On a LEMP stack with WordPress and the WP fail2ban plugin, WordPress authentication problems are logged perfectly to /var/log/messages.
$ sudo fail2ban-client version
0.9.2
Over the past few days I have received about 25,000 lines like this, some brute-force attempts from Sweden:
Aug 17 10:48:58 ip-172-1-6-5 wordpress(mydomain.com)[29203]: Blocked authentication attempt for mydomain from 217.70.32.9
Aug 17 10:48:58 ip-172-1-6-5 wordpress(mydomain.com)[29204]: Blocked authentication attempt for mydomain from 217.70.32.9
Aug 17 10:48:58 ip-172-1-6-5 wordpress(mydomain.com)[29796]: Blocked authentication attempt for mydomain from 217.70.32.9
Aug 17 10:48:58 ip-172-1-6-5 wordpress(mydomain.com)[29203]: Blocked authentication attempt for mydomain from 217.70.32.9
Aug 17 10:48:58 ip-172-1-6-5 wordpress(mydomain.com)[29204]: Blocked authentication attempt for mydomain from 217.70.32.9
The wordpress.conf jail is enabled and the regex test works:
$ sudo fail2ban-regex /var/log/messages /etc/fail2ban/filter.d/wordpress.conf
Failregex: 25865 total
|- #) [# of hits] regular expression
| 1) [180] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?wordpress(?:\(\S+\))?[\]\)]?:?|[\[\(]?wordpress(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*Authentication failure for .* from <HOST>$
| 2) [25685] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?wordpress(?:\(\S+\))?[\]\)]?:?|[\[\(]?wordpress(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*Blocked authentication attempt for .* from <HOST>$
However, nobody gets banned.
$ sudo fail2ban-client status wordpress
Status for the jail: wordpress
|- Filter
| |- Currently failed: 0
| |- Total failed: 0
| `- File list: /var/log/messages
`- Actions
|- Currently banned: 0
|- Total banned: 0
`- Banned IP list:
Confirming that firewalld knows about it:
$ sudo ipset list
Name: fail2ban-wordpress
Type: hash:ip
Revision: 1
Header: family inet hashsize 1024 maxelem 65536 timeout 3600
Size in memory: 16528
References: 1
Members:
From jail.local:
bantime = 3600
findtime = 600
banaction = firewallcmd-ipset
# Protect against WP login brute-force attempts via
# https://wordpress.org/plugins/wp-fail2ban/installation/
[wordpress]
port = http,https
logpath = /var/log/messages
maxretry = 3
enabled = true
Note that we get five retry attempts within one second, which should of course trigger a ban.
Although I am not a SELinux expert, I don't see any worrying denial messages in /var/log/audit/audit.log about SELinux preventing this from working.
Logging works. The regex works. Fail2Ban is running. The jail is enabled. Firewalld is waiting for results. But nothing happens.
Banning manually also works:
$ sudo fail2ban-client set wordpress banip 217.70.32.9
$ sudo fail2ban-client status wordpress
Status for the jail: wordpress
|- Filter
| |- Currently failed: 0
| |- Total failed: 3
| `- File list: /var/log/messages
`- Actions
|- Currently banned: 1
|- Total banned: 1
`- Banned IP list: 217.70.32.9
$ sudo ipset list
Name: fail2ban-wordpress
Type: hash:ip
Revision: 1
Header: family inet hashsize 1024 maxelem 65536 timeout 3600
Size in memory: 16592
References: 1
Members:
217.70.32.9 timeout 3457
This seems to confirm that my jail.local is being loaded:
$ sudo fail2ban-client status
Status
|- Number of jail: 6
`- Jail list: 1, 2, 3, 4, 5, wordpress
I was previously using the polling backend but am now running Gamin. With the Fail2Ban log level set to debug, this appears to work when I log in with wrong credentials:
2015-08-18 22:57:52,874 fail2ban.filtergamin [29664]: DEBUG File changed: /var/log/messages
The regex checker also keeps increasing its match count. However, I can still do it 20 times in 2 minutes without being banned...
Where should I look next?
Answer 1
After hours of fiddling, I finally realised that the timestamps in /var/log/messages were out of sync by 2 hours. Of course, this affects how fail2ban works out findtime.
$ timedatectl
Local time: Tue 2015-08-18 23:50:11 CEST
In /var/log/messages:
Aug 18 21:50:11 ip-172-1-6-5 systemd: Started Time & Date Service.
Solution:
$ sudo systemctl restart rsyslog.service
Now my failed logins are logged with the correct timestamp and, sure enough, I get banned.
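To show why the jail settings in the question (findtime = 600, maxretry = 3, five hits in one second) produced "Total failed: 0" until the answer's clock fix, here is an added example that is not part of the original question or answer and not fail2ban's own code. It re-implements the core of fail2ban's findtime window over constructed WP fail2ban syslog lines: a line whose timestamp is older than findtime relative to the current time is ignored before it is ever counted, so a log clock running two hours behind makes every line look stale. The failregex is a simplified stand-in for the wordpress.conf one quoted above, the log lines and the fixed "now" (taken from the timedatectl output in the answer) are constructed, and the year is assumed from "now", as fail2ban must do for syslog timestamps that carry none.

```python
"""Added example: a minimal model of fail2ban's findtime/maxretry check,
run over constructed WP fail2ban log lines with and without clock skew.
Not fail2ban's own code; the regex below is a simplified stand-in."""
import re
from datetime import datetime, timedelta

# Simplified stand-in for the wordpress.conf failregex shown in the question.
FAILREGEX = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) \S+ wordpress\(\S+\)\[\d+\]: "
    r"(?:Authentication failure|Blocked authentication attempt) for .* from (?P<host>\S+)$"
)

# Fixed "current time", matching the timedatectl output in the answer (assumption).
NOW = datetime(2015, 8, 18, 23, 50, 11)


def parse_syslog_ts(ts, year):
    """Syslog timestamps carry no year; assume the year of the current time."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def would_ban(lines, now, findtime=600, maxretry=3):
    """Return the set of hosts that reach maxretry failures inside findtime.

    Mirrors the check fail2ban applies to each matched line: if the line's
    timestamp is older than now - findtime it is ignored and never counted.
    `now` is held fixed here; fail2ban uses the wall clock at read time."""
    window = timedelta(seconds=findtime)
    recent = {}      # host -> timestamps of failures still inside the window
    banned = set()
    for line in lines:
        m = FAILREGEX.match(line)
        if not m:
            continue
        t = parse_syslog_ts(m["ts"], now.year)
        if now - t > window:
            continue  # stale line: this is what a lagging log clock triggers
        host = m["host"]
        hits = [h for h in recent.get(host, []) if now - h <= window]
        hits.append(t)
        recent[host] = hits
        if len(hits) >= maxretry:
            banned.add(host)
    return banned


def log_clock_skew(lines, now):
    """Seconds by which the newest matched line lags `now`.

    A value near 7200 with a 600 s findtime is the symptom from the answer:
    nothing in the log can ever be inside the window."""
    newest = max(parse_syslog_ts(m["ts"], now.year)
                 for m in map(FAILREGEX.match, lines) if m)
    return int((now - newest).total_seconds())


def wp_lines(clock):
    """Five constructed lines, one second apart, stamped from `clock`
    (shape copied from the log excerpt in the question; PIDs are made up)."""
    return [
        f"{(clock + timedelta(seconds=i)).strftime('%b %d %H:%M:%S')} ip-172-1-6-5 "
        f"wordpress(mydomain.com)[2920{i}]: Blocked authentication attempt "
        f"for mydomain from 217.70.32.9"
        for i in range(5)
    ]


# Constructed inputs: rsyslog clock 2 h behind (the bug) vs. correct.
SKEWED = wp_lines(NOW - timedelta(hours=2, seconds=10))
CORRECT = wp_lines(NOW - timedelta(seconds=10))

if __name__ == "__main__":
    print("skew (s), skewed log :", log_clock_skew(SKEWED, NOW))   # 7206
    print("banned, skewed log   :", would_ban(SKEWED, NOW))        # set()
    print("skew (s), correct log:", log_clock_skew(CORRECT, NOW))  # 6
    print("banned, correct log  :", would_ban(CORRECT, NOW))       # {'217.70.32.9'}
```

The same skew check on a live box is just comparing the timestamp of the newest line in /var/log/messages against `date`; any lag larger than findtime means the jail can never fill its window, however many lines fail2ban-regex reports as matched.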