OSM JILI register,July month Calendar.Recharge Every day and Get Bonus up-to 50%!

(@virtualced)

Hello,

I’ve got some difficulties to install the plugin (for the fail2ban part, not for the plugin itself), so I’m looking for your help.

in my /etc/fail2ban/filters.d I’ve put the wordpress.conf
in my /etc/fail2ban/jail.conf I’ve added

[wordpress]

enabled = true
filter = wordpress
logpath = /var/log/auth.log
port    = http
maxretry = 6

When launching a fail2ban-regex on auth.log with wordpress.conf as filter I have

Running tests
=============

Use regex file : filter.d/wordpress.conf
Use log file   : /var/log/auth.log

Results
=======

Failregex
|- Regular expressions:
|  [1] ^\s*(?:\S+ )?(?:kernel: \[\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?wordpress(?:\(\S+\))?[\]\)]?:?|[\[\(]?wordpress(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:)?\s*Authentication failure for .* from <HOST>$
|

– Number of matches:
[1] 22 match(es)

Ignoreregex
|- Regular expressions:
|

- Number of matches:

Summary
=======

Addresses found:
[1]
    194.154.219.97 (Thu Feb 07 08:42:35 2013)
    195.46.235.88 (Thu Feb 07 08:57:13 2013)
    195.46.235.88 (Thu Feb 07 08:57:43 2013)
    176.123.0.104 (Thu Feb 07 08:58:27 2013)
    176.123.0.105 (Thu Feb 07 08:58:27 2013)
    176.123.0.99 (Thu Feb 07 08:58:28 2013)
    176.123.0.103 (Thu Feb 07 09:05:51 2013)
    176.123.0.103 (Thu Feb 07 09:13:15 2013)
    176.123.0.110 (Thu Feb 07 09:16:28 2013)
    176.123.0.110 (Thu Feb 07 09:23:01 2013)
    188.143.232.45 (Thu Feb 07 09:58:29 2013)
    188.143.232.45 (Thu Feb 07 09:58:30 2013)
    195.46.235.88 (Thu Feb 07 10:14:23 2013)
    195.46.235.88 (Thu Feb 07 10:16:07 2013)
    173.254.28.21 (Thu Feb 07 14:02:33 2013)
    203.206.167.242 (Thu Feb 07 15:47:37 2013)
    217.58.114.252 (Thu Feb 07 15:48:48 2013)
    205.178.145.64 (Thu Feb 07 21:29:00 2013)
    75.126.152.226 (Thu Feb 07 21:45:47 2013)
    78.137.164.71 (Thu Feb 07 21:53:55 2013)
    213.251.189.205 (Thu Feb 07 23:22:03 2013)
    188.143.232.224 (Fri Feb 08 01:39:53 2013)

Date template hits:
3711 hit(s): MONTH Day Hour:Minute:Second
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second Year
0 hit(s): WEEKDAY MONTH Day Hour:Minute:Second
0 hit(s): Year/Month/Day Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/Month/Year Hour:Minute:Second
0 hit(s): Day/MONTH/Year:Hour:Minute:Second
0 hit(s): Month/Day/Year:Hour:Minute:Second
0 hit(s): Year-Month-Day Hour:Minute:Second
0 hit(s): Year.Month.Day Hour:Minute:Second
0 hit(s): Day-MONTH-Year Hour:Minute:Second[.Millisecond]
0 hit(s): Day-Month-Year Hour:Minute:Second
0 hit(s): TAI64N
0 hit(s): Epoch
0 hit(s): ISO 8601
0 hit(s): Hour:Minute:Second
0 hit(s): <Month/Day/Year@Hour:Minute:Second>

Success, the total number of match is 22

However, look at the above section 'Running tests' which could contain important
information.

In my fail2ban.log I have

2013-02-07 10:13:48,877 fail2ban.jail   : INFO   Creating new jail 'wordpress'
2013-02-07 10:13:48,877 fail2ban.jail   : INFO   Jail 'wordpress' uses Gamin
2013-02-07 10:13:48,877 fail2ban.filter : INFO   Added logfile = /var/log/auth.log
2013-02-07 10:13:48,878 fail2ban.filter : INFO   Set maxRetry = 6
2013-02-07 10:13:48,878 fail2ban.filter : INFO   Set findtime = 600
2013-02-07 10:13:48,879 fail2ban.actions: INFO   Set banTime = 600
2013-02-07 10:13:48,884 fail2ban.jail   : INFO   Jail 'ssh' started
2013-02-07 10:13:48,885 fail2ban.jail   : INFO   Jail 'wordpress' started

I have some jailed action due to SSH attacks,but nothing due to wordpress.
I even try to trigger it my self entering 10 consecutive bad logins from my computer.

But the problem is, if I enter the same login with different password (like trying to bruteforce admin account) I don’t have the required lines in the auth.log

Feb  8 08:03:57 panel wordpress(vue-360.com)[23820]: Accepted password for Virtualced from 194.154.219.97
Feb  8 08:14:37 panel wordpress(wp-adm.in)[26112]: Authentication failure for admin from 195.46.235.88
Feb  8 08:15:04  wordpress(wp-adm.in)[26112]: last message repeated 7 times
Feb  8 08:15:04 panel wordpress(wp-adm.in)[26112]: Authentication failure for aaa from 195.46.235.88
Feb  8 08:15:08 panel wordpress(wp-adm.in)[26112]: Authentication failure for bbb from 195.46.235.88
Feb  8 08:15:13 panel wordpress(wp-adm.in)[26112]: Authentication failure for ccc from 195.46.235.88
Feb  8 08:15:17 panel wordpress(wp-adm.in)[26112]: Authentication failure for ddd from 195.46.235.88
Feb  8 08:15:20 panel wordpress(wp-adm.in)[26112]: Authentication failure for eee from 195.46.235.88

I have the log line `Feb 8 08:15:04 wordpress(wp-adm.in)[26112]: last message repeated 7 times’ instead of several lines to be counted by fail2ban.
The only way to lock an account is to change the password at each try.

As most of the hackers try several password on only one account, it’s difficult to manage…

https://www.ads-software.com/extend/plugins/wp-fail2ban/

Viewing 2 replies - 1 through 2 (of 2 total)

Plugin Author invisnet
(@invisnet)

12 years, 1 month ago

See: https://www.fail2ban.org/wiki/index.php/Fail2ban:Community_Portal#Count_.22Last_message_repeated_N_times.22_correctly

Gilligan
(@playgod)

11 years, 10 months ago

For many newer RedHat downstream distros, such as CentOS, Amazon, Scientific: the log to parse is /var/log/messages

ref: https://php.net/manual/en/function.syslog.php (see comments)

test:
fail2ban-regex /var/log/messages /etc/fail2ban/filter.d/wordpress.conf

Viewing 2 replies - 1 through 2 (of 2 total)

The topic ‘Nothing blocked, don't understand why.’ is closed to new replies.