• Plesk Uservoice will be deprecated by October. Moving forward, all product feature requests and improvement suggestions will be managed through our new platform Plesk Productboard.
    To continue sharing your ideas and feedback, please visit features.plesk.com

Issue Filter for plesk-wordpress jail does not work, any ideas?

SalvadorS

Regular Pleskian
Server operating system version
Debian 12
Plesk version and microupdate number
18.0.61
Hi,

It seems the default installation of fail2ban does not work to block wordpress logins.

For example, this is the log of one of our wordpress sites:

/var/www/vhosts/domain.es/logs/access_ssl_log:5.42.105.193 - - [31/May/2024:10:38:57 +0200] "POST /wp-login.php HTTP/1.0" 200 9869 "https://domain.es/wp-login.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0"

/var/www/vhosts/domain.es/logs/access_ssl_log:5.42.105.193 - - [31/May/2024:10:38:57 +0200] "POST /wp-login.php HTTP/1.0" 200 9869 "https://domain.es/wp-login.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0"

/var/www/vhosts/domain.es/logs/access_ssl_log:5.42.105.193 - - [31/May/2024:10:38:57 +0200] "POST /wp-login.php HTTP/1.0" 200 9869 "https://domain.es/wp-login.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0"

/var/www/vhosts/domain.es/logs/access_ssl_log:5.42.105.193 - - [31/May/2024:10:38:57 +0200] "POST /wp-login.php HTTP/1.0" 200 9869 "https://domain.es/wp-login.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0"

/var/www/vhosts/domain.es/logs/access_ssl_log:5.42.105.193 - - [31/May/2024:10:38:57 +0200] "POST /wp-login.php HTTP/1.0" 200 9869 "https://domain.es/wp-login.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0"

And many more lines. However the IP is not blocked by the wordpress jail (or any other jail) So I assume this jail is not working. I didn´t change the filter of the jail:

[Definition]
failregex = ^<HOST>.* "POST .*/wp-login.php([/\?#\\].*)? HTTP/.*" 200
ignoreregex =

And didn´t touched anything in the jail itself.

So, can anybody please tell me how to tuning this in order to work?

Thank you
 
Hi there :)

Sounds like Resolved - Default plesk-wordpress fail2ban doesn't work. Do you have any other protection for the website (e.g. WAF)?

On my test server, I have a domain with almost empty WordPress (and without any protection :eek:), here is a test run from the server:
Code:
# fail2ban-regex /var/www/vhosts/example.org/logs/proxy_access_ssl_log /etc/fail2ban/filter.d/plesk-wordpress.conf
[...]
Failregex: 46 total
|-  #) [# of hits] regular expression
|   1) [46] ^<HOST>.* "POST .*/wp-login.php([/\?#\\].*)? HTTP/.*" 200
`-
[...]
Lines: 1089 lines, 0 ignored, 46 matched, 1043 missed
[processed in 0.35 sec]
[...]
 
Back
Top