Koozali.org: home of the SME Server

New fail2ban filter needed for Wordpress

Offline holck

« on: June 02, 2018, 11:24:24 AM »
I run a website with Wordpress (wordpress-4.9.5-1.el6.noarch) and fail2ban (fail2ban-0.9.6-1.el6.1.noarch). I also downloaded and installed the fail2ban plugin from Wordpress (https://wordpress.org/plugins/wp-fail2ban/).

Yesterday, I experienced this attack:
Code:
Jun  1 15:19:14 myserver wordpress(mysite.dk)[18091]: XML-RPC authentication failure for myuser from 119.29.82.97
The attack lasted for half an hour, with a total of 882 attempts. It should have been caught by the wordpress-soft.conf filter in /etc/fail2ban/filter.d/, but obviously wasn't.

The filter's regex was:
Code:
failregex = ^%(__prefix_line)sAuthentication failure for .* from <HOST>$
            ^%(__prefix_line)sXML-RPC authentication failure from <HOST>$

I now have added an extra line:
Code:
failregex = ^%(__prefix_line)sAuthentication failure for .* from <HOST>$
            ^%(__prefix_line)sXML-RPC authentication failure for .* from <HOST>$
            ^%(__prefix_line)sXML-RPC authentication failure from <HOST>$

I guess this is not a bug in SME-server, but just want to provide the info.


Offline ReetP

Re: New fail2ban filter needed for Wordpress
« Reply #1 on: June 02, 2018, 01:14:03 PM »
Indeed... sounds like a bug in their plugin. Clearly F2B will ban if the rule is correct.

Suggest you report it to the plugin writer.

Guess you could open a bug on the tracker as a reference.
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline Jean-Philippe Pialasse

  • aka Unnilennium
    • http://smeserver.pialasse.com
Re: New fail2ban filter needed for Wordpress
« Reply #2 on: June 04, 2018, 08:44:49 PM »
I have had this for a few years, plus the fail2ban plugin installed in Wordpress.

Code:
failregex = ^%(__prefix_line)sAuthentication failure for .* from <HOST>$
            ^%(__prefix_line)sAuthentication attempt for unknown user .* from <HOST>$
            ^%(__prefix_line)sBlocked user enumeration attempt from <HOST>$
            ^%(__prefix_line)sBlocked authentication attempt for .* from <HOST>$
            ^%(__prefix_line)sPingback error .* generated from <HOST>$
            ^%(__prefix_line)sSpam comment \d+ from <HOST>$
            ^%(__prefix_line)sXML-RPC authentication attempt for unknown user .* from <HOST>$
            ^%(__prefix_line)sXML-RPC multicall authentication failure from <HOST>$
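Added example (not part of any post in this thread, and not fail2ban's own code): a small Python check that runs the original and the extended failregex from the first post over sample log lines and reports which wordpress lines no rule catches. PREFIX_LINE, HOST, TIMESTAMP and scan() are simplified stand-ins assumed here for fail2ban's own substitutions, and the two 203.0.113.7 lines are constructed.

```python
import re

# Assumed, simplified stand-ins for what fail2ban substitutes when loading a filter.
# Real fail2ban strips the timestamp itself and uses a richer __prefix_line.
TIMESTAMP = re.compile(r"^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d ")
PREFIX_LINE = r"(?:\S+ )?wordpress(?:\([^)]*\))?(?:\[\d+\])?: "
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# failregex lists as posted in the first message of the thread.
ORIGINAL = [
    r"^%(__prefix_line)sAuthentication failure for .* from <HOST>$",
    r"^%(__prefix_line)sXML-RPC authentication failure from <HOST>$",
]
EXTENDED = ORIGINAL + [
    r"^%(__prefix_line)sXML-RPC authentication failure for .* from <HOST>$",
]

SAMPLE = [
    # Line quoted in the first post.
    "Jun  1 15:19:14 myserver wordpress(mysite.dk)[18091]: "
    "XML-RPC authentication failure for myuser from 119.29.82.97",
    # Constructed lines in the shapes the original filter expects.
    "Jun  1 15:19:15 myserver wordpress(mysite.dk)[18091]: "
    "Authentication failure for admin from 203.0.113.7",
    "Jun  1 15:19:16 myserver wordpress(mysite.dk)[18091]: "
    "XML-RPC authentication failure from 203.0.113.7",
]

def scan(rules, lines):
    """Return ({ip: hits}, [lines that no rule matched])."""
    compiled = [
        re.compile(r.replace("%(__prefix_line)s", PREFIX_LINE).replace("<HOST>", HOST))
        for r in rules
    ]
    hits, missed = {}, []
    for line in lines:
        body = TIMESTAMP.sub("", line.rstrip("\n"))
        match = next((m for m in (rx.match(body) for rx in compiled) if m), None)
        if match:
            ip = match.group("host")
            hits[ip] = hits.get(ip, 0) + 1
        else:
            missed.append(line)  # a gap: this event would never count toward a ban
    return hits, missed

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("extended", EXTENDED)):
        print(name, *scan(rules, SAMPLE))
```

On a live system, fail2ban's bundled fail2ban-regex tool performs the same check against the real log file and filter file.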