• Dear Pleskians! The Plesk Forum will be undergoing scheduled maintenance on Monday, 7th of July, at 9:00 AM UTC. The expected maintenance window is 2 hours.
    Thank you in advance for your patience and understanding on the matter.

Issue Filter for plesk-wordpress jail does not work, any ideas?

S

SalvadorS

Regular Pleskian
Server operating system version
Debian 12
Plesk version and microupdate number
18.0.61
Hi,

It seems the default installation of fail2ban does not work to block wordpress logins.

For example, this is the log of one of our wordpress sites:

/var/www/vhosts/domain.es/logs/access_ssl_log:5.42.105.193 - - [31/May/2024:10:38:57 +0200] "POST /wp-login.php HTTP/1.0" 200 9869 "https://domain.es/wp-login.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0"

/var/www/vhosts/domain.es/logs/access_ssl_log:5.42.105.193 - - [31/May/2024:10:38:57 +0200] "POST /wp-login.php HTTP/1.0" 200 9869 "https://domain.es/wp-login.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0"

/var/www/vhosts/domain.es/logs/access_ssl_log:5.42.105.193 - - [31/May/2024:10:38:57 +0200] "POST /wp-login.php HTTP/1.0" 200 9869 "https://domain.es/wp-login.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0"

/var/www/vhosts/domain.es/logs/access_ssl_log:5.42.105.193 - - [31/May/2024:10:38:57 +0200] "POST /wp-login.php HTTP/1.0" 200 9869 "https://domain.es/wp-login.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0"

/var/www/vhosts/domain.es/logs/access_ssl_log:5.42.105.193 - - [31/May/2024:10:38:57 +0200] "POST /wp-login.php HTTP/1.0" 200 9869 "https://domain.es/wp-login.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0"
Click to expand...

And many more lines. However the IP is not blocked by the wordpress jail (or any other jail) So I assume this jail is not working. I didn´t change the filter of the jail:

[Definition]
failregex = ^<HOST>.* "POST .*/wp-login.php([/\?#\\].*)? HTTP/.*" 200
ignoreregex =
Click to expand...

And didn´t touched anything in the jail itself.

So, can anybody please tell me how to tuning this in order to work?

Thank you
 
Hi there :)

Sounds like Resolved - Default plesk-wordpress fail2ban doesn't work. Do you have any other protection for the website (e.g. WAF)?

On my test server, I have a domain with almost empty WordPress (and without any protection :eek:), here is a test run from the server:
Code: 
# fail2ban-regex /var/www/vhosts/example.org/logs/proxy_access_ssl_log /etc/fail2ban/filter.d/plesk-wordpress.conf
[...]
Failregex: 46 total
|-  #) [# of hits] regular expression
|   1) [46] ^<HOST>.* "POST .*/wp-login.php([/\?#\\].*)? HTTP/.*" 200
`-
[...]
Lines: 1089 lines, 0 ignored, 46 matched, 1043 missed
[processed in 0.35 sec]
[...]
 
You must log in or register to reply here.

Similar threads

J
Resolved Default plesk-wordpress fail2ban doesn't work
Replies
4
Views
3K
Mark_NLD
M
P
Question Getting X-Forwarded-For IP address from behind a nginx proxy server
Replies
4
Views
4K
philglau
P
M
Question Has my site been attacked?
Replies
8
Views
2K
Peter Debik
P
W
Resolved Awstats error refused connetion
Replies
2
Views
2K
WiseWill
W
J
Issue Default plesk-wordpress fail2ban doesn't work
Replies
6
Views
2K
Peter Debik
P
Back
Top