
Resolved custom Fail2ban Login Wordpress not working

daanse

Regular Pleskian
Hi,
my goal is to minimize logins to all WPs (and in the future Joomla).

I have set up the following jail:

In /etc/fail2ban/jail.conf:
Code:
[wp-login]
enabled = true
filter = wp-login
action = iptables-multiport[name=wp-login, port="http,https", protocol=tcp]
logpath = /var/www/vhosts/system/*/logs/access*_log
maxretry = 8
findtime = 30
bantime = 86400

In /etc/fail2ban/filter.d/wp-login.conf
Code:
[Definition]
failregex = ^<HOST> .* "POST .*wp-login.php HTTP/.*" 200
ignoreregex =

I have restarted f2b and tried to log in (15-30 times) and nothing happens.

(screenshot attached: Bildschirmfoto 2017-03-11 um 10.21.22.jpg)

Any suggestions?
 
That fail2ban regex is protecting the WordPress login page, whereas the bad guys are targeting the WordPress xmlrpc interface (API). I'll give you our WordPress login failure trigger from our Juggernaut Firewall product. Ours protects both wp-login.php and xmlrpc.php, and the regex should be the same to use with fail2ban:

Code:
[Definition]
failregex = ^<HOST> .* "POST .*(wp-login.php|xmlrpc.php) HTTP/.*" (200|401)
ignoreregex =
 
Hi @danami,
thank you, very kind, but it's still not working.
I tried about 10 different things again.
And now with your regex. I set up everything again (jail, filter, checked f2b status etc.);
all seems fine, I can log in over 10 times with failures...
 
Yes I am,
I really tried several tutorials the whole day.
The only thing I changed, compared to the Plesk standard filters, was some brackets:
Code:
action = iptables-multiport[name="wp-login", port="http,https", protocol="tcp"]

="" ="" <--- This is what I added, and now it works.
There are so many tutorials which show it without brackets but... yeah... now I am banned. :)

THANK YOU !
 
No I don't, but I could create one for you if you can provide me with the access_logs from some sample attacks you are seeing.
 
Maybe the following path could be used:

/var/www/vhosts/domain.com/joomla.domain.com/administrator/logs <---
there I found more specific messages (the German text below means "Username and password wrong, or the user account does not exist yet!"):
error.php
Code:
2017-03-11T15:13:52+00:00    INFO 37.24.145.241    joomlafailure    Benutzername und Passwort falsch oder das Benutzerkonto existiert noch nicht!
2017-03-11T15:13:54+00:00    INFO 37.24.145.241    joomlafailure    Benutzername und Passwort falsch oder das Benutzerkonto existiert noch nicht!
2017-03-11T15:13:59+00:00    INFO 37.24.145.241    joomlafailure    Benutzername und Passwort falsch oder das Benutzerkonto existiert noch nicht!
2017-03-11T15:14:01+00:00    INFO 37.24.145.241    joomlafailure    Benutzername und Passwort falsch oder das Benutzerkonto existiert noch nicht!
2017-03-11T15:14:03+00:00    INFO 37.24.145.241    joomlafailure    Benutzername und Passwort falsch oder das Benutzerkonto existiert noch nicht!
 
For the first example:

Code:
[Definition]
failregex = ^<HOST> .* "POST (\/administrator\/index\.php|\/index\.php\/component\/users\/\?task=user\.login)"
ignoreregex =

Note that it would also count good logins so set the threshold high. I'm not sure if joomla logs a failed login with a different status code as you didn't provide the access_log. There are many other posts if you just google this with better solutions (that involve installing plugins).

(edited to correct regex).
 
@danami thank you!
I didn't find an access log which caught my failed login attempts.
Did you see my last post? Would this help make the regex smarter?
 
Here you go. Make sure that you tell fail2ban to use that log. Completely untested though.

Code:
[Definition]
failregex = \S+\s+INFO <HOST>\s+joomlafailure\s+Benutzername und Passwort falsch oder das Benutzerkonto existiert noch nicht!
ignoreregex =
 
For this type of test, the best option is to install the Opera browser and use its VPN feature, so it will ban the VPN IP, not yours ;)
 
For the first example:
Code:
[Definition]
failregex = ^<HOST> .* "POST (\/administrator\/index\.php|\/index\.php\/component\/users\/\?task=user\.login)"
ignoreregex =
(edited to correct regex).

Hi, can you kindly adjust this regex, as the other one is not working?
I think it's better to include the status codes.

I've inserted 2 screenshots where you can see the status code (303).
 
Code:
[Definition]
failregex = ^<HOST> .* "POST (\/administrator\/index\.php|\/index\.php\/component\/users\/\?task=user\.login)" 303
ignoreregex =
 
Hi,
thanks. This is not working.
I'm sure I have the right logs.

Tested, and this is the log:
Code:
Backend:

109.236.81.133 - - [13/Mar/2017:14:30:18 +0100] "POST /administrator/index.php HTTP/1.1" 303 272 "http://some.domain.com/administrator/index.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 OPR/42.0.2393.94"
109.236.81.133 - - [13/Mar/2017:14:30:18 +0100] "GET /administrator/index.php HTTP/1.1" 200 4291 "http://some.domain.com/administrator/index.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 OPR/42.0.2393.94"

Frontend:
109.236.81.133 - - [13/Mar/2017:14:24:57 +0100] "POST /index.php/component/users/?task=user.login HTTP/1.1" 303 257 "http://some.domain.com/index.php/component/users/?view=login" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 OPR/42.0.2393.94"
109.236.81.133 - - [13/Mar/2017:14:24:58 +0100] "GET /index.php/component/users/?view=login HTTP/1.1" 200 3652 "http://some.domain.com/index.php/component/users/?view=login" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 OPR/42.0.2393.94"

JAIL:
Code:
[joomla-login-jail]
enabled = true
filter = joomla-login-filter
action = iptables-multiport[name="joomla-login", port="http,https", protocol="tcp"]
logpath = /var/www/vhosts/system/*/logs/*access*log
          /var/log/apache2/*access.log
maxretry = 6

FILTER:
Code:
[Definition]
failregex = ^<HOST> .* "POST (\/administrator\/index\.php|\/index\.php\/component\/users\/\?task=user\.login)" 303
ignoreregex =
 
@danami thanks for the help!!!!
I understand now why you asked for logs. Sorry I didn't provide them earlier.
I have got this working and tested it positively. Frontend and backend work with the following regex:
Code:
[Definition]
failregex = ^<HOST> .* "POST .*(\/administrator\/index\.php|\/index\.php\/component\/users\/\?task=user\.login) HTTP/.*" 303
ignoreregex =

Same structure as you already provided for WordPress.
Awesome.
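To see what the filters in this thread actually match, here is an added example written for this edit; it is not code from the thread, from Plesk or from Juggernaut Firewall. It takes the failregex lines quoted above (the original poster's first WordPress attempt, danami's wp-login/xmlrpc version, the final Joomla access-log version with 303, and the untested administrator/logs/error.php version), applies them to constructed log lines the way a jail would, and replays fail2ban's maxretry/findtime counting. The hosts 203.0.113.5 and 198.51.100.7, the log lines, the `<HOST>` stand-in (IPv4 only; real fail2ban also matches IPv6 and hostnames) and the function names are all this example's own assumptions.

```python
import re
from datetime import datetime, timedelta

# fail2ban replaces <HOST> with its own host pattern (IPv4, IPv6 or hostname);
# this stand-in only matches IPv4, which is all the constructed samples use.
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# failregex lines as quoted in the thread.
WP_FIRST_TRY = r'^<HOST> .* "POST .*wp-login.php HTTP/.*" 200'
WP_FINAL = r'^<HOST> .* "POST .*(wp-login.php|xmlrpc.php) HTTP/.*" (200|401)'
JOOMLA_ACCESS = (r'^<HOST> .* "POST .*(\/administrator\/index\.php|'
                 r'\/index\.php\/component\/users\/\?task=user\.login) HTTP/.*" 303')
JOOMLA_ERRORLOG = (r"\S+\s+INFO <HOST>\s+joomlafailure\s+Benutzername und Passwort "
                   r"falsch oder das Benutzerkonto existiert noch nicht!")

APACHE_TS = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")
ISO_TS = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}[+-]\d{2}:\d{2})")


def line_time(line):
    """Extract the timestamp from an Apache combined-log line or a Joomla error.php line."""
    m = APACHE_TS.search(line)
    if m:
        return datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")
    m = ISO_TS.match(line)
    if m:
        return datetime.fromisoformat(m.group(1))
    raise ValueError("no recognised timestamp in: " + line)


def simulate_jail(lines, failregex, maxretry, findtime):
    """Apply a failregex like a jail would; return (banned_hosts, matching_lines_per_host).

    A host is banned once `maxretry` matching lines fall inside any `findtime`-second
    window. Simplification (assumption of this example): real fail2ban strips the
    matched date before applying failregex and also honours bantime and ignoreip.
    """
    rx = re.compile(failregex.replace("<HOST>", HOST_RE))
    recent = {}   # host -> timestamps of matches still inside the window
    matches = {}  # host -> total number of matching lines
    banned = set()
    for line in lines:
        m = rx.search(line)
        if not m:
            continue
        host = m.group("host")
        t = line_time(line)
        matches[host] = matches.get(host, 0) + 1
        window = [x for x in recent.get(host, []) if t - x <= timedelta(seconds=findtime)]
        window.append(t)
        recent[host] = window
        if len(window) >= maxretry:
            banned.add(host)
    return banned, matches


def apache_line(host, second, request, status):
    """Constructed sample line in combined-log format, modelled on the thread's excerpts."""
    return (f'{host} - - [13/Mar/2017:14:30:{second:02d} +0100] "{request} HTTP/1.1" '
            f'{status} 512 "-" "Mozilla/5.0"')


# Constructed WordPress access log: 203.0.113.5 hits wp-login.php seven times and
# xmlrpc.php once (a failed login is answered with 200 and the form again), while
# 198.51.100.7 logs in successfully (302 redirect) and fetches the form with GET.
WP_ACCESS = [apache_line("203.0.113.5", s, "POST /wp-login.php", 200) for s in range(1, 15, 2)]
WP_ACCESS.append(apache_line("203.0.113.5", 15, "POST /xmlrpc.php", 200))
WP_ACCESS.append(apache_line("198.51.100.7", 20, "POST /wp-login.php", 302))
WP_ACCESS.append(apache_line("198.51.100.7", 21, "GET /wp-login.php", 200))

# Constructed Joomla access log: failed and successful logins both answer 303, so the
# access-log filter cannot tell 198.51.100.7's single good login from an attack.
JOOMLA_ACCESS_LOG = [
    apache_line("203.0.113.5", s, "POST /index.php/component/users/?task=user.login", 303)
    for s in range(30, 42, 2)
]
JOOMLA_ACCESS_LOG.append(apache_line("198.51.100.7", 45, "POST /administrator/index.php", 303))

# Constructed administrator/logs/error.php lines: only failed attempts appear here.
JOOMLA_ERRORS = [
    f"2017-03-11T15:13:{s:02d}+00:00    INFO 203.0.113.5    joomlafailure    Benutzername "
    f"und Passwort falsch oder das Benutzerkonto existiert noch nicht!"
    for s in (52, 54, 59)
]

if __name__ == "__main__":
    for label, log, rx, maxretry, findtime in [
        ("wp first try", WP_ACCESS, WP_FIRST_TRY, 8, 30),
        ("wp final", WP_ACCESS, WP_FINAL, 8, 30),
        ("joomla access log", JOOMLA_ACCESS_LOG, JOOMLA_ACCESS, 6, 30),
        ("joomla error.php", JOOMLA_ERRORS, JOOMLA_ERRORLOG, 3, 30),
    ]:
        print(label, simulate_jail(log, rx, maxretry, findtime))
```

With the thread's maxretry of 8, the first WordPress regex sees only the seven wp-login.php posts and bans nobody, while danami's version also counts the xmlrpc.php post and bans 203.0.113.5; the successful 302 login and the GET are ignored by both. The Joomla access-log filter counts the legitimate host's one good login as a failure (both outcomes are 303), which is why the advice above to keep the threshold high applies; the error.php filter only ever sees failures. On a real server the same check is `fail2ban-regex /path/to/access_log /etc/fail2ban/filter.d/wp-login.conf`, which reports how many lines matched and for which hosts, and custom jails belong in `/etc/fail2ban/jail.local` (or a file under `jail.d/`) rather than in `jail.conf`, which package upgrades overwrite.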
 