Fail2Ban WordPress filter not working on Debian VPS


I can't get the WordPress Fail2Ban filter to work properly. I installed the WP Fail2Ban plugin with the latest update, which has some changes, but nothing is being blocked.

Here is the log line for a failed login:

Apr 11 23:39:13 server wp(domain.com.au)[26365]: Authentication attempt for unknown user test2 from 123.456.789.000

This is my wordpress.conf filter:

[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]
_daemon = (?:wordpress|wp)

failregex = ^%(__prefix_line)sAuthentication attempt for unknown user .* from <HOST>$
        ^%(__prefix_line)sBlocked authentication attempt for .* from <HOST>$
        ^%(__prefix_line)sBlocked user enumeration attempt from <HOST>$
        ^%(__prefix_line)sPingback error .* generated from <HOST>$

ignoreregex =

My jail.local:

[wordpress]
enabled = true
port = http,https
filter = wordpress
logpath = /var/log/auth.log
maxretry = 3

When I test it by running:

sudo fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/wordpress.conf

I get:

Running tests
=============

Use   failregex file : /etc/fail2ban/filter.d/wordpress.conf
Use         log file : /var/log/auth.log


Results
=======

Failregex: 5 total
|-  #) [# of hits] regular expression
|   1) [5] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?(?:wordpress|wp)(?:\(\S+\))?[\]\)]?:?|[\[\(]?(?:wordpress|wp)(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*Authentication attempt for unknown user .* from <HOST>$
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [273] MONTH Day Hour:Minute:Second
`-

Lines: 273 lines, 0 ignored, 5 matched, 268 missed
Missed line(s): too many to print.  Use --print-all-missed to print all 268 lines

It is picked up by fail2ban-regex, but for some reason no ban happens.

Checking the wordpress jail status:

sudo fail2ban-client status wordpress

Result:

Status for the jail: wordpress
|- filter
|  |- File list:    /var/log/auth.log
|  |- Currently failed: 0
|  `- Total failed: 0
`- action
   |- Currently banned:    0
   |  `- IP list:
   `- Total banned:    0

Any ideas?

The other filters work fine, only this one doesn't. Could the action have something to do with it? I'm using:

action = %(action_mwl)s

Thanks

Edit: As requested, here are 4 failed login attempts from auth.log:

Apr 12 19:29:06 server wp(domain.com.au)[26365]: Authentication attempt for unknown user test from 000.000.000.000
Apr 12 19:29:20 server wp(domain.com.au)[26519]: Authentication attempt for unknown user test from 000.000.000.000
Apr 12 19:29:31 server wp(domain.com.au)[26530]: Authentication attempt for unknown user test from 000.000.000.000
Apr 12 19:29:41 server wp(domain.com.au)[26365]: Authentication attempt for unknown user test from 000.000.000.000

Here is my Fail2Ban jail.local (summary):

# Fail2Ban configuration file.

[DEFAULT]
ignoreip = 127.0.0.1/8
ignorecommand =
bantime  = 2592000
findtime = 10000
maxretry = 4
backend = auto
usedns = warn

destemail = [email protected]
sendername = Fail2Ban
sender = [email protected]

banaction = iptables-multiport
mta = mail
protocol = tcp
chain = INPUT

# Action shortcuts. To be used to define action parameter

# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]

# ban & send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
          %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s", sendername="%(sendername)s"]

# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
           %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s", sendername="%(sendername)s"]

# Choose default action.  To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g.  action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = %(action_mwl)s

# JAILS

[ssh]
enabled  = true
port     = 22
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 3

[wordpress]
enabled = true
port = http,https
filter = wordpress
logpath = /var/log/auth.log
maxretry = 3

[ssh-ddos]
enabled  = true
port     = 25631
filter   = sshd-ddos
logpath  = /var/log/auth.log
maxretry = 6

[nginx-http-auth]
enabled = true
filter  = nginx-http-auth
port    = http,https
logpath = /var/log/nginx/error.log

#Custom

[nginx-badbots]
enabled  = true
port     = http,https
filter   = nginx-badbots
logpath  = /var/log/nginx/access.log
maxretry = 2

[nginx-nohome]
enabled  = true
port     = http,https
filter   = nginx-nohome
logpath  = /var/log/nginx/access.log
maxretry = 2

[nginx-noproxy]
enabled  = true
port     = http,https
filter   = nginx-noproxy
logpath  = /var/log/nginx/access.log
maxretry = 2
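As an added example (not part of the original question, and not Fail2Ban's own code), the following Python script replays auth.log-style lines through the four message patterns of the wordpress.conf filter above and applies a findtime/maxretry window the way a jail counts failures, so the difference between "fail2ban-regex matches" and "the jail bans" can be reasoned about on sample data. The prefix regex is a simplified stand-in for Fail2Ban's `__prefix_line`, `<HOST>` is narrowed to IPv4 only, the log lines and their addresses are constructed (documentation ranges, not the poster's), and the year is assumed because syslog timestamps carry none.

```python
"""Replay auth.log-style lines through a WordPress-style failregex and a
findtime/maxretry window, the way a Fail2Ban jail counts failures."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (not from the original post); the addresses are
# documentation ranges chosen for this example.
SAMPLE_LOG = """\
Apr 12 19:29:06 server wp(domain.com.au)[26365]: Authentication attempt for unknown user test from 203.0.113.10
Apr 12 19:29:20 server wp(domain.com.au)[26519]: Authentication attempt for unknown user test from 203.0.113.10
Apr 12 19:29:31 server wp(domain.com.au)[26530]: Authentication attempt for unknown user test from 203.0.113.10
Apr 12 19:29:41 server wp(domain.com.au)[26365]: Authentication attempt for unknown user test from 203.0.113.10
Apr 12 19:30:02 server sshd[27000]: Failed password for root from 198.51.100.7 port 2222 ssh2
Apr 12 19:35:15 server wp(domain.com.au)[26600]: Blocked user enumeration attempt from 198.51.100.7
"""

# Simplified stand-in for Fail2Ban's __prefix_line (assumption: syslog timestamp,
# hostname, then the daemon name with optional "(site)" and "[pid]" suffixes).
PREFIX = (r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
          r"(?:wordpress|wp)(?:\(\S+\))?(?:\[\d+\])?: ")
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"  # IPv4 only, unlike Fail2Ban's <HOST>

# The four message patterns from the wordpress.conf above, with <HOST> expanded.
FAILREGEX = [re.compile(PREFIX + msg.replace("<HOST>", HOST)) for msg in (
    r"Authentication attempt for unknown user .* from <HOST>$",
    r"Blocked authentication attempt for .* from <HOST>$",
    r"Blocked user enumeration attempt from <HOST>$",
    r"Pingback error .* generated from <HOST>$",
)]


def parse_failure(line):
    """Return (timestamp, host) if the line matches a failregex, else None."""
    for rx in FAILREGEX:
        m = rx.match(line)
        if m:
            # syslog lines carry no year; a fixed leap year keeps deltas correct
            ts = datetime.strptime("2000 " + m.group("ts"), "%Y %b %d %H:%M:%S")
            return ts, m.group("host")
    return None


def simulate_jail(log_text, maxretry=3, findtime=10000, bantime=2592000):
    """Count failures per host inside a sliding findtime window and record
    the moment each host would be banned (maxretry hits within findtime)."""
    attempts = defaultdict(deque)
    banned_until = {}
    report = {"matched": 0, "bans": []}
    for line in log_text.splitlines():
        hit = parse_failure(line)
        if hit is None:
            continue
        ts, host = hit
        report["matched"] += 1
        if host in banned_until and ts < banned_until[host]:
            continue  # already banned: nothing new happens until bantime expires
        window = attempts[host]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()  # drop hits older than findtime
        if len(window) >= maxretry:
            banned_until[host] = ts + timedelta(seconds=bantime)
            report["bans"].append((host, ts.strftime("%b %d %H:%M:%S")))
            window.clear()
    return report


if __name__ == "__main__":
    for name, kwargs in (("jail settings from the post", {}), ("findtime=20", {"findtime": 20})):
        r = simulate_jail(SAMPLE_LOG, **kwargs)
        print(f"{name}: matched={r['matched']} bans={r['bans']}")
```

With the posted settings (maxretry = 3, findtime = 10000) the four attempts from one address trigger a ban on the third hit, while the sshd line is never counted by this filter; shrinking findtime to 20 seconds spreads the same hits across windows and no ban results, which is the kind of timing effect a `fail2ban-regex` run on a whole log file does not show, since it only reports matches.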
