• Plesk Uservoice will be deprecated by October. Moving forward, all product feature requests and improvement suggestions will be managed through our new platform Plesk Productboard.
    To continue sharing your ideas and feedback, please visit features.plesk.com

Issue Filter for plesk-wordpress jail does not work, any ideas?

S

SalvadorS

Regular Pleskian
Server operating system version
Debian 12
Plesk version and microupdate number
18.0.61
Hi,

It seems the default installation of fail2ban does not work to block wordpress logins.

For example, this is the log of one of our wordpress sites:

/var/www/vhosts/domain.es/logs/access_ssl_log:5.42.105.193 - - [31/May/2024:10:38:57 +0200] "POST /wp-login.php HTTP/1.0" 200 9869 "https://domain.es/wp-login.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0"

/var/www/vhosts/domain.es/logs/access_ssl_log:5.42.105.193 - - [31/May/2024:10:38:57 +0200] "POST /wp-login.php HTTP/1.0" 200 9869 "https://domain.es/wp-login.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0"

/var/www/vhosts/domain.es/logs/access_ssl_log:5.42.105.193 - - [31/May/2024:10:38:57 +0200] "POST /wp-login.php HTTP/1.0" 200 9869 "https://domain.es/wp-login.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0"

/var/www/vhosts/domain.es/logs/access_ssl_log:5.42.105.193 - - [31/May/2024:10:38:57 +0200] "POST /wp-login.php HTTP/1.0" 200 9869 "https://domain.es/wp-login.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0"

/var/www/vhosts/domain.es/logs/access_ssl_log:5.42.105.193 - - [31/May/2024:10:38:57 +0200] "POST /wp-login.php HTTP/1.0" 200 9869 "https://domain.es/wp-login.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0"
Click to expand...

And many more lines. However the IP is not blocked by the wordpress jail (or any other jail) So I assume this jail is not working. I didn´t change the filter of the jail:

[Definition]
failregex = ^<HOST>.* "POST .*/wp-login.php([/\?#\\].*)? HTTP/.*" 200
ignoreregex =
Click to expand...

And didn´t touched anything in the jail itself.

So, can anybody please tell me how to tuning this in order to work?

Thank you
 
Hi there :)

Sounds like Resolved - Default plesk-wordpress fail2ban doesn't work. Do you have any other protection for the website (e.g. WAF)?

On my test server, I have a domain with almost empty WordPress (and without any protection :eek:), here is a test run from the server:
Code: 
# fail2ban-regex /var/www/vhosts/example.org/logs/proxy_access_ssl_log /etc/fail2ban/filter.d/plesk-wordpress.conf
[...]
Failregex: 46 total
|-  #) [# of hits] regular expression
|   1) [46] ^<HOST>.* "POST .*/wp-login.php([/\?#\\].*)? HTTP/.*" 200
`-
[...]
Lines: 1089 lines, 0 ignored, 46 matched, 1043 missed
[processed in 0.35 sec]
[...]
 
You must log in or register to reply here.

Similar threads

J
Resolved Default plesk-wordpress fail2ban doesn't work
Replies
4
Views
3K
Mark_NLD
M
P
Question Getting X-Forwarded-For IP address from behind a nginx proxy server
Replies
4
Views
5K
philglau
P
M
Question Has my site been attacked?
Replies
8
Views
2K
Peter Debik
P
W
Resolved Awstats error refused connetion
Replies
2
Views
2K
WiseWill
W
F
Issue Fail2ban bans users accessing websites
Replies
7
Views
2K
Mark_NLD
M
Back
Top