
Issue Default plesk-wordpress fail2ban doesn't work

John41

New Pleskian
Server operating system version: Debian 11
Plesk version and microupdate number: v18.0.59
Hello,

I think I have a setting problem with Fail2ban wordpress filter because I unfortunately have attacks of this type, and Fail2ban does not ban any IP.

The default setting is:
[Definition]
failregex = ^<HOST>.* "POST .*/wp-login.php([/\?#\\].*)? HTTP/.*" 200
ignoreregex =

And here's an example of the attack attempts I'd like to block:
GET //wp-includes/wlwmanifest.xml HTTP/1.0
GET //xmlrpc.php?rsd HTTP/1.0
GET //blog/wp-includes/wlwmanifest.xml HTTP/1.0
GET //web/wp-includes/wlwmanifest.xml HTTP/1.0
GET //wordpress/wp-includes/wlwmanifest.xml HTTP/1.0
GET //website/wp-includes/wlwmanifest.xml HTTP/1.0
GET //wp/wp-includes/wlwmanifest.xml HTTP/1.0
GET //news/wp-includes/wlwmanifest.xml HTTP/1.0
GET //2018/wp-includes/wlwmanifest.xml HTTP/1.0
GET //2019/wp-includes/wlwmanifest.xml HTTP/1.0
GET //shop/wp-includes/wlwmanifest.xml HTTP/1.0
GET //wp1/wp-includes/wlwmanifest.xml HTTP/1.0
GET //test/wp-includes/wlwmanifest.xml HTTP/1.0
GET //media/wp-includes/wlwmanifest.xml HTTP/1.0
GET //wp2/wp-includes/wlwmanifest.xml HTTP/1.0
GET //site/wp-includes/wlwmanifest.xml HTTP/1.0
GET //shop/wp-includes/wlwmanifest.xml HTTP/1.0
GET //cms/wp-includes/wlwmanifest.xml HTTP/1.0
GET //sito/wp-includes/wlwmanifest.xml HTTP/1.0
GET //wp-head.php HTTP/1.0
POST /wp-plain.php HTTP/1.0

Could you tell me what settings to add to this jail so that this type of attack is detected and banned?

Thank you very much!
 
You're only showing part of the log string. Normally you'll at least also need to know the response code of the web server. For example if it is 404 you could formulate a rule like

^<HOST> .*"(GET) /.*wp-includes/wlwmanifest.xml.*" 404.*
 
These are 403 errors.

Can I add:
failregex = ^<HOST> .*"(GET) /.*wp-includes/wlwmanifest.xml.*" 403.*
to Fail2ban to block these attacks?

Do I have to set a "failregex=" setting for each rule?
 
Not using WordPress, I would like to block all attempts containing "wp-".
If I add the following code, will they be blocked?
failregex = ^<HOST> .*"(GET) /.*wp-*.*" (200|403|404)
 
Yes, you can modify the rule accordingly. But be aware that any other file with "wp-" in its name will also trigger it.

You do not (and should not) add a new "failregex" per line. Just start the first line with it, but then add more filter lines underneath omitting an extra "failregex=".

Please also check out this elaborate blog article. It shows some examples:
 
Thank you very much for your quick reply.

Do you know how to do a single "failregex" request that would include the line:
failregex = ^<HOST> .*"(GET) /.*wp-*.*" (200|403|404)

and also block 403 or 404 errors to the "xmlrpc.php" file?

I haven't found an example with two settings in the same failregex.
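
An added example, not part of the original thread or of Plesk's shipped filter: it checks the pattern quoted above against a two-line failregex (one "failregex =" key, second pattern on the next line) using constructed log lines. The <HOST> stand-in, the combined patterns, and the sample paths and IPs are assumptions made for illustration.

```python
import re

# Assumption: simplified IPv4-only stand-in for fail2ban's <HOST> tag.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Pattern exactly as posted in the thread.
THREAD_FILTER = r'''failregex = ^<HOST> .*"(GET) /.*wp-*.*" (200|403|404)'''

# Candidate (assumption, not from the thread): one failregex key, two lines.
# "wp-" requires the literal hyphen; POST is added; xmlrpc.php has its own line.
COMBINED_FILTER = r'''failregex = ^<HOST> .*"(GET|POST) /.*wp-.*" (200|403|404)
            ^<HOST> .*"(GET|POST) /.*xmlrpc\.php.*" (403|404)'''

def compile_failregex(text):
    """Split a failregex value into one compiled pattern per line."""
    value = text.split("=", 1)[1]
    return [re.compile(p.strip().replace("<HOST>", HOST))
            for p in value.splitlines() if p.strip()]

def offenders(filter_text, log_lines):
    """Return the client IPs that have at least one matching log line."""
    rules = compile_failregex(filter_text)
    hits = set()
    for line in log_lines:
        for rule in rules:
            m = rule.search(line)
            if m:
                hits.add(m.group("host"))
                break
    return hits

# Constructed access-log lines (documentation IP ranges, made-up sizes).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2024:10:00:01 +0000] "GET //wp-includes/wlwmanifest.xml HTTP/1.0" 403 199 "-" "-"',
    '203.0.113.6 - - [10/Mar/2024:10:00:02 +0000] "GET //xmlrpc.php?rsd HTTP/1.0" 403 199 "-" "-"',
    '203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "POST /wp-plain.php HTTP/1.0" 404 196 "-" "-"',
    # Legitimate request: "wp" without a hyphen, served with 200.
    '198.51.100.9 - - [10/Mar/2024:10:00:04 +0000] "GET /docs/wpa2-setup.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.10 - - [10/Mar/2024:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print("thread pattern:", sorted(offenders(THREAD_FILTER, SAMPLE_LOG)))
    print("combined      :", sorted(offenders(COMBINED_FILTER, SAMPLE_LOG)))
```

In the thread's pattern, "wp-*" means "wp" followed by zero or more hyphens, so it flags the legitimate wpa2-setup.html request while missing the POST and xmlrpc.php lines. On the server, fail2ban-regex runs the same kind of check against the real access log.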
 