UFW 未阻止 IP

tag-icon tag-icon 16.04 ufw fail2ban
UFW 未阻止 IP

所以我正在使用 fail2ban、ufw 和 wordpress(NGINX)。

我制作了一个插件,用于在登录失败时创建 401

function wp_login_failed_403_res() {
  status_header(403);
}
add_action( 'wp_login_failed', 'wp_login_failed_403_res' );

Ofc fail2ban 已安装并且 UFW 已激活。

在 jail.local 里面我有这个

[wordpress]

enabled  = true
port     = http,https
filter   = wordpress-login
logpath  = /var/www/site.com/logs/site_nginx.access.log
banaction = ufw-nginx
bantime  = 60
maxretry = 3

在 action.d/ufw-nginx 里面我有这个

[Definition]
actionstart =
actionstop =
actioncheck =
actionban = ufw insert 1 deny from <ip> to any app "Nginx Full"
actionunban = ufw delete deny from <ip> to any app "Nginx Full"

在 filter.d/wordpress-login 中我有这个:

[Definition]
failregex = <HOST>.*POST.*(wp-login\.php|xmlrpc\.php).* 401
ignoreregex =

所以我试图阻止自己:) 我正在查看日志,我可以看到 nginx 在每次登录失败时都会注册 401。

fail2ban 日志显示如下:

2017-11-21 20:23:55,906 fail2ban.filter         [10049]: INFO    [wordpress] Found ip.adress.here.xx
2017-11-21 20:24:50,330 fail2ban.actions        [10049]: NOTICE  [wordpress] Unban ip.adress.here.xx
2017-11-21 20:34:10,758 fail2ban.filter         [10049]: INFO    [wordpress] Found ip.adress.here.xx
2017-11-21 20:34:13,642 fail2ban.filter         [10049]: INFO    [wordpress] Found ip.adress.here.xx
2017-11-21 20:34:16,704 fail2ban.filter         [10049]: INFO    [wordpress] Found ip.adress.here.xx
2017-11-21 20:34:17,184 fail2ban.actions        [10049]: NOTICE  [wordpress] Ban ip.adress.here.xx
2017-11-21 20:34:19,240 fail2ban.filter         [10049]: INFO    [wordpress] Found ip.adress.here.xx
2017-11-21 20:34:21,789 fail2ban.filter         [10049]: INFO    [wordpress] Found ip.adress.here.xx
2017-11-21 20:34:25,776 fail2ban.filter         [10049]: INFO    [wordpress] Found ip.adress.here.xx
2017-11-21 20:34:26,508 fail2ban.actions        [10049]: NOTICE  [wordpress] ip.adress.here.xx already banned

UFW 表示:

# ufw status                                                                              
Status: active

To                         Action      From
--                         ------      ----
Nginx Full                 DENY        ip.adress.here.xx
OpenSSH                    DENY        other.ip.adress.xxx

被禁言后我仍然可以访问和登录(在 fail2ban 解除对我的禁言之前)

我是不是遗漏了什么?

答案1

看起来您返回了 403:

function wp_login_failed_403_res() {
  status_header(403);
}
add_action( 'wp_login_failed', 'wp_login_failed_403_res' );

检查 401:

[Definition]
failregex = <HOST>.*POST.*(wp-login\.php|xmlrpc\.php).* 401
ignoreregex =

此外,您可能应该检查日志文件中写入的确切日志消息,并验证您的正则表达式是否与该行匹配。

相关内容