• If you are still using CentOS 7.9, it's time to convert to Alma 8 with the free centos2alma tool by Plesk or Plesk Migrator. Please let us know your experiences or concerns in this thread:
    CentOS2Alma discussion
  • Please beaware of a breaking change in the REST API on the next Plesk release (18.0.62).
    Starting from Plesk Obsidian 18.0.62, requests to REST API containing the Content-Type header with a media-type directive other than “application/json” will result in the HTTP “415 Unsupported Media Type” client error response code. Read more here

Issue Filter for plesk-wordpress jail does not work, any ideas?

S

SalvadorS

Regular Pleskian
Server operating system version
Debian 12
Plesk version and microupdate number
18.0.61
Hi,

It seems the default installation of fail2ban does not work to block wordpress logins.

For example, this is the log of one of our wordpress sites:

/var/www/vhosts/domain.es/logs/access_ssl_log:5.42.105.193 - - [31/May/2024:10:38:57 +0200] "POST /wp-login.php HTTP/1.0" 200 9869 "https://domain.es/wp-login.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0"

/var/www/vhosts/domain.es/logs/access_ssl_log:5.42.105.193 - - [31/May/2024:10:38:57 +0200] "POST /wp-login.php HTTP/1.0" 200 9869 "https://domain.es/wp-login.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0"

/var/www/vhosts/domain.es/logs/access_ssl_log:5.42.105.193 - - [31/May/2024:10:38:57 +0200] "POST /wp-login.php HTTP/1.0" 200 9869 "https://domain.es/wp-login.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0"

/var/www/vhosts/domain.es/logs/access_ssl_log:5.42.105.193 - - [31/May/2024:10:38:57 +0200] "POST /wp-login.php HTTP/1.0" 200 9869 "https://domain.es/wp-login.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0"

/var/www/vhosts/domain.es/logs/access_ssl_log:5.42.105.193 - - [31/May/2024:10:38:57 +0200] "POST /wp-login.php HTTP/1.0" 200 9869 "https://domain.es/wp-login.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0"
Click to expand...

And many more lines. However the IP is not blocked by the wordpress jail (or any other jail) So I assume this jail is not working. I didn´t change the filter of the jail:

[Definition]
failregex = ^<HOST>.* "POST .*/wp-login.php([/\?#\\].*)? HTTP/.*" 200
ignoreregex =
Click to expand...

And didn´t touched anything in the jail itself.

So, can anybody please tell me how to tuning this in order to work?

Thank you
 
Hi there :)

Sounds like Resolved - Default plesk-wordpress fail2ban doesn't work. Do you have any other protection for the website (e.g. WAF)?

On my test server, I have a domain with almost empty WordPress (and without any protection :eek:), here is a test run from the server:
Code: 
# fail2ban-regex /var/www/vhosts/example.org/logs/proxy_access_ssl_log /etc/fail2ban/filter.d/plesk-wordpress.conf
[...]
Failregex: 46 total
|-  #) [# of hits] regular expression
|   1) [46] ^<HOST>.* "POST .*/wp-login.php([/\?#\\].*)? HTTP/.*" 200
`-
[...]
Lines: 1089 lines, 0 ignored, 46 matched, 1043 missed
[processed in 0.35 sec]
[...]
 
You must log in or register to reply here.

Similar threads

J
Resolved Default plesk-wordpress fail2ban doesn't work
Replies
4
Views
1K
Mark_NLD
M
M
Question Has my site been attacked?
Replies
8
Views
1K
Peter Debik
P
W
Resolved Awstats error refused connetion
Replies
2
Views
1K
WiseWill
W
F
Issue Fail2ban bans users accessing websites
Replies
7
Views
1K
Mark_NLD
M
I
Question Fail2ban error
Replies
0
Views
835
Inma
I
Back
Top