cellulosa
Forum Replies Created
Forum: Plugins
In reply to: [WP fail2ban - Advanced Security] Varnish configuration

Sorted! I rolled back to the simple setup, thus only with a single /etc/fail2ban/filters.d/wordpress.conf (instead of this as I mentioned above) in which I merged together wordpress-soft.conf and wordpress-hard.conf, like so:

    # Fail2Ban configuration file
    #
    # Author: Charles Lecklider
    #

    [INCLUDES]

    # Read common prefixes. If any customizations available -- read them from
    # common.local
    before = common.conf

    [Definition]

    _daemon = (?:wordpress|wp)

    # Option: failregex
    # Notes.: regex to match the password failures messages in the logfile. The
    #         host must be matched by a group named "host". The tag "<HOST>" can
    #         be used for standard IP/hostname matching and is only an alias for
    #         (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
    # Values: TEXT
    #
    failregex = ^%(__prefix_line)sAuthentication attempt for unknown user .* from <HOST>$
                ^%(__prefix_line)sBlocked authentication attempt for .* from <HOST>$
                ^%(__prefix_line)sBlocked user enumeration attempt from <HOST>$
                ^%(__prefix_line)sPingback error .* generated from <HOST>$
                ^%(__prefix_line)sAuthentication failure for .* from <HOST>$
                ^%(__prefix_line)sXML-RPC authentication failure from <HOST>$

    # Option: ignoreregex
    # Notes.: regex to ignore. If this regex matches, the line is ignored.
    # Values: TEXT
    #
    ignoreregex =

And then configured /etc/fail2ban/jail.conf like so:

    [wordpress]
    enabled = true
    port = http,https
    filter = wordpress
    logpath = /var/log/secure

To which I simply added:

    action = iptables-allports

Now it works!
Credit here: https://www.drupal.org/node/772238
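
An added example, not part of the original post or of the plugin's code: the six merged failregex rules run over constructed syslog lines, to check which lines would be counted and which address each failure is attributed to (including a username that itself contains " from "). The PREFIX pattern is a simplified stand-in for %(__prefix_line)s, and the sample lines and addresses are constructed.

```python
import re
from collections import Counter

# <HOST> alias as documented in the filter's own comment block.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"
# Assumption: simplified stand-in for %(__prefix_line)s from common.conf.
PREFIX = r"\s*(?:\S+\s+)?(?:wordpress|wp)(?:\([^)]*\))?(?:\[\d+\])?:\s+"
# fail2ban strips the timestamp before applying failregex; emulate that.
TIMESTAMP = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s")

FAILREGEX = [  # the six merged rules, in the order the post lists them
    r"^%(__prefix_line)sAuthentication attempt for unknown user .* from <HOST>$",
    r"^%(__prefix_line)sBlocked authentication attempt for .* from <HOST>$",
    r"^%(__prefix_line)sBlocked user enumeration attempt from <HOST>$",
    r"^%(__prefix_line)sPingback error .* generated from <HOST>$",
    r"^%(__prefix_line)sAuthentication failure for .* from <HOST>$",
    r"^%(__prefix_line)sXML-RPC authentication failure from <HOST>$",
]
SAMPLE_LOG = [  # constructed lines; addresses are from documentation ranges
    "Apr 19 14:51:07 droplet wordpress(website.com)[2292]: Authentication attempt for unknown user asd from 203.0.113.7",
    "Mar 22 10:12:13 droplet wordpress(www.website.com)[32588]: Authentication failure for asd from 203.0.113.7",
    "Apr 19 14:52:40 droplet wordpress(website.com)[2292]: XML-RPC authentication failure from 198.51.100.23",
    "Apr 19 14:53:02 droplet wordpress(website.com)[2292]: Authentication failure for a from 192.0.2.1 from 198.51.100.23",
    "Apr 19 14:50:01 droplet sshd[1201]: Failed password for root from 203.0.113.7 port 22 ssh2",
    "Apr 19 14:54:10 droplet wordpress(website.com)[2292]: Accepted password for admin from 203.0.113.7",
]

def compile_rules(rules=FAILREGEX):
    """Expand the fail2ban placeholders and compile each rule."""
    return [re.compile(r.replace("%(__prefix_line)s", PREFIX).replace("<HOST>", HOST))
            for r in rules]

def match_line(line, rules):
    """Return (rule_index, host) for the first rule that matches, else None."""
    body = TIMESTAMP.sub("", line.rstrip("\n"), count=1)
    for index, rx in enumerate(rules):
        m = rx.match(body)
        if m:
            return index, m.group("host")
    return None

def scan(lines):
    """Count matching lines per host across the whole log."""
    rules = compile_rules()
    hits = Counter(found[1] for found in (match_line(l, rules) for l in lines) if found)
    return dict(hits)

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

On a live host, fail2ban-regex run against /var/log/secure and the wordpress.conf filter file performs the same check with the real common.conf prefix.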
Forum: Plugins
In reply to: [WP fail2ban - Advanced Security] Update Readme

Yep, good point. I’m not sure either how to handle them, so for the time being I’ve just created a single wordpress.conf with all of the rules all together:

    failregex = ^%(__prefix_line)sAuthentication failure for .* from <HOST>$
                ^%(__prefix_line)sXML-RPC authentication failure from <HOST>$
                ^%(__prefix_line)sAuthentication attempt for unknown user .* from <HOST>$
                ^%(__prefix_line)sBlocked authentication attempt for .* from <HOST>$
                ^%(__prefix_line)sBlocked user enumeration attempt from <HOST>$
                ^%(__prefix_line)sPingback error .* generated from <HOST>$

Forum: Plugins
In reply to: [WP fail2ban - Advanced Security] wordpress-hard.conf failregex

I think it should actually be:

    failregex = ^%(__prefix_line)sAuthentication attempt for unknown user .* from <HOST>$

Forum: Plugins
In reply to: [WP fail2ban - Advanced Security] Varnish configuration

Latest update:

I realised I had to add the LOG_AUTHPRIV configuration, because that’s what my server uses for sshd. My wp-config.php now looks like this:

    /** WPfail2ban */
    define('WP_FAIL2BAN_PROXIES','my.ser.ver.ip');
    define('WP_FAIL2BAN_AUTH_LOG',LOG_AUTHPRIV);

Varnish is configured as written in my previous post.

fail2ban is configured following younghacker’s setup, but with

    logpath = /var/log/secure

Now if I tail -f /var/log/secure I can see my ip getting logged in correctly for Authentication failure, and if I fail2ban-client status apache-wp-login I also see my ip in the Banned IP list.

Still, I am not kicked out from trying to login to WP. Any idea of what else am I missing?
Forum: Plugins
In reply to: [WP fail2ban - Advanced Security] Varnish configuration

Ok the above worked. I had to put my server ip in WP_FAIL2BAN_PROXIES and now I can see /var/log/messages populating correctly:

    Apr 19 14:51:07 droplet wordpress(website.com)[2292]: Authentication attempt for unknown user asd from my.ip.add.ress

However, now it is not logging the failures, as fail2ban-client status apache-wp-login does not change in terms of numbers. Is it related to https://wordpress.org/support/topic/not-logging-wp-login-failures-300?replies=1 ?

Forum: Plugins
In reply to: [WP fail2ban - Advanced Security] Varnish configuration

Ok, so I have set the following in /etc/varnish/default.vcl in the sub vcl_recv block:

    if (req.restarts == 0) {
        # set or append the client.ip to X-Forwarded-For header
        if (req.http.X-Forwarded-For) {
            set req.http.X-Forwarded-For = req.http.X-Forwarded-For + ", " + client.ip;
        } else {
            set req.http.X-Forwarded-For = client.ip;
        }
    }

And then:

    sub vcl_pipe {
        set bereq.http.connection = "close";
        return (pipe);
    }

Source: http://www.harecoded.com/determining-the-real-client-ip-with-varnish-w-x-forwarded-for-2177289

Now, should WP_FAIL2BAN_PROXIES be set to my public IP address?

Forum: Plugins
In reply to: [WP fail2ban - Advanced Security] Varnish configuration

Hi anewmind,

thank you very much for sharing with us your solution! I’ve implemented it and now I can see the correct IP address in /var/log/messages.

    Mar 22 10:12:13 droplet wordpress(www.website.com)[32588]: Authentication failure for asd from my.ipa.ddr.ess

I’ve implemented younghacker’s recommended fail2ban config (https://github.com/younghacker/wp-fail2ban/tree/master/fail2ban) and everything seems working in the sense that my ip is getting blocked if I check with fail2ban-client status apache-wp-login:

    Status for the jail: apache-wp-login
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed: 13
    |  \- File list: /var/log/messages
    \- Actions
       |- Currently banned: 1
       |- Total banned: 2
       \- Banned IP list: my.ipa.ddr.ess

Still, I am not locked out from WordPress. Any idea of where the issue could be?