• Inviting everyone who uses WordPress management tools in Plesk
    The Plesk team is conducting a 60-minute research session that includes an interview and a moderated usability test.
    To participate, please use this link .
    Your experience will help shape product decisions and ensure the tools better support real-world use cases.

Fail2Ban don't lock an IP

S

Stefan Becker

Basic Pleskian
Hi,

we have a brute force attack:

Code: 
188.132.180.106 - - [14/Jul/2014:22:03:37 +0200] "POST /administrator/index.php HTTP/1.0" 303 262 "-" "-"
188.132.180.106 - - [14/Jul/2014:22:03:38 +0200] "GET /administrator/index.php HTTP/1.0" 200 7244 "-" "-"
188.132.180.106 - - [14/Jul/2014:22:03:38 +0200] "GET /administrator/index.php HTTP/1.0" 200 7117 "-" "-"
188.132.180.106 - - [14/Jul/2014:22:03:39 +0200] "POST /administrator/index.php HTTP/1.0" 303 262 "-" "-"
188.132.180.106 - - [14/Jul/2014:22:03:40 +0200] "GET /administrator/index.php HTTP/1.0" 200 7244 "-" "-"
188.132.180.106 - - [14/Jul/2014:22:03:40 +0200] "GET /administrator/index.php HTTP/1.0" 200 7117 "-" "-"
188.132.180.106 - - [14/Jul/2014:22:03:41 +0200] "POST /administrator/index.php HTTP/1.0" 303 262 "-" "-"
188.132.180.106 - - [14/Jul/2014:22:03:41 +0200] "GET /administrator/index.php HTTP/1.0" 200 7244 "-" "-"
188.132.180.106 - - [14/Jul/2014:22:03:42 +0200] "GET /administrator/index.php HTTP/1.0" 200 7117 "-" "-"
188.132.180.106 - - [14/Jul/2014:22:03:43 +0200] "POST /administrator/index.php HTTP/1.0" 303 262 "-" "-"
188.132.180.106 - - [14/Jul/2014:22:03:44 +0200] "GET /administrator/index.php HTTP/1.0" 200 7244 "-" "-"
188.132.180.106 - - [14/Jul/2014:22:03:44 +0200] "GET /administrator/index.php HTTP/1.0" 200 7117 "-" "-"
188.132.180.106 - - [14/Jul/2014:22:03:46 +0200] "POST /administrator/index.php HTTP/1.0" 303 262 "-" "-"
188.132.180.106 - - [14/Jul/2014:22:03:46 +0200] "GET /administrator/index.php HTTP/1.0" 200 7244 "-" "-"
188.132.180.106 - - [14/Jul/2014:22:03:47 +0200] "GET /administrator/index.php HTTP/1.0" 200 7117 "-" "-"
188.132.180.106 - - [14/Jul/2014:22:03:48 +0200] "POST /administrator/index.php HTTP/1.0" 303 262 "-" "-"
188.132.180.106 - - [14/Jul/2014:22:03:48 +0200] "GET /administrator/index.php HTTP/1.0" 200 7244 "-" "-"
188.132.180.106 - - [14/Jul/2014:22:03:49 +0200] "GET /administrator/index.php HTTP/1.0" 200 7117 "-" "-"
188.132.180.106 - - [14/Jul/2014:22:03:50 +0200] "POST /administrator/index.php HTTP/1.0" 303 262 "-" "-"

And so on, but the Fail2Ban doesn't lock this ip address, why? And how can we manually lock about the webinterface this ip?

Best regards,

Stefan
 
Unless you have failed basic authentication attempts logged, Fail2Ban will do nothing (since it's authentication failure monitor). Alternatively, if you have a custom login solution, then you need to 1) make sure it logs authentication failures somewhere, 2) create a filter and jail in Fail2Ban to match these failures, 3) test and activate them. Please note that improperly implemented filter or logging may result in DoS possibility for the service you're trying to protect (read Fail2Ban README for details).
 
You must log in or register to reply here.

Similar threads

S
Issue Filter for plesk-wordpress jail does not work, any ideas?
Replies
1
Views
2K
AYamshanov
AYamshanov
M
Question fail2ban, can I ban visitors with no user agent?
Replies
1
Views
2K
Kaspar@Plesk
Kaspar@Plesk
TimReeves
Fail2Ban Jail needed for /var/log/sw-cp-server/error_log
Replies
5
Views
9K
roon
R
L
Issue Server backup fails after moving domain to subscription
Replies
6
Views
3K
Kaspar@Plesk
Kaspar@Plesk
J
Issue Default plesk-apache-badbot fail2ban doesn't work
2
Replies
23
Views
13K
Chad Reitsma
Chad Reitsma
Back
Top