
Question Fail2Ban log. Which Wordpress instance is under attack

kojot

Regular Pleskian
Is it possible somehow to tweak the Fail2Ban log so that it also contains which Wordpress instance someone tried to log in to, and Fail2Ban blocked it? That can be useful if more than one Wordpress site is hosted on the server.

For example, this morning, in the last 3 hours I have had 208 tries to log in from different IP addresses, but I wonder what site is under attack.

At this moment it is like this:
[attachment: fail2ban.JPG]

Now I will analyze the access logs manually, but it would be much easier to have the site name included in this log as well.

Or at least here:
[attachment: upload_2017-10-19_11-30-31.png]
This report we receive by mail should contain the access log path or site name, and which jail banned this IP. It is much more useful than "3 attempts against default".

Did someone try to set this up, and how? :)
 
Hi,
The jail that was triggered is included; in your case it is 'default' -- that's the jail name.

I totally agree that log path or site domain would be helpful too.
 
Unfortunately this isn't possible. fail2ban is scanning the sites' access logs and knows nothing about which host the log is under (host information isn't included in the log line).

Update:

Here is a one-liner so you can search for the IP address from the command line. This will tell you the site that was getting attacked:
Code:
zgrep ipaddress /var/www/vhosts/system/*/logs/*access*log*
 
> Unfortunately this isn't possible. fail2ban is scanning the sites' access logs and knows nothing about which host the log is under (host information isn't included in the log line).

I assumed so ... but presumably the log path might be obtainable?
 
> I assumed so ... but presumably the log path might be obtainable?
Not unless you change the log format, which isn't advisable as all the statistics programs and other regexes want Apache and nginx to use the same standard format. Best to just use the one-liner above, which will tell you what you want.
 
Hi,

Thanks for the suggestions, I'll give that a try, though I'll use grep, instead of zgrep because I'm only concerned with the recent log files, and it's also way faster.

Thanks again.
 
Hi,

I've edited the actionban in /etc/fail2ban/action.d/sendmail.conf to:

Code:
# /etc/fail2ban/action.d/sendmail.conf: <ip>, <name>, <failures>, <sender> and <dest>
# are substituted by Fail2Ban, '%%' is a literal '%' for printf, and the backticks
# are evaluated by the shell that runs the action.
actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from `uname -n`
            Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"`
            From: <sendername> <<sender>>
            To: <dest>\n
            Hi,\n
            The IP <ip> has just been banned by Fail2Ban after
            <failures> attempts against <name>.\n
            Logs:\n `grep <ip> /var/www/vhosts/system/*/logs/*access*log`
            Regards,\n
            Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>

... but the grep doesn't work. Any ideas why?
 
I've edited the new line to:

Code:
Logs:\n `grep -l <ip> /var/www/vhosts/system/*/logs/*access*log`

in case the double quotes in the grep output were messing things up. Still doesn't work though, I just get "Logs: ".

Any reason that grep command isn't working?

Thanks!
 
I've also tried:

Code:
Log:\n `grep -l --color=never <ip> /var/www/vhosts/system/*/logs/*access*log`

Still no luck.
 
That example command line isn't for fail2ban. It's just a command you can run to manually search all your logs so you can see what site is getting attacked.
 
Thanks for your response. So, it seems there's no way to display the path of the log file that contains the banned <ip> in the Fail2Ban action, such as `sendmail`.
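The thread's one-liner (`zgrep ipaddress /var/www/vhosts/system/*/logs/*access*log*`) generalised into a small post-processing script, added here as an example that is not part of the thread or of Plesk: it reads the "Ban" events out of the Fail2Ban log and, for each banned IP, reports which domain's access logs contain requests from it and how many. It does this outside Fail2Ban, which is consistent with the answer above that the action itself has no host information. Assumptions, none of which come from the page: the Plesk-style layout `<root>/<domain>/logs/*access*log*` with `<root>` = `/var/www/vhosts/system`, Fail2Ban log lines ending in `[<jail>] Ban <ip>`, rotated logs compressed with gzip, and the constructed sample tree built by `make_sample` for demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread or from Plesk: correlate Fail2Ban ban
# events with per-domain access logs to see which site a banned IP was hitting.
# Assumed (hypothetical) layout: <root>/<domain>/logs/*access*log*
# Assumed Fail2Ban log line shape:  "... NOTICE [<jail>] Ban <ip>"

# Print "<domain> <hits>" for every domain whose access logs contain requests
# from IP $1. The IP is compared exactly against the first log field, so
# 203.0.113.5 does not also count lines from 203.0.113.50 (a plain grep would).
# $2 is the vhosts root; rotated .gz logs are read through zcat.
sites_for_ip() {
    ip=$1
    root=${2:-/var/www/vhosts/system}
    for dir in "$root"/*/; do
        [ -d "$dir" ] || continue
        domain=$(basename "$dir")
        total=0
        for log in "$dir"logs/*access*log*; do
            [ -f "$log" ] || continue
            case $log in
                *.gz) n=$(zcat "$log" | awk -v ip="$ip" '$1 == ip { n++ } END { print n + 0 }') ;;
                *)    n=$(awk -v ip="$ip" '$1 == ip { n++ } END { print n + 0 }' "$log") ;;
            esac
            total=$((total + n))
        done
        if [ "$total" -gt 0 ]; then
            printf '%s %s\n' "$domain" "$total"
        fi
    done
}

# Read ban events from a Fail2Ban log ($1) and print "<ip> <jail> <domain> <hits>"
# for each domain the IP touched under the vhosts root ($2).
# "Unban" and "Restore Ban" lines are skipped by requiring "[<jail>] Ban" exactly.
report_bans() {
    f2b_log=$1
    root=$2
    awk '$(NF-1) == "Ban" && $(NF-2) ~ /^\[.*\]$/ {
             jail = $(NF-2); gsub(/\[|\]/, "", jail); print $NF, jail }' "$f2b_log" |
    sort -u |
    while read -r ip jail; do
        sites_for_ip "$ip" "$root" | while read -r domain hits; do
            printf '%s %s %s %s\n' "$ip" "$jail" "$domain" "$hits"
        done
    done
}

# Build a constructed sample (two domains, one rotated log, a short Fail2Ban log)
# in a temporary directory and print its path. All addresses are documentation
# ranges; the data is made up for this demo.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/vhosts/example.com/logs" "$d/vhosts/shop.example.net/logs"
    line='- - [19/Oct/2017:11:30:31 +0200] "POST /wp-login.php HTTP/1.1" 200 1234'
    {
        printf '203.0.113.5 %s\n' "$line"
        printf '203.0.113.5 %s\n' "$line"
        printf '203.0.113.50 %s\n' "$line"    # different IP, must not be counted
    } > "$d/vhosts/example.com/logs/access_log"
    printf '203.0.113.5 %s\n' "$line" > "$d/vhosts/shop.example.net/logs/access_ssl_log"
    printf '198.51.100.7 %s\n' "$line" > "$d/vhosts/shop.example.net/logs/access_log.1"
    if command -v gzip >/dev/null 2>&1; then
        gzip "$d/vhosts/shop.example.net/logs/access_log.1"   # simulate logrotate
    fi
    printf '%s\n' \
        '2017-10-19 11:30:40,101 fail2ban.actions [1000]: NOTICE [default] Ban 203.0.113.5' \
        '2017-10-19 11:35:02,202 fail2ban.actions [1000]: NOTICE [default] Ban 198.51.100.7' \
        '2017-10-19 12:30:40,303 fail2ban.actions [1000]: NOTICE [default] Unban 203.0.113.5' \
        > "$d/fail2ban.log"
    printf '%s\n' "$d"
}

# Real use:  sh f2b_sites.sh /var/log/fail2ban.log /var/www/vhosts/system
# With no arguments the constructed sample is used instead.
if [ "$#" -ge 2 ]; then
    report_bans "$1" "$2"
else
    sample=$(make_sample)
    report_bans "$sample/fail2ban.log" "$sample/vhosts"
    rm -rf "$sample"
fi
```

On the sample data this prints one line per banned IP and domain, for instance `203.0.113.5 default example.com 2`, which is the "which site and which jail" information the original post asked for in the notification mail. Because the script runs after the fact against the log files rather than inside the ban action, it can be run from cron or by hand without touching the Fail2Ban configuration or the Apache/nginx log format.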
 