I'm going crazy trying to find a solution for my fail2ban config with a WordPress custom filter. Even if I set up the filter and it seems to work, I have the login error, but the ban doesn't work.

Code:
2016-01-05 14:45:30,303 fail2ban.actions: WARNING [wordpress] Ban 31.7.187.xxx
2016-01-05 15:03:51,564 fail2ban.actions: WARNING [wordpress] 31.7.187.xxx already banned
2016-01-05 15:04:28,602 fail2ban.actions: WARNING [wordpress] 31.7.187.xxx already banned
2016-01-05 15:04:42,617 fail2ban.actions: WARNING [wordpress] 31.7.187.xxx already banned

My custom filter:

Code:
# Fail2Ban configuration file
#
# Author: Charles Lecklider
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

_daemon = wordpress

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
failregex = ^%(__prefix_line)sAuthentication failure for .* from <HOST>$
            ^%(__prefix_line)sBlocked authentication attempt for .* from <HOST>$
            ^%(__prefix_line)sBlocked user enumeration attempt from <HOST>$
            ^%(__prefix_line)sPingback requested from <HOST>$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

My jail.local:

Code:
[ispconfig]
enabled  = true
port     = 8080
filter   = ispconfig
logpath  = /var/log/ispconfig/auth.log
maxretry = 3

[wordpress]
enabled   = true
filter    = wordpress
banaction = route
logpath   = /var/log/auth.log
port      = http,https
maxretry  = 5
bantime   = 360000

My action (it is route, but also with multi tables it was "already banned"):

Code:
# Fail2Ban configuration file

[Definition]
actionban   = ip route add unreachable <ip>
actionunban = ip route del unreachable <ip>

Debian Wheezy, PHP 5.3. Any help, ideas, suggestions?

The ispconfig filter works like a charm.

Ah, I forgot: I set up the wp-fail2ban 2.3.2 plugin in WordPress. This is the auth.log:

Code:
Jan 5 15:08:16 servermio wordpress(www.ttt.it)[5355]: Authentication failure for dd from 31.7.187.xxx
Jan 5 15:08:21 servermio wordpress(www.ttt.it)[5357]: Authentication failure for dd from 31.7.187.xxx
Jan 5 15:08:24 servermio wordpress(www.ttt.it)[5357]: Authentication failure for dd from 31.7.187.xxx
fail2ban recognizes that the IP address is already banned; that would suggest that the filter is fine/working, and the problem is in your banaction, i.e. it is not actually blocking the IP address.

Have you restarted fail2ban? Do you have any other filters using the 'route' banaction that do work? Does 'ip route list | grep unreachable' list that IP (or any others)? Find some IP address you can ping, run the 'ip route add unreachable addr' command for that IP address, and are you now unable to ping it?

I remember scratching my head over a banned IP address getting unbanned before the bantime was up once, and it turned out to be 2 fail2ban jails interacting, with the same unbanaction. IIRC, the host triggered more than one jail in a short time, and one jail had a much shorter bantime than another one, so it got unbanned (from the first jail's short bantime), then the second jail kept complaining that it was already banned. That should show up by searching for the IP address in question in fail2ban's log though; did you search for that (IP address) or just for 'wordpress' (jail name)?
Thx Jesse for your reply and time. I just took a look at the fail2ban.log to understand if it happens always or only sometimes. I see that the "already banned" was when I unbanned the IP manually (it was an IP I was using to test the plugin). After this, I see that there are no other "already banned" IPs. In my opinion this could be, maybe, the manual unban that is not working in the right way.

The next question is now (after 48 hrs of testing and 2 different servers, not only on the ISPConfig panel): why, if this is my filter:

Code:
[wordpress]
enabled   = true
filter    = wordpress
banaction = route
logpath   = /var/log/auth.log
port      = http,https
maxretry  = 5
bantime   = 3600

do I sometimes get a ban only after 200 attempts and some other times after 5 (the right retry)?

Here, right now, from the fail2ban log:

Code:
2016-01-06 22:40:31,374 fail2ban.actions: WARNING [wordpress] Ban 159.253.7.222
2016-01-06 22:41:46,027 fail2ban.actions: WARNING [wordpress] Ban 77.74.54.129

Here from 2 alert mails:

Code:
The IP 159.253.7.222 has just been banned by Fail2Ban after 200 attempts against wordpress.
The IP 77.74.54.129 has just been banned by Fail2Ban after 200 attempts against wordpress.

This is auth.log, 200 times :O, same time to the second for all 200:

Code:
Jan 6 22:41:44 mioserver wordpress(www.mioserver .it)[31961]: Authentication failure for admin from 77.74.54.129
Jan 6 22:41:44 mioserver wordpress(www.mioserver .it)[31961]: Authentication failure for admin from 77.74.54.129
Jan 6 22:41:44 mioserver wordpress(www.mioserver .it)[31961]: Authentication failure for admin from 77.74.54.129

Maybe the regex in wordpress.conf? See previous or next:

Code:
failregex = ^%(__prefix_line)sAuthentication failure for .* from <HOST>$
            ^%(__prefix_line)sBlocked authentication attempt for .* from <HOST>$
            ^%(__prefix_line)sBlocked user enumeration attempt from <HOST>$
            ^%(__prefix_line)sPingback requested from <HOST>$
What is the timestamp for a set of 200 attempts? If the requests come in fast, it's common to have more than one before fail2ban catches and blocks it, especially depending on how fail2ban monitors for changes to the log file. 200 sounds pretty high for a normal scenario, but probably not unrealistic (especially if something allowed multiple login attempts per request, like https://blog.sucuri.net/2015/10/brute-force-amplification-attacks-against-wordpress-xmlrpc.html).
Thx again. I will check. About the timestamp, where can I find it? :O

Found a filter, tested it, and it is OK:

Code:
fail2ban-regex /var/www/miosito.it/log/access.log /etc/fail2ban/filter.d/apache-xmlrpc.conf

Code:
Results
=======

Failregex
|- Regular expressions:
|  [1] ^<HOST> .*POST .*xmlrpc\.php.*
|
`- Number of matches:
   [1] 7 match(es)

Ignoreregex
|- Regular expressions:
|
`- Number of matches:

Summary
=======

Addresses found:
[1]
    176.119.33.160 (Wed Jan 06 04:05:26 2016)
    183.111.174.72 (Wed Jan 06 09:25:58 2016)
    185.26.122.13 (Wed Jan 06 12:11:31 2016)
    89.161.207.30 (Wed Jan 06 14:22:31 2016)
    198.187.29.14 (Wed Jan 06 14:52:35 2016)
    85.128.142.14 (Wed Jan 06 19:12:39 2016)
    77.74.54.129 (Wed Jan 06 22:41:43 2016)

BUT, there is a but: how do I call all the vhosts in the fail2ban path? /var/www/*/log/access.log?? But fail2ban gives me an error when it tries to open an access.log in another vhost:

Code:
2016-01-06 23:55:18,727 fail2ban.comm : WARNING Invalid command: ['set', 'apache-xmlrpc', 'addlogpath', '/var/www/miosito2.it/log/access.log']
Just the logs, e.g. the auth.log snippet you just posted shows 'Jan 6 22:41:44' for all three entries. What's the time range for the first and last of a set of 200?
if they're all the same, that just means you had a *lot* of requests in that 1 second period (if exactly 200 every time, you probably have something else like a firewall/security plugin that is cutting those off at exactly 200) - nothing to worry about, fail2ban will just block on the first one and then complain 199 times that it's already banned.
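As an added illustration (not code from this thread, from wp-fail2ban or from fail2ban itself), this Python re-implements the posted failregex and models fail2ban's polling order: every line appended since the last poll is counted before any ticket is issued, so a burst of 200 identical lines in one second yields a single "Ban ... after 200 attempts", and tickets for the same host on later polls are logged as "already banned". The __prefix_line expansion, the site name, the PID and the IPs are assumptions.

```python
import re
from collections import defaultdict

# Assumed simplification of fail2ban's __prefix_line for the syslog lines wp-fail2ban writes
# ("Mon DD HH:MM:SS host wordpress(site)[pid]: "); common.conf's daemon prefix allows "(site)" too.
PREFIX = r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ wordpress(?:\(\S+\))?(?:\[\d+\])?:\s+"
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"  # <HOST>, as the filter's own comment shows it
FAILREGEX = [re.compile(PREFIX + p.replace("<HOST>", HOST) + "$") for p in (
    r"Authentication failure for .* from <HOST>",
    r"Blocked authentication attempt for .* from <HOST>",
    r"Blocked user enumeration attempt from <HOST>",
    r"Pingback requested from <HOST>",
)]

def failing_host(line):
    """Host captured by the first matching failregex, or None (what fail2ban-regex lists)."""
    for rx in FAILREGEX:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None

def poll(new_lines, banned, maxretry=5):
    """One polling cycle: count every newly appended line first, then emit one ticket per
    host at/over maxretry with the full count ('already banned' if it is banned already)."""
    attempts = defaultdict(int)
    for line in new_lines:
        host = failing_host(line)
        if host:
            attempts[host] += 1
    events = []
    for host, n in attempts.items():
        if n < maxretry:
            continue
        if host in banned:
            events.append(f"{host} already banned")
        else:
            banned.add(host)
            events.append(f"Ban {host} after {n} attempts")
    return events

# Constructed log lines in the thread's format (site name, pid and IPs are made up).
LINE = "Jan  6 22:41:44 mioserver wordpress(www.example.it)[31961]: %s"
SLOW = [LINE % "Authentication failure for dd from 203.0.113.5"] * 5
BURST = [LINE % "Authentication failure for admin from 198.51.100.7"] * 200
PINGBACK = [LINE % "Pingback requested from 192.0.2.9"]

def demo():
    # Two polls: the whole burst lands in the first one, then the burst repeats.
    banned = set()
    return poll(SLOW + BURST + PINGBACK, banned), poll(BURST, banned)
```

findtime is deliberately ignored, since each constructed batch falls inside a single window; a lone pingback stays below maxretry and never produces a ticket.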
OK, I hope so too, because there are some (very slow) brute forces stopped at 5, but many are stopped at 199/200 attempts. For whoever is interested in apache-xmlrpc, to add in jail.local, this is my working one for ISPConfig:

Code:
[apache-xmlrpc]
enabled  = true
port     = http,https
filter   = apache-xmlrpc
logpath  = /var/www/*/log/access.log
maxretry = 5
bantime  = 3600