Fail2ban already banned with custom filter

Discussion in 'General' started by bubaweb, Jan 5, 2016.

  1. bubaweb

    bubaweb New Member

    I'm going crazy trying to find a solution for the fail2ban config with a WordPress custom filter.
    Also, if I set up the filter it seems to work: I get the login error, but the ban doesn't work.

    2016-01-05 14:45:30,303 fail2ban.actions: WARNING [wordpress] Ban 31.7.187.xxx
    2016-01-05 15:03:51,564 fail2ban.actions: WARNING [wordpress] 31.7.187.xxx already banned
    2016-01-05 15:04:28,602 fail2ban.actions: WARNING [wordpress] 31.7.187.xxx already banned
    2016-01-05 15:04:42,617 fail2ban.actions: WARNING [wordpress] 31.7.187.xxx already banned
    My custom filter:
    Code:
    # Fail2Ban configuration file
    #
    # Author: Charles Lecklider
    #
    
    [INCLUDES]
    
    # Read common prefixes. If any customizations available -- read them from
    # common.local
    before = common.conf
    
    
    [Definition]
    
    _daemon = wordpress
    
    # Option:  failregex
    # Notes.:  regex to match the password failures messages in the logfile. The
    #          host must be matched by a group named "host". The tag "<HOST>" can
    #          be used for standard IP/hostname matching and is only an alias for
    #          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
    # Values:  TEXT
    #
    failregex = ^%(__prefix_line)sAuthentication failure for .* from <HOST>$
                ^%(__prefix_line)sBlocked authentication attempt for .* from <HOST>$
                ^%(__prefix_line)sBlocked user enumeration attempt from <HOST>$
                ^%(__prefix_line)sPingback requested from <HOST>$
    
    # Option:  ignoreregex
    # Notes.:  regex to ignore. If this regex matches, the line is ignored.
    # Values:  TEXT
    #
    ignoreregex =
    My jail.local
    Code:
    [ispconfig]
    enabled  = true
    port     = 8080
    filter   = ispconfig
    logpath  = /var/log/ispconfig/auth.log
    maxretry = 3
    
    [wordpress]
    enabled = true
    filter = wordpress
    banaction = route
    logpath = /var/log/auth.log
    port = http,https
    maxretry = 5
    bantime  = 360000
    My action (it is route, but also with multi tables it was "already banned"):

    Code:
    # Fail2Ban configuration file
    
    [Definition]
    actionban = ip route add unreachable <ip>
    actionunban = ip route del unreachable <ip>
    Debian Wheezy
    PHP 5.3

    Any help, ideas, suggestions?
    The ispconfig filter works like a charm.
    Ah, I forgot: I set up the wp-fail2ban 2.3.2 plugin in WordPress.

    This is the auth.log:
    Code:
    Jan  5 15:08:16 servermio wordpress(www.ttt.it)[5355]: Authentication failure for dd from 31.7.187.xxx
    Jan  5 15:08:21 servermio wordpress(www.ttt.it)[5357]: Authentication failure for dd from 31.7.187.xxx
    Jan  5 15:08:24 servermio wordpress(www.ttt.it)[5357]: Authentication failure for dd from 31.7.187.xxx
     
  2. Jesse Norell

    Jesse Norell Active Member

    fail2ban recognizes that the IP address is already banned; that would suggest that the filter is fine/working, and the problem is in your banaction, i.e. it is not actually blocking the IP address.
    1. Have you restarted fail2ban?
    2. Do you have any other filters using the 'route' banaction that do work?
    3. Does 'ip route list | grep unreachable' list that IP (or any others)?
    4. Find some IP address you can ping, run the 'ip route add unreachable addr' command for that IP address, and are you now unable to ping it?
    I remember scratching my head over a banned IP address getting unbanned before the bantime was up once, and it turned out to be 2 fail2ban jails interacting, with the same unbanaction. IIRC, the host triggered more than one jail in a short time, and one jail had a much shorter bantime than another one, so it got unbanned (from the first jail's short bantime), then the second jail kept complaining that it was already banned. That should show up by searching for the IP address in question in fail2ban's log though; did you search for that (IP address) or just for 'wordpress' (jail name)?
     
  3. bubaweb

    bubaweb New Member

    Thx Jesse for your reply and time. I just took a look at fail2ban.log to understand if it happens always or only sometimes.
    I see that the "already banned" was when I unbanned the IP manually (it was an IP I was using to test the plugin).
    After this, I see that there are no other "already banned" IPs. In my opinion this could be, maybe, the manual unban that is not working the right way.
    The next question is now (after 48 hrs of testing and 2 different servers, not only on the ISPConfig panel): why, if this is my filter:
    Code:
    [wordpress]
    enabled = true
    filter = wordpress
    banaction = route
    logpath = /var/log/auth.log
    port = http,https
    maxretry = 5
    bantime  = 3600
    do I sometimes get a ban only after 200 attempts and some other times after 5 (the right retry)?
    Here, right now, from the fail2ban log:
    Code:
    2016-01-06 22:40:31,374 fail2ban.actions: WARNING [wordpress] Ban 159.253.7.222
    2016-01-06 22:41:46,027 fail2ban.actions: WARNING [wordpress] Ban 77.74.54.129
    Here from 2 alert mails:
    Code:
    The IP 159.253.7.222 has just been banned by Fail2Ban after
    200 attempts against wordpress.
    The IP 77.74.54.129 has just been banned by Fail2Ban after
    200 attempts against wordpress.
    
    This is auth.log, 200 times :O, the same time and second for all 200:
    Code:
    Jan  6 22:41:44 mioserver wordpress(www.mioserver .it)[31961]: Authentication failure for admin from 77.74.54.129
    Jan  6 22:41:44 mioserver wordpress(www.mioserver .it)[31961]: Authentication failure for admin from 77.74.54.129
    Jan  6 22:41:44 mioserver wordpress(www.mioserver .it)[31961]: Authentication failure for admin from 77.74.54.129
    Maybe the regex in wordpress.conf? See previous or next:

    Code:
    failregex = ^%(__prefix_line)sAuthentication failure for .* from <HOST>$
                ^%(__prefix_line)sBlocked authentication attempt for .* from <HOST>$
                ^%(__prefix_line)sBlocked user enumeration attempt from <HOST>$
                ^%(__prefix_line)sPingback requested from <HOST>$
    
     
  4. Jesse Norell

    Jesse Norell Active Member

    What is the timestamp for a set of 200 attempts? If the requests come in fast, it's common to have more than one before fail2ban catches and blocks it, especially depending on how fail2ban monitors for changes to the log file. 200 sounds pretty high for a normal scenario, but probably not unrealistic (especially if something allows multiple login attempts per request, like https://blog.sucuri.net/2015/10/brute-force-amplification-attacks-against-wordpress-xmlrpc.html).
     
  5. bubaweb

    bubaweb New Member

    Thx again... I will check... about the timestamp, where can I find it? :O

    Found a filter... tested, and it is OK:

    fail2ban-regex /var/www/miosito.it/log/access.log /etc/fail2ban/filter.d/apache-xmlrpc.conf
    Code:
    Results
    =======
    
    Failregex
    |- Regular expressions:
    |  [1] ^<HOST> .*POST .*xmlrpc\.php.*
    |
    `- Number of matches:
       [1] 7 match(es)
    
    Ignoreregex
    |- Regular expressions:
    |
    `- Number of matches:
    
    Summary
    =======
    
    Addresses found:
    [1]
        176.119.33.160 (Wed Jan 06 04:05:26 2016)
        183.111.174.72 (Wed Jan 06 09:25:58 2016)
        185.26.122.13 (Wed Jan 06 12:11:31 2016)
        89.161.207.30 (Wed Jan 06 14:22:31 2016)
        198.187.29.14 (Wed Jan 06 14:52:35 2016)
        85.128.142.14 (Wed Jan 06 19:12:39 2016)
        77.74.54.129 (Wed Jan 06 22:41:43 2016)
    BUT, there is a but... how do I call all vhosts in the fail2ban path?
    /var/www/*/log/access.log ??
    But fail2ban gives me an error when it tries to open an access.log in another vhost:
    Code:
    2016-01-06 23:55:18,727 fail2ban.comm   : WARNING Invalid command: ['set', 'apache-xmlrpc', 'addlogpath', '/var/www/miosito2.it/log/access.log']
     
    Last edited: Jan 7, 2016
  6. Jesse Norell

    Jesse Norell Active Member

    Just the logs, eg. the auth.log snippet you just posted shows 'Jan 6 22:41:44' for all three entries - what's the time range for the first and last of a set of 200 ?
     
  7. bubaweb

    bubaweb New Member

    The same time, hh:mm:ss :(
     
  8. Jesse Norell

    Jesse Norell Active Member

    If they're all the same, that just means you had a *lot* of requests in that 1 second period (if exactly 200 every time, you probably have something else like a firewall/security plugin that is cutting those off at exactly 200) - nothing to worry about, fail2ban will just block on the first one and then complain 199 times that it's already banned. :)
     
  9. bubaweb

    bubaweb New Member

    OK, I hope so too, because there are some (very low) brute forces stopped at 5, but many are stopped at 199/200 attempts.
    For whoever is interested in apache-xmlrpc, this is my working jail.local entry for ISPConfig:
    Code:
    [apache-xmlrpc]
    enabled = true
    port = http,https
    filter = apache-xmlrpc
    logpath = /var/www/*/log/access.log
    maxretry = 5
    bantime = 3600
     
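As an added example (not code from this thread, from the wp-fail2ban plugin, or from fail2ban itself): a small Python stand-in for fail2ban-regex and for a jail's ban accounting, run over constructed log lines. It takes the two failregex sets quoted above verbatim, expands `<HOST>` the way fail2ban's filter header describes, substitutes a simplified `__prefix_line` (an assumption; the real one in common.conf is more general), counts matches per address like the fail2ban-regex summary in post 5, and replays a burst of identical-timestamp failures to show why one second of 200 requests produces a single "Ban" followed by "already banned" warnings. The addresses, hostnames, sample lines and the year 2016 assumed for the syslog timestamps are all constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# fail2ban's <HOST> alias, as quoted in the wordpress.conf header on the page.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# Stand-in for common.conf's __prefix_line (syslog timestamp, hostname,
# "wordpress(vhost)[pid]: ").  Assumption: it only has to cover the
# wp-fail2ban lines shown in the thread, not every syslog variant.
PREFIX_LINE = (r"\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \S+ "
               r"wordpress(?:\([^)]*\))?(?:\[\d+\])?: ")

# The two filters from the thread, copied verbatim.
WORDPRESS_FAILREGEX = [
    r"^%(__prefix_line)sAuthentication failure for .* from <HOST>$",
    r"^%(__prefix_line)sBlocked authentication attempt for .* from <HOST>$",
    r"^%(__prefix_line)sBlocked user enumeration attempt from <HOST>$",
    r"^%(__prefix_line)sPingback requested from <HOST>$",
]
APACHE_XMLRPC_FAILREGEX = [r"^<HOST> .*POST .*xmlrpc\.php.*"]

SYSLOG_TS = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2})")
APACHE_TS = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")


def compile_failregex(patterns):
    """Expand the fail2ban placeholders and compile each failregex."""
    return [re.compile(p.replace("%(__prefix_line)s", PREFIX_LINE)
                        .replace("<HOST>", HOST_RE)) for p in patterns]


def match_host(compiled, line):
    """Host captured by the first failregex that matches the line, else None."""
    for rx in compiled:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


def parse_time(line):
    """Epoch seconds from a syslog (year assumed to be 2016) or Apache stamp."""
    m = SYSLOG_TS.search(line)
    if m:
        return datetime.strptime("2016 " + m.group(1), "%Y %b %d %H:%M:%S").timestamp()
    m = APACHE_TS.search(line)
    if m:
        return datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z").timestamp()
    raise ValueError("no timestamp in: " + line)


def count_matches(lines, patterns):
    """Matches per address, like the 'Addresses found' part of fail2ban-regex."""
    compiled = compile_failregex(patterns)
    counts = defaultdict(int)
    for line in lines:
        host = match_host(compiled, line)
        if host:
            counts[host] += 1
    return dict(counts)


def simulate_jail(lines, patterns, maxretry=5, findtime=600, bantime=3600):
    """Replay lines through a jail.  Models fail2ban's accounting: failures
    keep accumulating while a host is banned, and every time the count reaches
    maxretry a ban ticket is issued; the first is logged as "Ban", later ones
    as "already banned".  Returns the (event, host) pairs in order."""
    compiled = compile_failregex(patterns)
    failures = defaultdict(list)   # host -> failure timestamps inside findtime
    banned = {}                    # host -> ban expiry (epoch seconds)
    events = []
    for line in lines:
        host = match_host(compiled, line)
        if host is None:
            continue
        now = parse_time(line)
        if host in banned and now >= banned[host]:
            del banned[host]       # bantime elapsed: unban
        recent = [t for t in failures[host] if now - t <= findtime]
        recent.append(now)
        if len(recent) >= maxretry:
            if host in banned:
                events.append(("already banned", host))
            else:
                events.append(("Ban", host))
                banned[host] = now + bantime
            recent = []            # ticket consumed, count starts over
        failures[host] = recent
    return events


# Constructed sample logs (RFC 5737 test addresses, not lines from the thread).
AUTH_LOG = (
    ["Jan  6 22:39:%02d mioserver wordpress(www.example.it)[31950]: "
     "Authentication failure for dd from 203.0.113.10" % s for s in (1, 9, 20, 44)]
    + ["Jan  6 22:41:44 mioserver wordpress(www.example.it)[31961]: "
       "Authentication failure for admin from 203.0.113.20"] * 12
    + ["Jan  6 22:41:50 mioserver sshd[4021]: Failed password for root from 203.0.113.20 port 2222 ssh2"]
)
ACCESS_LOG = (
    ['203.0.113.30 - - [06/Jan/2016:22:41:43 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"'] * 5
    + ['203.0.113.30 - - [06/Jan/2016:22:41:44 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "-"']
)

if __name__ == "__main__":
    print(count_matches(AUTH_LOG, WORDPRESS_FAILREGEX))
    print(simulate_jail(AUTH_LOG, WORDPRESS_FAILREGEX))
    print(count_matches(ACCESS_LOG, APACHE_XMLRPC_FAILREGEX))
    print(simulate_jail(ACCESS_LOG, APACHE_XMLRPC_FAILREGEX))
```

The four slow failures from 203.0.113.10 never reach maxretry inside findtime, so they are counted but not banned; the twelve same-second failures from 203.0.113.20 trigger one "Ban" at the fifth line and an "already banned" at the tenth, which is the pattern behind the 200-attempt alert mails. The sshd line and the GET to xmlrpc.php are not matched by the respective filters, which is the kind of negative check worth keeping in a filter test.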
