Issue Filter for plesk-wordpress jail does not work, any ideas?

[SalvadorS]

Server operating system version

Debian 12

Plesk version and microupdate number

18.0.61

Hi,

It seems the default installation of fail2ban does not work to block wordpress logins.

For example, this is the log of one of our wordpress sites:

/var/www/vhosts/domain.es/logs/access_ssl_log:5.42.105.193 - - [31/May/2024:10:38:57 +0200] "POST /wp-login.php HTTP/1.0" 200 9869 "https://domain.es/wp-login.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0"

/var/www/vhosts/domain.es/logs/access_ssl_log:5.42.105.193 - - [31/May/2024:10:38:57 +0200] "POST /wp-login.php HTTP/1.0" 200 9869 "https://domain.es/wp-login.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0"

/var/www/vhosts/domain.es/logs/access_ssl_log:5.42.105.193 - - [31/May/2024:10:38:57 +0200] "POST /wp-login.php HTTP/1.0" 200 9869 "https://domain.es/wp-login.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0"

/var/www/vhosts/domain.es/logs/access_ssl_log:5.42.105.193 - - [31/May/2024:10:38:57 +0200] "POST /wp-login.php HTTP/1.0" 200 9869 "https://domain.es/wp-login.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0"

/var/www/vhosts/domain.es/logs/access_ssl_log:5.42.105.193 - - [31/May/2024:10:38:57 +0200] "POST /wp-login.php HTTP/1.0" 200 9869 "https://domain.es/wp-login.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0"

And many more lines. However the IP is not blocked by the wordpress jail (or any other jail) So I assume this jail is not working. I didn´t change the filter of the jail:

[Definition]
failregex = ^<HOST>.* "POST .*/wp-login.php([/\?#\\].*)? HTTP/.*" 200
ignoreregex =

And didn´t touched anything in the jail itself.

So, can anybody please tell me how to tuning this in order to work?

Thank you

 

[AYamshanov]

Hi there

Sounds like Resolved - Default plesk-wordpress fail2ban doesn't work. Do you have any other protection for the website (e.g. WAF)?

On my test server, I have a domain with almost empty WordPress (and without any protection ), here is a test run from the server:

# fail2ban-regex /var/www/vhosts/example.org/logs/proxy_access_ssl_log /etc/fail2ban/filter.d/plesk-wordpress.conf
[...]
Failregex: 46 total
|-  #) [# of hits] regular expression
|   1) [46] ^<HOST>.* "POST .*/wp-login.php([/\?#\\].*)? HTTP/.*" 200
`-
[...]
Lines: 1089 lines, 0 ignored, 46 matched, 1043 missed
[processed in 0.35 sec]
[...]