
Question Fail2Ban log. Which Wordpress instance is under attack

CoyoteKG

Regular Pleskian
Is it possible somehow to tweak the Fail2Ban log to also contain which WordPress instance someone tried to log in to, and that Fail2Ban blocked it? That can be useful if more than one WordPress site is hosted on the server.

For example, this morning, in the last 3 hours I have 208 tries to log in from different IP addresses, but I wonder which site is under attack.

At this moment it looks like this:
[attachment: fail2ban.JPG]

Now I will analyze access logs manually, but it would be much easier to have also site name included in this log.

Or at least here:
[attachment: upload_2017-10-19_11-30-31.png]
This report we receive by mail should contain the access log path, or the site name, and which jail banned this IP. It is much more useful than "3 attempts against default".

Has someone tried to set this up, and how? :)
 
Hi,
The jail that was triggered is included, in your case it is 'default' -- that's the jail name.

I totally agree that log path or site domain would be helpful too.
 
Unfortunately this isn't possible. fail2ban is scanning the site's access log and knows nothing about which host the log is under (host information isn't included in the log line).

Update:

Here is a one-liner so you can search for the IP address from the command line. This will tell you the site that was getting attacked:
Code:
zgrep ipaddress /var/www/vhosts/system/*/logs/*access*log*
 
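The zgrep one-liner above, turned into a small POSIX shell script that maps each hit back to the vhost directory name, as an added example (not code from the thread or from Plesk). It assumes the Plesk layout /var/www/vhosts/system/<domain>/logs/*access*log*, reads rotated .gz logs the way zgrep would, and matches the address as a fixed word so the dots in the IP are not treated as regex wildcards; the sample log lines are constructed.

```shell
#!/bin/sh
# Added example, not from the forum thread or Plesk: map a banned IP back to
# the vhost(s) whose access logs mention it. Assumes the Plesk layout
#   <LOGROOT>/<domain>/logs/*access*log*   (LOGROOT defaults to /var/www/vhosts/system)
# Rotated .gz logs are read with gzip -dc, as zgrep would.

# Number of lines in one access log that mention $ip. The address is matched
# as a fixed string on word boundaries (-F -w), so the dots are not regex
# wildcards and 203.0.113.7 does not also match 203.0.113.70.
count_hits() {
    ip=$1; file=$2
    case $file in
        *.gz) gzip -dc -- "$file" 2>/dev/null | grep -cFw -- "$ip" || true ;;
        *)    grep -cFw -- "$ip" "$file" || true ;;
    esac
}

# Print "<domain> <hits>" for each vhost whose logs mention $ip, most hits first.
attacked_sites() {
    ip=$1; root=${2:-/var/www/vhosts/system}
    for dir in "$root"/*/; do
        domain=$(basename "$dir")
        total=0
        for f in "$dir"logs/*access*log*; do
            [ -f "$f" ] || continue
            n=$(count_hits "$ip" "$f")
            total=$((total + n))
        done
        if [ "$total" -gt 0 ]; then
            printf '%s %s\n' "$domain" "$total"
        fi
    done | sort -k2,2nr
}

# Constructed sample data: two vhosts, one receiving wp-login.php attempts from
# 203.0.113.7 (a documentation-range address). Prints the temporary log root.
make_sample_logs() {
    root=$(mktemp -d)
    mkdir -p "$root/example.com/logs" "$root/example.org/logs"
    cat > "$root/example.com/logs/access_log" <<'EOF'
203.0.113.7 - - [19/Oct/2017:11:30:31 +0200] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Oct/2017:11:30:33 +0200] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
198.51.100.20 - - [19/Oct/2017:11:31:02 +0200] "GET / HTTP/1.1" 200 10240 "-" "Mozilla/5.0"
EOF
    cat > "$root/example.com/logs/access_ssl_log" <<'EOF'
203.0.113.7 - - [19/Oct/2017:11:32:10 +0200] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
EOF
    cat > "$root/example.org/logs/access_log" <<'EOF'
203.0.113.70 - - [19/Oct/2017:11:33:00 +0200] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.20 - - [19/Oct/2017:11:33:05 +0200] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
EOF
    printf '%s\n' "$root"
}

# Usage: sh find_attacked_site.sh <ip> [logroot]; with no arguments, run on the sample.
if [ $# -gt 0 ]; then
    attacked_sites "$1" "${2:-}"
else
    demo_root=$(make_sample_logs)
    attacked_sites 203.0.113.7 "$demo_root"
    rm -rf "$demo_root"
fi
```

On the constructed sample this prints `example.com 3` and nothing for example.org, whose only near-match is the different address 203.0.113.70. Pointing the script at the real log root (`sh find_attacked_site.sh 203.0.113.7`) gives the per-site count the thread asks for; the `*access*log*` glob also covers the `.processed` and rotated files in the logs directory.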
> Unfortunately this isn't possible. fail2ban is scanning the site's access log and knows nothing about which host the log is under (host information isn't included in the log line).

I assumed so ... but presumably the log path might be obtainable?
 
> I assumed so ... but presumably the log path might be obtainable?
Not unless you change the log format, which isn't advisable, as all the statistics programs and other regexes want Apache and nginx to use the same standard format. Best to just use the one-liner above, which will tell you what you want.
 
Hi,

Thanks for the suggestions, I'll give that a try, though I'll use grep instead of zgrep because I'm only concerned with the recent log files, and it's also way faster.

Thanks again.
 
Hi,

I've edited the actionban in /etc/fail2ban/action.d/sendmail.conf to:

Code:
actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from `uname -n`
            Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"`
            From: <sendername> <<sender>>
            To: <dest>\n
            Hi,\n
            The IP <ip> has just been banned by Fail2Ban after
            <failures> attempts against <name>.\n
            Logs:\n `grep <ip> /var/www/vhosts/system/*/logs/*access*log`
            Regards,\n
            Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>

... but the grep doesn't work. Any ideas why?
 
I've edited the new line to:

Code:
Logs:\n `grep -l <ip> /var/www/vhosts/system/*/logs/*access*log`

in case the double quotes in the grep output were messing things up, but it still doesn't work; I just get "Logs: ".

Any reason that grep command isn't working?

Thanks!
 
I've also tried:

Code:
Log:\n `grep -l --color=never <ip> /var/www/vhosts/system/*/logs/*access*log`

Still no luck.
 
That example command line isn't for fail2ban. It's just a command you can run to manually search all your logs so you can see what site is getting attacked.
 
Thanks for your response. So, it seems there's no way to display the path of the log file that contains the banned <ip> in the Fail2Ban action, such as `sendmail`.
 