I'm having problems getting the WordPress Fail2Ban filter to work. I installed the WP Fail2Ban plugin using the latest update, which had several changes, but nothing is being blocked.
Here is the log line for a failed login:
Apr 11 23:39:13 server wp(domain.com.au)[26365]: Authentication attempt for unknown user test2 from 123.456.789.000
Here is my wordpress.conf filter:
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf
[Definition]
_daemon = (?:wordpress|wp)
failregex = ^%(__prefix_line)sAuthentication attempt for unknown user .* from <HOST>$
            ^%(__prefix_line)sBlocked authentication attempt for .* from <HOST>$
            ^%(__prefix_line)sBlocked user enumeration attempt from <HOST>$
            ^%(__prefix_line)sPingback error .* generated from <HOST>$
ignoreregex =
My jail.local:
[wordpress]
enabled = true
port = http,https
filter = wordpress
logpath = /var/log/auth.log
maxretry = 3
When I test by running:
sudo fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/wordpress.conf
I get this:
Running tests
=============
Use failregex file : /etc/fail2ban/filter.d/wordpress.conf
Use log file : /var/log/auth.log
Results
=======
Failregex: 5 total
|- #) [# of hits] regular expression
| 1) [5] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?(?:wordpress|wp)(?:\(\S+\))?[\]\)]?:?|[\[\(]?(?:wordpress|wp)(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*Authentication attempt for unknown user .* from <HOST>$
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [273] MONTH Day Hour:Minute:Second
`-
Lines: 273 lines, 0 ignored, 5 matched, 268 missed
Missed line(s): too many to print. Use --print-all-missed to print all 268 lines
It is picked up by fail2ban-regex, but for some reason no ban happens.
Checking the wordpress jail status:
sudo fail2ban-client status wordpress
Results:
Status for the jail: wordpress
|- filter
| |- File list: /var/log/auth.log
| |- Currently failed: 0
| `- Total failed: 0
`- action
|- Currently banned: 0
| `- IP list:
`- Total banned: 0
Any ideas?
The other filters work fine, only this one doesn't. Could the action have something to do with it? I'm using:
action = %(action_mwl)s
Thanks
Edit: As requested, here are 4 failed login attempts from auth.log:
Apr 12 19:29:06 server wp(domain.com.au)[26365]: Authentication attempt for unknown user test from 000.000.000.000
Apr 12 19:29:20 server wp(domain.com.au)[26519]: Authentication attempt for unknown user test from 000.000.000.000
Apr 12 19:29:31 server wp(domain.com.au)[26530]: Authentication attempt for unknown user test from 000.000.000.000
Apr 12 19:29:41 server wp(domain.com.au)[26365]: Authentication attempt for unknown user test from 000.000.000.000
Also, here is my Fail2Ban jail.local (abridged):
# Fail2Ban configuration file.
[DEFAULT]
ignoreip = 127.0.0.1/8
ignorecommand =
bantime = 2592000
findtime = 10000
maxretry = 4
backend = auto
usedns = warn
destemail = myemail@domain.com
sendername = Fail2Ban
sender = fail2ban@domain.com.au
banaction = iptables-multiport
mta = mail
protocol = tcp
chain = INPUT
# Action shortcuts. To be used to define action parameter
# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
# ban & send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
            %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s", sendername="%(sendername)s"]
# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
             %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s", sendername="%(sendername)s"]
# Choose default action. To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = %(action_mwl)s
# JAILS
[ssh]
enabled = true
port = 22
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
[wordpress]
enabled = true
port = http,https
filter = wordpress
logpath = /var/log/auth.log
maxretry = 3
[ssh-ddos]
enabled = true
port = 25631
filter = sshd-ddos
logpath = /var/log/auth.log
maxretry = 6
[nginx-http-auth]
enabled = true
filter = nginx-http-auth
port = http,https
logpath = /var/log/nginx/error.log
#Custom
[nginx-badbots]
enabled = true
port = http,https
filter = nginx-badbots
logpath = /var/log/nginx/access.log
maxretry = 2
[nginx-nohome]
enabled = true
port = http,https
filter = nginx-nohome
logpath = /var/log/nginx/access.log
maxretry = 2
[nginx-noproxy]
enabled = true
port = http,https
filter = nginx-noproxy
logpath = /var/log/nginx/access.log
maxretry = 2