Issue Default plesk-wordpress fail2ban doesn't work

[John41]

Server operating system version

Debian 11

Plesk version and microupdate number

v18.0.59

Hello,

I think I have a setting problem with Fail2ban wordpress filter because I unfortunately have attacks of this type, and Fail2ban does not ban any IP.

The default setting is:

[Definition]
failregex = ^<HOST>.* "POST .*/wp-login.php([/\?#\\].*)? HTTP/.*" 200
ignoreregex =

And here's an example of the attack attempts I'd like to block:

GET //wp-includes/wlwmanifest.xml HTTP/1.0
GET //xmlrpc.php?rsd HTTP/1.0
GET //blog/wp-includes/wlwmanifest.xml HTTP/1.0
GET //web/wp-includes/wlwmanifest.xml HTTP/1.0
GET //wordpress/wp-includes/wlwmanifest.xml HTTP/1.0
GET //website/wp-includes/wlwmanifest.xml HTTP/1.0
GET //wp/wp-includes/wlwmanifest.xml HTTP/1.0
GET //news/wp-includes/wlwmanifest.xml HTTP/1.0
GET //2018/wp-includes/wlwmanifest.xml HTTP/1.0
GET //2019/wp-includes/wlwmanifest.xml HTTP/1.0
GET //shop/wp-includes/wlwmanifest.xml HTTP/1.0
GET //wp1/wp-includes/wlwmanifest.xml HTTP/1.0
GET //test/wp-includes/wlwmanifest.xml HTTP/1.0
GET //media/wp-includes/wlwmanifest.xml HTTP/1.0
GET //wp2/wp-includes/wlwmanifest.xml HTTP/1.0
GET //site/wp-includes/wlwmanifest.xml HTTP/1.0
GET //shop/wp-includes/wlwmanifest.xml HTTP/1.0
GET //cms/wp-includes/wlwmanifest.xml HTTP/1.0
GET //sito/wp-includes/wlwmanifest.xml HTTP/1.0
GET //wp-head.php HTTP/1.0
POST /wp-plain.php HTTP/1.0

Could you tell me what settings to add to this jail so that this type of attack is detected and banned?

Thank you very much!

 

[Peter Debik]

You're only showing part of the log string. Normally you'll at least also need to know the response code of the web server. For example if it is 404 you could formulate a rule like

^<HOST> .*"(GET) /.*wp-includes/wlwmanifest.xml.*" 404.*

 

[John41]

You're only showing part of the log string. Normally you'll at least also need to know the response code of the web server. For example if it is 404 you could formulate a rule like

^<HOST> .*"(GET) /.*wp-includes/wlwmanifest.xml.*" 404.*

These are 403 errors.

Can I add:

failregex = ^<HOST> .*"(GET) /.*wp-includes/wlwmanifest.xml.*" 403.*

to Fail2ban to block these attacks?

Do I have to set a "failregex=" setting for each rule?

 

[John41]

Not using wordpress, I would like to block all attempts containing "wp-".
If I add the following code, will they be blocked?

failregex = ^<HOST> .*"(GET) /.*wp-*.*" (200|403|404)

 

[Peter Debik]

Yes, you can modify the rule accordingly. But be aware that any other file with "wp-" in its name will also trigger it.

You do not (and should not) add a new "failregex" per line. Just start the first line with it, but then add more filter lines underneath omitting an extra "failregex=".

Please also check out this elaborate blog article. It shows some examples:

How to Avoid High CPU Load & Block Bad Bots with Plesk

Learn how to effectively reduce CPU usage and keep bad bots and hackers away from your websites using Plesk Cgroups Manager and Fail2Ban.

www.plesk.com

 

[John41]

Thank you very much for your quick reply.

Do you know how to do a single "failregex" request that would include the line:

failregex = ^<HOST> .*"(GET) /.*wp-*.*" (200|403|404)

and also block 403 or 404 errors to the "xmlrpc.php" file?

I haven't found an example with two settings in the same failregex.

 

[Peter Debik]

You can find an example in the above mentioned blog article.