fail2ban not working

Discussion in 'Installation/Configuration' started by Julian, Jan 12, 2017.

  1. Julian

    Julian Member

    Hello,

    I'm trying to make fail2ban work for WordPress, but it is not banning.
    Here is my config:
    /etc/fail2ban/jail.local
    [wordpress]
    enabled = true
    filter = wordpress
    action = iptables-multiport[name=wordpress, port="http,https"]
    logpath = /var/log/ispconfig/httpd/*/access.log
    maxretry = 3
    bantime = 1800

    /etc/fail2ban/filter.d/wordpress.conf
    # Fail2Ban filter for WordPress
    #
    #

    [Definition]
    failregex = ^<HOST> .* "POST /wp-login.php
    ignoreregex =

    Am I missing anything?
    Please help me,

    Thank you
     
  2. Jesse Norell

    Jesse Norell Well-Known Member

    I've not used iptables-multiport anywhere else other than what ispconfig has by following the Perfect Server guide, but the line there includes a protocol, so you could try:
    Code:
    action = iptables-multiport[name=wordpress, port="http,https", protocol=tcp]
    Other than that, perhaps your regex isn't matching. You can test that with fail2ban-regex, though you have to specify a specific log file (not wild .../*/access.log), so look up a name:
    Code:
    fail2ban-regex /var/log/ispconfig/httpd/domain.com/access.log /etc/fail2ban/filter.d/wordpress.conf
    If your regex doesn't match you could try this one, though I've had cases where leaving a wordpress site open in my browser timed out my session, and the login prompt kept reloading frequently, and I ended up blocking myself with this (doesn't happen frequently, but more than once -- perhaps remove the GET and it'd help?):
    Code:
    # cat /etc/fail2ban/filter.d/wp-login.local
    # Fail2ban config file matching wp-login.php access
    #
    # Author: Jesse Norell
    #
    
    [Definition]
    
    # This matches failed and successful attempts,
    # so set maxretry high enough to allow a few legitimate failed logins
    
    failregex = ^[^ ]* <HOST> .*"(GET|POST) //?wp-login.php
    ignoreregex =
    
    And I should probably mention, I haven't used that particular fail2ban filter on an ispconfig server, but on an older control panel (dtc), so haven't verified the log format/regex matches.
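
An offline approximation of the `fail2ban-regex` check suggested above, added here as an example and not code from either poster or from fail2ban: it runs both failregex lines from the thread over constructed access-log lines in two layouts and counts matches per captured host against `maxretry = 3`. The `HOST` pattern is a simplified stand-in for fail2ban's `<HOST>` expansion, the log lines and layouts are assumptions, and `hits` and `would_ban` are hypothetical helper names.

```python
import re
from collections import Counter

# Simplified stand-in for fail2ban's <HOST> expansion (assumption; the real
# pattern is version-specific and fail2ban also handles the timestamp itself).
HOST = r"(?P<host>[\w\-.^_]*\w)"

# failregex values copied from the two filters in the thread.
FILTERS = {
    "wordpress.conf": r'^<HOST> .* "POST /wp-login.php',
    "wp-login.local": r'^[^ ]* <HOST> .*"(GET|POST) //?wp-login.php',
}

# Constructed sample requests (not from a real server): two failed logins
# (200), one successful login (302), one login-page reload, one other page.
TAIL = '- - [12/Jan/2017:10:00:0%d +0000] "%s HTTP/1.1" %d 512 "-" "Mozilla/5.0"'
REQUESTS = [("POST /wp-login.php", 200), ("POST /wp-login.php", 200),
            ("POST /wp-login.php", 302), ("GET /wp-login.php", 200),
            ("GET /index.php", 200)]
ENTRIES = [TAIL % (i, req, status) for i, (req, status) in enumerate(REQUESTS)]

# Two assumed layouts: plain combined format, and vhost name as first field.
LOGS = {
    "combined": ["203.0.113.7 " + e for e in ENTRIES],
    "vhost-prefixed": ["example.com 203.0.113.7 " + e for e in ENTRIES],
}

def hits(failregex, lines):
    """Count matching lines per captured host value."""
    rx = re.compile(failregex.replace("<HOST>", HOST))
    return Counter(m.group("host") for m in map(rx.search, lines) if m)

def would_ban(failregex, lines, maxretry=3):
    """Captured hosts whose match count reaches maxretry (3 in the jail above)."""
    return sorted(h for h, n in hits(failregex, lines).items() if n >= maxretry)

if __name__ == "__main__":
    for name, rx in FILTERS.items():
        for layout, lines in LOGS.items():
            print(name, layout, dict(hits(rx, lines)), would_ban(rx, lines))
```

A captured host that is not the client address (the vhost name, for instance) means the regex does not fit that log layout; `fail2ban-regex` against the real log file remains the authoritative check.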
     
