
Resolved fail2ban and Magento

CoyoteKG

Regular Pleskian
Hi,
I searched to see if someone had written about this here on the forum, but I did not find anything.

I found a Magento guide on how to set it up, and I did it.
I mistyped the password 5 times, but was not banned.

This is the jail
Code:
[magento]
enabled = true
filter = magento
action = iptables-allports[chain="INPUT", name="default", port="ssh", protocol="tcp", blocktype="REJECT --reject-with icmp-port-unreachable"]
    sendmail[dest="[email protected]", sender="fail2ban", sendername="Fail2Ban", name="default"]
logpath = /var/www/vhosts/*/logs/access_*log
maxretry = 2

and this is the filter
Code:
[Definition]
# Use this for "soft" bad behaviour, as the source will only be banned after multiple retries.
failregex = ^<HOST> .+"POST \S+(/downloader/|/downloader/index.php\?A=loggedin|/admin/index/|/admin/)\s
ignoreregex =

I also tried with
Code:
[Definition]
# Use this for "soft" bad behaviour, as the source will only be banned after multiple retries.
failregex = ^<HOST> .+"POST \S+wp-login.php
            ^<HOST> .+"(POST|GET) \S+/etc/passwd
            ^<HOST> .+"POST \S+(/downloader/|/downloader/index.php\?A=loggedin|/admin/index/|/admin/)\s
ignoreregex =

and I appended something similar to the WP jail, just like this, because I found it in the access logs
Code:
^<HOST> .* "POST .*/admin HTTP/.*" 200
but again without success.

In the fail2ban logs, I see that fail2ban added those logs that I need, and I saw that fail2ban was restarted, but I was not banned.
 
Hi,
Again I'm speaking with myself :).

I fixed it, but for now I don't know how.
I just edited two things.

I added 2 more log file paths, so the jail is now
Code:
[magento]
enabled = true
filter = magento
action = iptables-allports[chain="INPUT", name="default", port="ssh", protocol="tcp", blocktype="REJECT --reject-with icmp-port-unreachable"]
    sendmail[dest="[email protected]", sender="fail2ban", sendername="Fail2Ban", name="default"]
logpath = /var/www/vhosts/*/logs/access_*log
    /var/www/vhosts/system/*/logs/*access*log
    /var/log/apache2/*access.log
maxretry = 3

And I edited the filter.
Now it is
Code:
[Definition]
failregex = ^<HOST> .+"POST \S+wp-login.php
    ^<HOST> .+"(POST|GET) \S+/etc/passwd
    ^<HOST> .+"POST \S+(/downloader/|/downloader/index.php\?A=loggedin|/admin/index/|/admin/)\s
    ^<HOST>.* "POST .*/admin HTTP/.*" 200
ignoreregex =

I edited that third filter and deleted the space between HOST and ".". I don't know if it works now because of that, because I could not test it.
After every fail2ban change, I was too impatient to wait 20 minutes, and tried to test the login. And I was able to get the password wrong 10 times without a ban.
And after 20 minutes, when fail2ban had read the logs, it banned that IP.
Maybe it is because one of our sites has, from this morning until now, more than 250000 records. It needs time to read them...

So, now it works. Later, if I find time, I'll try to delete the paths and edit the filter, just to see if it still works.
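
An added example, not part of the posts above: a small offline check of which access-log lines the final filter's four failregex lines match, and which hosts reach the jail's maxretry. It assumes `<HOST>` can be approximated by one non-space token and ignores timestamps and findtime; the helper names and log lines are constructed for illustration.

```python
import re
from collections import Counter

# failregex lines copied from the final filter in the thread.
FAILREGEX = [
    r'^<HOST> .+"POST \S+wp-login.php',
    r'^<HOST> .+"(POST|GET) \S+/etc/passwd',
    r'^<HOST> .+"POST \S+(/downloader/|/downloader/index.php\?A=loggedin'
    r'|/admin/index/|/admin/)\s',
    r'^<HOST>.* "POST .*/admin HTTP/.*" 200',
]
MAXRETRY = 3  # value from the final [magento] jail

# Assumption: <HOST> approximated as one non-space token; fail2ban's own
# expansion is stricter, and it also handles the timestamp, which this skips.
COMPILED = [re.compile(p.replace("<HOST>", r"(?P<host>\S+)")) for p in FAILREGEX]

def access_line(ip, method, path, status=200):
    """Build a constructed Apache combined-format line (sample data)."""
    return (f'{ip} - - [12/Sep/2016:10:00:01 +0200] '
            f'"{method} {path} HTTP/1.1" {status} 5120 "-" "Mozilla/5.0"')

# Constructed sample log using documentation-range addresses.
SAMPLE_LOG = (
    [access_line("198.51.100.7", "POST", "/index.php/admin")] * 3
    + [access_line("203.0.113.9", "POST", "/index.php/admin/")]
    + [access_line("203.0.113.9", "GET", "/index.php/admin/")]
    # \S+ needs at least one character before /admin/, so this path is missed.
    + [access_line("192.0.2.44", "POST", "/admin/")] * 3
)

def match_line(line):
    """Return (host, index of first matching failregex), or None."""
    for index, regex in enumerate(COMPILED):
        found = regex.search(line)
        if found:
            return found.group("host"), index
    return None

def hosts_to_ban(lines, maxretry=MAXRETRY):
    """Hosts whose matching lines reach maxretry (findtime is ignored)."""
    hits = Counter(m[0] for m in map(match_line, lines) if m)
    return sorted(host for host, count in hits.items() if count >= maxretry)

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(match_line(line), "<-", line[:60])
    print("would ban:", hosts_to_ban(SAMPLE_LOG))
```

For a check against a real log, fail2ban ships the `fail2ban-regex` tool, which applies a filter to a log file with its own `<HOST>` and date handling.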
 