
Question: Fail2Ban log. Which WordPress instance is under attack?

Discussion in 'Plesk Suggestions and Feedback' started by CoyoteKG, Oct 19, 2017.

  1. CoyoteKG

    Is it possible somehow to tweak the Fail2Ban log to also contain which WordPress instance someone tried to log in to, and that Fail2Ban blocked it? That can be useful if more than one WordPress site is hosted on the server.

    For example, this morning, in the last 3 hours I had 208 tries to log in from different IP addresses, but I'm wondering which site is under attack.

    At this moment it looks like this:
    [attached screenshot: fail2ban.JPG]

    Now I will analyze the access logs manually, but it would be much easier to also have the site name included in this log.

    Or at least here:
    [attached screenshot: upload_2017-10-19_11-30-31.png]
    This report we receive by mail should contain the access log path, or the site name, and which jail banned this IP. It is much more useful than "3 attempts against default".

    Did someone try to set this up, and how? :)
     
  2. gbotica

    Hi,
    The jail that was triggered is included; in your case it is 'default' -- that's the jail name.

    I totally agree that log path or site domain would be helpful too.
     
  3. danami

    Unfortunately this isn't possible. fail2ban is scanning the site's access log and knows nothing about which host the log is under (host information isn't included in the log line).

    Update:

    Here is a one-liner so you can search for the IP address from the command line. This will tell you the site that was getting attacked:
    Code:
    zgrep ipaddress /var/www/vhosts/system/*/logs/*access*log*
    
     
    Last edited: Oct 19, 2017
    CoyoteKG likes this.
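Building on danami's one-liner above, here is an added shell example (not code from the thread or from Plesk) that maps an IP from the Fail2Ban log to the domain(s) whose access logs contain it, and counts the requests per domain so the busiest target is listed first. It assumes the Plesk layout /var/www/vhosts/system/<domain>/logs/ used in the one-liner; the log root is a parameter, and a constructed sample tree is included so it runs without a real server.

```shell
#!/bin/sh
# Added example, not code from the thread: answers the original question
# (which WordPress site was a banned IP hitting?) by looking the IP up in
# the per-domain access logs, as danami's one-liner does. The Plesk layout
# /var/www/vhosts/system/<domain>/logs/ is assumed; the log root is a
# parameter so the functions can be exercised on a constructed sample tree.

# Print the domains whose access logs contain the IP $1, one per line.
sites_for_ip() {
    ip=$1
    root=${2:-/var/www/vhosts/system}
    # -F: match the IP literally, so its dots are not regex wildcards.
    # -w: whole-word match, so 10.0.0.1 does not also hit 10.0.0.10.
    # -l: print matching file names only (the form gbotica tries later).
    grep -Flw -- "$ip" "$root"/*/logs/*access*log 2>/dev/null \
        | sed -e "s#^$root/##" -e 's#/logs/.*##' | sort -u
}

# Print "<count> <domain>" lines, busiest domain first, counting the IP's
# requests in access_log and access_ssl_log of each domain together.
requests_per_site() {
    ip=$1
    root=${2:-/var/www/vhosts/system}
    grep -FHcw -- "$ip" "$root"/*/logs/*access*log 2>/dev/null \
        | sed -e "s#^$root/##" -e 's#/logs/[^:]*:# #' \
        | awk '$2 > 0 { n[$1] += $2 } END { for (d in n) print n[d], d }' \
        | sort -rn
}

# Constructed sample tree (two domains, a few Apache combined-format
# lines) so the functions can run without a real Plesk server.
make_sample_tree() {
    root=$1
    mkdir -p "$root/example.com/logs" "$root/shop.example.net/logs"
    cat > "$root/example.com/logs/access_log" <<'EOF'
203.0.113.5 - - [19/Oct/2017:08:01:02 +0200] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.5 - - [19/Oct/2017:08:01:03 +0200] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Oct/2017:08:05:10 +0200] "GET /index.php HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
EOF
    cat > "$root/example.com/logs/access_ssl_log" <<'EOF'
203.0.113.5 - - [19/Oct/2017:08:01:04 +0200] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
EOF
    cat > "$root/shop.example.net/logs/access_log" <<'EOF'
198.51.100.7 - - [19/Oct/2017:08:06:00 +0200] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.50 - - [19/Oct/2017:08:07:00 +0200] "GET / HTTP/1.1" 200 5000 "-" "Mozilla/5.0"
EOF
}

# On a real server: ./wp-attack-target.sh 203.0.113.5
if [ "$#" -gt 0 ]; then requests_per_site "$@"; fi
```

Rotated .gz logs are not searched here; swap grep for zgrep as in the one-liner if you need older history.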
  4. gbotica

    I assumed so ... but presumably the log path might be obtainable?
     
  5. danami

    > I assumed so ... but presumably the log path might be obtainable?
    Not unless you change the log format, which isn't advisable as all the statistics programs and other regexes want Apache and nginx to use the same standard format. Best to just use the one-liner above, which will tell you what you want.
     
  6. gbotica

    Hi,

    Thanks for the suggestions, I'll give that a try, though I'll use grep, instead of zgrep because I'm only concerned with the recent log files, and it's also way faster.

    Thanks again.
     
  7. gbotica

    Hi,

    I've edited the actionban in /etc/fail2ban/action.d/sendmail.conf to:

    Code:
    actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from `uname -n`
                Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"`
                From: <sendername> <<sender>>
                To: <dest>\n
                Hi,\n
                The IP <ip> has just been banned by Fail2Ban after
                <failures> attempts against <name>.\n
                Logs:\n `grep <ip> /var/www/vhosts/system/*/logs/*access*log`
                Regards,\n
                Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
    
    ... but the grep doesn't work. Any ideas why?
     
  8. gbotica

    I've edited the new line to:

    Code:
    Logs:\n `grep -l <ip> /var/www/vhosts/system/*/logs/*access*log`
    in case the double quotes in the grep output were messing things up. It still doesn't work though; I just get "Logs: ".

    Any reason that grep command isn't working?

    Thanks!
     
  9. gbotica

    I've also tried:

    Code:
    Log:\n `grep -l --color=never <ip> /var/www/vhosts/system/*/logs/*access*log`
    Still no luck.
     
  10. danami

    That example command line isn't for fail2ban. It's just a command you can run to manually search all your logs so you can see what site is getting attacked.
     
  11. gbotica

    Thanks for your response. So, it seems there's no way to display the path of the log file that contains the banned <ip> in the Fail2Ban action, such as `sendmail`.
     