The jail.local that is working for you causes my fail2ban service to fail on start up. This installation was pre-installed from my VPS provider, so I dug around and mimicked what I found pre-configured for jails for other services. It seems that I have everything running now successfully according to the logs. However, it appears that the filter may not be matching, so nothing is being banned. I have worked with this for some time this evening and am again out of ideas. Can you offer any further advice?

    Here is my messages log excert…

    Oct 27 23:07:29 fail2ban.jail : INFO Creating new jail ‘wordpress’
    Oct 27 23:07:29 fail2ban.jail : INFO Jail ‘wordpress’ uses Inotify
    Oct 27 23:07:29 ¿<30>fail2ban.filter : INFO Added logfile = /var/log/messages
    Oct 27 23:07:29 ¿<30>fail2ban.filter : INFO Set maxRetry = 1
    Oct 27 23:07:29 ¿<30>fail2ban.filter : INFO Set findtime = 600
    Oct 27 23:07:29 fail2ban.actions: INFO Set banTime = 120
    Oct 27 23:07:29 fail2ban.jail : INFO Jail ‘wordpress’ started
    Oct 27 23:08:25 wordpress(MyDomain.com)[16114]: Authentication failure for someone from 108.162.216.245
    Oct 27 23:08:34 wordpress(MyDomain.com)[18147]: Authentication failure for someone from 108.162.216.245
    Oct 27 23:08:43 wordpress(MyDomain.com)[15927]: Authentication failure for someone from 108.162.216.245

    Here is my jail.local

    # This jail blocks WordPress login failures.
    [wordpress]
    enabled = true
    filter = wordpress
    action = sendmail-whois[name=wordpress, dest=root, sender=fail2ban@example.com]
    iptables-multiport[name=wordpress, port=”80,443″, protocol=tcp]
    logpath = /var/log/messages
    maxretry = 1
    bantime = 120

    Here is my wordpress.conf (removed comments only to conserve space in this post)

    [INCLUDES]
    before = common.conf

    [Definition]
    _daemon = wordpress

    failregex = ^%(__prefix_line)sauthentication failure for .* from <HOST>$

    ignoreregex =

    iptables –list | grep fail2ban
    When I run the above command it appears to have the appropriate hooks in the iptables as other services.

    target prot opt source destination
    fail2ban-wordpress tcp — anywhere anywhere multiport dports http,https

    Chain fail2ban-wordpress (1 references)
    target prot opt source destination
    RETURN all — anywhere anywhere

    Plugin Author invisnet

    (@invisnet)

    What does fail2ban-regex say? e.g.

    fail2ban-regex /var/log/messages filter.d/wordpress.conf

    in the fail2ban directory. That will tell you if the filter is working.

    Thank you for your assistance!

    It appears that the filter isn’t catching the authentication failures.

    Oct 28 19:44:09 wordpress(MyDomain.com)[26603]: Authentication failure for someone from 8.8.8.8
    Oct 28 19:44:33 wordpress(MyDomain.com)[23820]: Authentication failure for someone from 8.8.8.8

    ————————————————–
    # fail2ban-regex /var/log/messages filter.d/wordpress.conf

    Running tests
    =============

    Use regex file : filter.d/wordpress.conf
    Use log file : /var/log/messages

    Results
    =======

    Failregex
    |- Regular expressions:
    | [1] ^\s*(?:\S+ )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?wordpress(?:\(\S+\))?[\]\)]?:?|[\[\(]?wordpress(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*authentication failure for .* from <HOST>$
    |

    – Number of matches:
    [1] 0 match(es)

    Ignoreregex
    |- Regular expressions:
    |

    – Number of matches:

    Summary
    =======

    Sorry, no match

    Plugin Author invisnet

    (@invisnet)

    I think the problem is that you need a capital A at the start of Authentication. Everything else looks OK.

    Thanks so much for sticking with this! I changed the filter file as follows, but no luck. 🙁

    failregex = ^%(__prefix_line)sAuthentication failure for .* from <HOST>$

    Could the issue be that __prefix_line isn’t translating correctly?

    Common.conf
    _daemon = \S*

    __pid_re = (?:\[\d+\])

    __daemon_re = [\[\(]?%(_daemon)s(?:\(\S+\))?[\]\)]?:?

    __daemon_combs_re = (?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:)

    __prefix_line = \s*(?:\S+ )?(?:@vserver_\S+ )?%(__daemon_combs_re)s?\s*

    Plugin Author invisnet

    (@invisnet)

    Does the sshd filter work with your fail2ban install?

    The lines from your common.conf are the same as the default install so the wordpress filter should work – I’m just wondering if there’s a problem elsewhere.

    Thanks for responding, I appreciate it.

    I am alerted about SSH bans on a regular basis. I am not sure if they are truly blocked.

    I actually got to filter somehow….

    Message from syslogd@vps-1115096-13004 at Nov 6 18:05:34 …
    ¿<28>fail2ban.actions: WARNING [wordpress] Ban 8.8.8.8

    But is doesn’t block anything. I have attempted several actions. Here is the current action.

    From jail.local
    action = sendmail-whois[name=wordpress, dest=root, sender=fail2ban@example.com]
    iptables-multiport[name=Web, port=”80,443″, protocol=tcp]

    The iptables-multiport.conf in the filter.d directory is default.

Viewing 8 replies - 1 through 8 (of 8 total)
  • The topic ‘restart of fail2ban service fails’ is closed to new replies.