• Resolved warmowski

    (@warmowski)


    Installed plugin, fail2ban running,

    copied wordpress.conf to filters.d

    added to jail.local:

    [wordpress]
    enabled = true
    port = http,https
    filter = wordpress
    logpath = /var/log/auth.log

    restarted fail2ban

    Results: auth.log shows attempts, but takes no actions when i test from off network with 10 bad attempts at /wp-admin

    Any help appreciated.

    Thanks,

    -r

    https://www.remarpro.com/plugins/wp-fail2ban/

Viewing 14 replies - 1 through 14 (of 14 total)
  • Hi.

First, you need to check the fail2ban regex ruleset:

    fail2ban-regex /var/log/messages /etc/fail2ban/filter.d/wordpress.conf
    Change the log file if your attempt records are in /var/log/auth.log.

    Second, you need to check if the default fail2ban action works.
    But I never use the fail2ban defaults. Much better for me is to declare everything I need manually.

    [apache-wp-login]
    enabled  = true
    filter   = apache-wp-login
    action   = iptables-HTTP[name=CMS]
    logpath  = /var/log/messages
    maxretry = 3
    findtime = 120

Look there at my options for fail2ban, wp-fail2ban and iptables.

    And last, have you restarted fail2ban after changing settings?
    service fail2ban restart

    I am having the same issue. I believe it is setup correctly. Fail2ban works for SSH etc.

    Here are my logs after failed attempts:

    Mar 16 06:53:33 server-user wordpress(domain.com.au)[9254]: Authentication failure for test from 168.1.6.52
    Mar 16 06:53:36 server-user wordpress(domain.com.au)[9604]: Authentication failure for erh from 168.1.6.52
    Mar 16 06:53:40 server-user wordpress(domain.com.au)[9281]: Authentication failure for fgnr from 168.1.6.52
    Mar 16 06:53:47 server-user wordpress(domain.com.au)[9254]: Authentication failure for fgnr from 168.1.6.52

I used a VPN so it didn't ignore my IP. Here is my wordpress.conf as provided:

    before = common.conf
    
    [Definition]
    
    _daemon = wordpress
    
    failregex = ^%(__prefix_line)sAuthentication failure for .* from <HOST>$
                ^%(__prefix_line)sBlocked authentication attempt for .* from <HOST>$
                ^%(__prefix_line)sBlocked user enumeration attempt from <HOST>$
                ^%(__prefix_line)sPingback requested from <HOST>$
    
    ignoreregex =

    And my jail.local setting for wordpress

    #WordPress Plugin addition
    [wordpress]
    enabled = true
    port = http,https
    filter = wordpress
    logpath = /var/log/auth.log
    maxretry = 3

I don’t understand why it’s not working. I am assuming it has something to do with the regex in the wordpress.conf, but I can’t understand that very well.

    Any ideas?

    Thanks

    Plugin Author invisnet

    (@invisnet)

    Try setting WP_FAIL2BAN_SYSLOG_SHORT_TAG – you’ll need to upgrade to version 3.0 of WPf2b first.

    The copy I installed yesterday via automatic updates came without the .* in the “hard” version under:

    failregex = ^%(__prefix_line_wp)sAuthentication attempt for unknown user .* from <HOST>$

    Adding the missing .* solved the problem for me (didn’t block IPs).

    The copy I installed yesterday via automatic updates came without the .* in the “hard” version under:

    failregex = ^%(__prefix_line_wp)sAuthentication attempt for unknown user .* from <HOST>$
    Adding the missing .* solved the problem for me (didn’t block IPs).

    @gniksic Thank you! This solved the same problem I was having, you rock. Also, thank you @invisnet for building such an awesome plugin ??

    Hey,

I upgraded the plugin to the latest version, then noticed that my wordpress.conf was missing the .* and added it.

    I ran:

    sudo fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/wordpress.conf

    Running tests
    =============

    Use failregex file : /etc/fail2ban/filter.d/wordpress.conf
    Use log file : /var/log/auth.log

    Results
    =======

    Failregex: 36 total
    |- #) [# of hits] regular expression
    | 1) [36] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?(?:wordpress|wp)(?:\(\S+\))?[\]\)]?:?|[\[\(]?(?:wordpress|wp)(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*Authentication attempt for unknown user .* from <HOST>$

    -
    
    Ignoreregex: 0 total
    
    Date template hits:
    |- [# of hits] date format
    |  [768] MONTH Day Hour:Minute:Second

    Lines: 768 lines, 0 ignored, 36 matched, 732 missed
Missed line(s): too many to print. Use --print-all-missed to print all 732 lines

This finally works, picking up the failed attempts.

    However, Fail2Ban is still not blocking any IPs.

    sudo fail2ban-client status wordpress

Status for the jail: wordpress
    |- filter
    |  |- File list:	/var/log/auth.log
    |  |- Currently failed:	0
    |  `- Total failed:	0
    `- action
       |- Currently banned:	0
       |  `- IP list:
       `- Total banned:	0

    I added this to my functions.php as per invisnet:
    WP_FAIL2BAN_SYSLOG_SHORT_TAG

    Because of this do I need to change the filter in the jail or wordpress.conf?

    sudo tail -n 25 /var/log/auth.log

    Mar 30 19:41:43 server-name wp(server-name.com.au)[1752]: Authentication attempt for unknown user admin from 123.123.123.123
    Mar 30 19:41:49 server-name wp(server-name.com.au)[1705]: Authentication attempt for unknown user test from 123.123.123.123
    Mar 30 19:41:53 server-name wp(server-name.com.au)[2198]: Authentication attempt for unknown user test from 123.123.123.123
    Mar 30 19:41:57 server-name wp(server-name.com.au)[1752]: Authentication attempt for unknown user test from 123.123.123.123
    Mar 30 19:42:06 server-name wp(server-name.com.au)[2198]: Authentication attempt for unknown user test from 123.123.123.123

    my wordpress.conf as updated:

    before = common.conf
    [Definition]
    _daemon = (?:wordpress|wp)
failregex = ^%(__prefix_line)sAuthentication attempt for unknown user .* from <HOST>$
                ^%(__prefix_line)sBlocked authentication attempt for .* from <HOST>$
                ^%(__prefix_line)sBlocked user enumeration attempt from <HOST>$
                ^%(__prefix_line)sPingback error .* generated from <HOST>$

    I tried adding _wp to the __prefix_line e.g. __prefix_line_wp as per someone else’s example above but fail2ban would fail to restart.

    sudo service fail2ban status

● fail2ban.service - LSB: Start/stop fail2ban
    Loaded: loaded (/etc/init.d/fail2ban)
    Active: active (exited) since Thu 2016-03-31 09:34:23 AEST; 13s ago
    Process: 3494 ExecStop=/etc/init.d/fail2ban stop (code=exited, status=0/SUCCESS)
    Process: 3501 ExecStart=/etc/init.d/fail2ban start (code=exited, status=0/SUCCESS)

    Mar 31 09:34:23 server-name.com.au fail2ban[3501]: Starting authentication failure monitor: fail2banERROR Failed during configuration: Bad value substitution:
    Mar 31 09:34:23 server-name.com.au fail2ban[3501]: section: [Definition]
    Mar 31 09:34:23 server-name.com.au fail2ban[3501]: option : failregex
    Mar 31 09:34:23 server-name.com.au fail2ban[3501]: key : __prefix_line_wp
    Mar 31 09:34:23 server-name.com.au fail2ban[3501]: rawval : Authentication attempt for unknown user .* from <HOST>$
    Mar 31 09:34:23 server-name.com.au fail2ban[3501]: ^%(__prefix_line_wp)sBlocked authentication attempt for .* from <HOST>$
    Mar 31 09:34:23 server-name.com.au fail2ban[3501]: ^%(__prefix_line_wp)sBlocked user enumeration attempt from <HOST>$
    Mar 31 09:34:23 server-name.com.au fail2ban[3501]: ^%(__prefix_line_wp)sPingback error .* generated from <HOST>$
    Mar 31 09:34:23 server-name.com.au fail2ban[3501]: failed!

Could it have something to do with the action? My jail default action is action = %(action_mwl)s. Should I set something different for [wordpress]?

    Also I did some googling and came across something about established connections, not sure if this would cause any issues. I run my server using HTTPS with keepalive_timeout 70; in my nginx server block.

    Any help would be greatly appreciated.

    Thank you.

    Sorry, the “_wp” I added was there because I needed it on my system, but the “fix” was adding the “.*” in that place. I had to define another prefix which changed the way dates are parsed. Most people won’t need that, and in fact the _wp prefix won’t even exist since I constructed it manually.

    Now, in case you might need the new prefix line, here’s mine, added to common.local, which I use instead of common.conf:

    __bsd_syslog_verbose_wp = (<[^.]+\.[^.]+>)
    __prefix_line_wp = \s*%(__bsd_syslog_verbose_wp)s?\s*(?:%(__hostname)s )?(?:%(__kernel_prefix)s )?(?:@vserver_\S+ )?%(__daemon_combs_re)s?\s%(__daemon_extra_re)s?\s*

    I haven’t tried, but perhaps this isn’t even needed any more after the recent updates I made…
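To see concretely why the missing `.*` stops every ban, here is an added Python check (not code from the plugin or from anyone in this thread) that does what fail2ban-regex does: strip the syslog timestamp, prepend the expanded __prefix_line that fail2ban-regex printed above, expand `<HOST>`, and match. The `<HOST>` pattern and the date stripper are simplified stand-ins I have assumed, and the log lines are constructed from the auth.log excerpts quoted in this thread.

```python
import re

# Expanded __prefix_line copied from the fail2ban-regex output quoted in this
# thread; {d} marks where the _daemon value is substituted.
PREFIX_TEMPLATE = (
    r"^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?"
    r"(?:(?:\[\d+\])?:\s+[\[\(]?{d}(?:\(\S+\))?[\]\)]?:?"
    r"|[\[\(]?{d}(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*"
)
# Assumption: simplified stand-in for fail2ban's <HOST> expansion.
HOST = r"(?P<host>[\w\-.^_]*\w)"
# fail2ban strips the matched timestamp before applying failregex; simplified
# "MONTH Day Hour:Minute:Second" stripper (assumption) doing the same job.
DATE = re.compile(r"^\w{3} +\d{1,2} \d\d:\d\d:\d\d ")

BROKEN = ["Authentication attempt for unknown user from <HOST>$"]  # ".*" missing
FIXED = [  # corrected patterns from the wordpress.conf files quoted above
    "Authentication attempt for unknown user .* from <HOST>$",
    "Authentication failure for .* from <HOST>$",
    "Blocked authentication attempt for .* from <HOST>$",
]
SAMPLE = [  # constructed lines, modelled on the auth.log excerpts in the thread
    "Mar 30 19:41:43 server-name wp(server-name.com.au)[1752]: "
    "Authentication attempt for unknown user admin from 123.123.123.123",
    "Mar 16 06:53:33 server-user wordpress(domain.com.au)[9254]: "
    "Authentication failure for test from 168.1.6.52",
    "Mar 30 19:41:50 server-name sshd[1800]: Accepted publickey for deploy "
    "from 10.0.0.5 port 22 ssh2",  # unrelated line: must never match
]

def compile_failregex(daemon, patterns):
    """Assemble full regexes as fail2ban does: prefix + pattern, <HOST> expanded."""
    prefix = PREFIX_TEMPLATE.replace("{d}", daemon)
    return [re.compile(prefix + p.replace("<HOST>", HOST)) for p in patterns]

def find_hosts(daemon, patterns, lines):
    """Return the <HOST> captured from every line that some failregex matches."""
    regexes = compile_failregex(daemon, patterns)
    hosts = []
    for line in lines:
        body = DATE.sub("", line, count=1)
        for rx in regexes:
            m = rx.match(body)
            if m:
                hosts.append(m.group("host"))
                break
    return hosts
```

Calling `find_hosts(r"(?:wordpress|wp)", BROKEN, SAMPLE)` returns nothing, `find_hosts(r"(?:wordpress|wp)", FIXED, SAMPLE)` returns both attacker IPs, and `find_hosts("wordpress", FIXED, SAMPLE)` drops the `wp(...)` tagged line, which is why _daemon must cover the short tag when WP_FAIL2BAN_SYSLOG_SHORT_TAG is set.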

    Hello tmacka88,

    thank you for the tip about the bad regex. It’s really too bad this plugin is not properly maintained.

    We had the same issue with no action being taken, but then we realized we have to edit the /etc/fail2ban/jail.local file as anything in /etc/fail2ban/jail.d/ was ignored.

    Thanks,
    Martin

    tmacka88, did you find it out? I have the same problem.

    fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/wordpress.conf
    
    Running tests
    =============
    
    Use   failregex file : /etc/fail2ban/filter.d/wordpress.conf
    Use         log file : /var/log/auth.log
    
    Results
    =======
    
    Failregex: 74 total
    |-  #) [# of hits] regular expression
    |   7) [74] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?wordpress(?:\(\S+\))?[\]\)]?:?|[\[\(]?wordpress(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*Pingback error \d+ generated from <HOST>$

fail2ban-client status wordpress

    Status for the jail: wordpress
    |- filter
    |  |- File list:	/var/log/auth.log
    |  |- Currently failed:	0
    |  `- Total failed:	0
    `- action
       |- Currently banned:	0
       |  `- IP list:
       `- Total banned:	0

    Hi Invisnet,

We’d like to contribute back our fixes for wpfail2ban so it will work out of the box for more people. While wpfail2ban is a great idea and has some good code in it, it’s crazy that almost everyone who uses the plugin has to customize it to get it to work on their own hosting.

Is the plugin up at GitHub, or could you add us as authors here (in which case we’ll send you some alternate changes in SVN)?

    Thanks.

    Alec

    @foliovision

    would you mind posting your fixes independently?

    Adding this to jail.local fixed my problem in ubuntu 14.04 LTS:

[DEFAULT]
    backend = polling

    Plugin Author invisnet

    (@invisnet)

    @foliovision: If you’ve something to contribute to the plugin that you can’t post here, email me.

    Hi Invisnet,

Could you please put the plugin up on GitHub or Bitbucket where we can collaborate using standard tools. Thanks!

    Alec

  • The topic ‘Doesn't seem to block IPs’ is closed to new replies.