
Issue: Default plesk-wordpress fail2ban doesn't work

John41
New Pleskian

Server operating system version: Debian 11
Plesk version and microupdate number: v18.0.59
Hello,

I think I have a setting problem with the Fail2ban WordPress filter, because I unfortunately have attacks of this type, and Fail2ban does not ban any IP.

The default setting is:
[Definition]
failregex = ^<HOST>.* "POST .*/wp-login.php([/\?#\\].*)? HTTP/.*" 200
ignoreregex =

And here's an example of the attack attempts I'd like to block:
GET //wp-includes/wlwmanifest.xml HTTP/1.0
GET //xmlrpc.php?rsd HTTP/1.0
GET //blog/wp-includes/wlwmanifest.xml HTTP/1.0
GET //web/wp-includes/wlwmanifest.xml HTTP/1.0
GET //wordpress/wp-includes/wlwmanifest.xml HTTP/1.0
GET //website/wp-includes/wlwmanifest.xml HTTP/1.0
GET //wp/wp-includes/wlwmanifest.xml HTTP/1.0
GET //news/wp-includes/wlwmanifest.xml HTTP/1.0
GET //2018/wp-includes/wlwmanifest.xml HTTP/1.0
GET //2019/wp-includes/wlwmanifest.xml HTTP/1.0
GET //shop/wp-includes/wlwmanifest.xml HTTP/1.0
GET //wp1/wp-includes/wlwmanifest.xml HTTP/1.0
GET //test/wp-includes/wlwmanifest.xml HTTP/1.0
GET //media/wp-includes/wlwmanifest.xml HTTP/1.0
GET //wp2/wp-includes/wlwmanifest.xml HTTP/1.0
GET //site/wp-includes/wlwmanifest.xml HTTP/1.0
GET //shop/wp-includes/wlwmanifest.xml HTTP/1.0
GET //cms/wp-includes/wlwmanifest.xml HTTP/1.0
GET //sito/wp-includes/wlwmanifest.xml HTTP/1.0
GET //wp-head.php HTTP/1.0
POST /wp-plain.php HTTP/1.0

Could you tell me what settings to add to this jail so that this type of attack is detected and banned?

Thank you very much!
 
You're only showing part of the log string. Normally you'll at least also need to know the response code of the web server. For example if it is 404 you could formulate a rule like

^<HOST> .*"(GET) /.*wp-includes/wlwmanifest.xml.*" 404.*
 
These are 403 errors.

Can I add:
failregex = ^<HOST> .*"(GET) /.*wp-includes/wlwmanifest.xml.*" 403.*
to Fail2ban to block these attacks?

Do I have to set a "failregex=" setting for each rule?
 
Not using wordpress, I would like to block all attempts containing "wp-".
If I add the following code, will they be blocked?
failregex = ^<HOST> .*"(GET) /.*wp-*.*" (200|403|404)
 
Yes, you can modify the rule accordingly. But be aware that any other file with "wp-" in its name will also trigger it.

You do not (and should not) add a new "failregex" per line. Just start the first line with it, but then add more filter lines underneath omitting an extra "failregex=".

Please also check out this elaborate blog article. It shows some examples:
 
Thank you very much for your quick reply.

Do you know how to do a single "failregex" request that would include the line:
failregex = ^<HOST> .*"(GET) /.*wp-*.*" (200|403|404)

and also block 403 or 404 errors to the "xmlrpc.php" file?

I haven't found an example with two settings in the same failregex.
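The multi-line failregex form described in the reply above ("start the first line with it, then add more filter lines underneath"), combined with the xmlrpc.php case asked about here, as an added worked example that is not from this thread or from Plesk's own filter. It emulates in Python how fail2ban expands `<HOST>` and applies each failregex line to access-log lines; the host regex is a simplification and the log lines are constructed.

```python
import re

# Minimal filter in fail2ban's [Definition] format (constructed for this example).
# Only the first line carries "failregex ="; each indented continuation line is one more pattern.
FILTER_TEXT = r"""[Definition]
failregex = ^<HOST> .*"(GET|POST) /.*wp-includes/wlwmanifest\.xml.*" (403|404)
            ^<HOST> .*"(GET|POST) /.*xmlrpc\.php.*" (403|404)
            ^<HOST> .*"POST .*/wp-login\.php([/\?#\\].*)? HTTP/.*" 200
ignoreregex =
"""

# Simplified stand-in for fail2ban's <HOST> expansion (assumption: IPv4 only; the real tag also takes IPv6 and hostnames).
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Constructed Apache combined-format lines: two refused probes, one wp-login POST, two benign requests.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2025:10:00:01 +0000] "GET //wp-includes/wlwmanifest.xml HTTP/1.0" 403 199 "-" "-"',
    '203.0.113.7 - - [01/Jan/2025:10:00:02 +0000] "GET //xmlrpc.php?rsd HTTP/1.0" 403 199 "-" "-"',
    '198.51.100.9 - - [01/Jan/2025:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 2044 "-" "-"',
    '192.0.2.5 - - [01/Jan/2025:10:00:04 +0000] "GET /wp-content/themes/x/style.css HTTP/1.1" 200 812 "-" "-"',
    '192.0.2.5 - - [01/Jan/2025:10:00:05 +0000] "GET //xmlrpc.php HTTP/1.1" 200 42 "-" "-"',
]


def parse_failregex(text):
    """Collect every failregex line from a filter definition and compile it."""
    patterns, in_failregex = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("failregex"):
            in_failregex = True
            stripped = stripped.split("=", 1)[1].strip()
        elif not line.startswith((" ", "\t")):
            in_failregex = False  # the next key (e.g. ignoreregex) ends the list
        if in_failregex and stripped:
            patterns.append(re.compile(stripped.replace("<HOST>", HOST_RE)))
    return patterns


def offending_hosts(log_lines, patterns):
    """Count, per source host, the lines that hit any failregex line. fail2ban cuts the
    timestamp out before matching; here the leading '.*' in each pattern absorbs it."""
    hits = {}
    for line in log_lines:
        for pat in patterns:
            match = pat.match(line)
            if match:
                host = match.group("host")
                hits[host] = hits.get(host, 0) + 1
                break  # one failure per line, whichever pattern matched first
    return hits
```

On a real server the same check is done with `fail2ban-regex <logfile> <filterfile>`, which reports exactly which lines each failregex line matched; the two benign 200 requests above must not count, which is why the status code belongs in the pattern.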
 