apache error wp-login.php & testproxy.php not found or unable to stat

July 15, 2017 2k views
Apache Security WordPress Ubuntu

Hi I've been getting these errors in my apache error log (/var/log/apache2/error.log) -

[Fri Jul 14 20:03:05.655198 2017] [:error] [pid 27999] [client] script '/var/www/html/wp-login.php' not found or unable to stat
[Sat Jul 15 00:47:36.775033 2017] [:error] [pid 30209] [client] script '/var/www/html/testproxy.php' not found or unable to stat

I've installed fail2ban and can see in the log (/var/log/fail2ban.log) its been banning IPs for the jails setup -

2017-07-15 01:01:11,573 fail2ban.actions: WARNING [wordpress-login] Ban
2017-07-15 07:48:29,518 fail2ban.actions: WARNING [wordpress-xmlrpc] Ban
2017-07-15 07:48:30,312 fail2ban.actions: WARNING [http-get-dos] Ban
2017-07-15 07:57:15,893 fail2ban.actions: WARNING [ssh] Ban
2017-07-15 07:57:16,139 fail2ban.actions: WARNING [apache-nokiddies] Ban

What can I do to stop wp-login.php and testproxy.php from appearing in the apache error log? Have I setup fail2ban wrong or am I missing something?

Below are all the fails inside jail.local -

enabled = true
filter = wordpress-hard
logpath =  /var/log/auth.log
maxretry = 1
port = http,https

enabled  = true
filter   = wordpress-xmlrpc
action   = iptables-multiport[name=WordPressXMLRPC, port="http,https"]
logpath  = /var/log/apache2/*access.log
maxretry = 1

enabled = true
port = http,https
filter = wordpress-login
action = iptables-multiport[name=wordpress, port="http,https", protocol=tcp]
logpath = /var/log/apache2/*access.log
maxretry = 2

enabled = true
filter = cron
action = iptables[name=cron, port="http,https", protocol=tcp]
logpath = /var/log/apache2/access.log
maxretry = 1

enabled  = true
port     = http,https
filter   = apache-livewhale
logpath  = /var/log/apache*/*error.log
maxretry = 0

enabled = true
port = http,https
filter = http-get-dos
logpath = /var/log/apache2/access.log
maxretry = 1
action = iptables[name=HTTP, port=http, protocol=tcp]

enabled  = true
port     = http,https
filter   = apache-nokiddies
logpath  = /var/log/apache*/*access.log
maxretry = 1


failregex = ^<HOST> -.*"(GET|POST).*
ignoreregex =


failregex = ^<HOST> .*"GET .*w00tw00t
# try to access to admin directory
            ^<HOST> .*"GET .*admin.* 403
            ^<HOST> .*"GET .*admin.* 404
# try to access to install directory
            ^<HOST> .*"GET .*install.* 404
# try to access to phpmyadmin
            ^<HOST> .*"GET .*dbadmin.* 404
            ^<HOST> .*"GET .*myadmin.* 404
            ^<HOST> .*"GET .*MyAdmin.* 404
            ^<HOST> .*"GET .*mysql.* 404
            ^<HOST> .*"GET .*websql.* 404
            ^<HOST> .*"GET \/pma\/.* 404
# try to access to wordpress (we use another CMS)
            ^<HOST> .*"GET .*wp-content.* 404
            ^<HOST> .*"GET .*wp-login.* 404
# try to access to typo3 (we use another CMS)
            ^<HOST> .*"GET .*typo3.* 404
# try to access to tomcat (we do not use it)      
            ^<HOST> .*"HEAD .*manager.* 404
# try to access various strange scripts and malwares
            ^<HOST> .*"HEAD .*blackcat.* 404
            ^<HOST> .*"HEAD .*sprawdza.php.* 404

ignoreregex = 


before = common.conf


acunetix = response\.write\(\d+\*\d+\)|now\(\)|sysdate\(\)|sleep\(\d*\)|waitfor delay|pg_sleep\(\d*\)|';|' AND|" AND|set\|set\&set|SomeCustomInjectedHeader|;select
acunetix_invalid = /etc/|/invalid
kidc = GetSimple_2\.01|Factux|Madirish_Webmail|idioma|jevoncms|facil-cms|phpunity\.newsmanager|dloadstplates|phpdirectorgameedition|tendersystem|mariecms|microcms|micro_cms_files|vtigercrm|dnet_admin|FunGamez|kipper20|skysilver
ripe = ACGVnews|AdaptCMS_Lite_1\.4_2|BetaBlockModules|Contenido_4\.8\.4|DFF_PHP_FrameworkAPI-latest|Dir_phNNTP|DynaTracker_v151|Easysite-2\.0_path|FormTools1_5_0|Mamblog|NuclearBB|OpenSiteAdmin|PHPDJ_v05|SPIP-v1-7-2|SQuery|SazCart|WordPress_Files|advanced_comment_system|modx-0\.9\.6\.2|mxBB|olbookmarks-0\.7\.4|ossigeno-suite-2\.2_pre1|phpAdsNew-2\.0\.7|phpBB2|phpMyConferences_8\.0\.2|phpQLAdmin-2\.2\.7|phpSiteBackup-0\.1|plume-1\.1\.3|pmapper-3\.2-beta3|pmi_v28|podcastgen1\.0beta2|post_static_0-11|qsgen_0\.7\.2c
ripe_nostat = 123flashchat|BE_config|CoupleDB|MOD_forum_fields_parse|addvip|admin\.loudmouth|anzagien|auth\.sessions\.inc|b2verifauth|bb_admin|ch_readalso|cls_fast_template|ezusermanager_pwd_forgott|fcring|fonctions_racine|hioxBannerRotate|functions_user_viewed_posts|pafiledb_constants|themen_portal_mitte|usercp_register|migrateNE2toNE3|naboard_pnr|nukebrowser|php-include-robotsservices

# Option:  failregex
# Notes.:  Regexp to catch vulnerability scanners.
# Values:  TEXT
failregex = ^\[[^\]]+\] \[error\] \[client <HOST>\].*File does not exist: .*(%(acunetix)s).*$
            ^\[[^\]]+\] \[error\] \[client <HOST>\].*Invalid URI in request .*(%(acunetix_invalid)s).*$
            ^\[[^\]]+\] \[error\] \[client <HOST>\].*File does not exist: .*/(%(kidc)s)$
            ^\[[^\]]+\] \[error\] \[client <HOST>\].*File does not exist: .*/(%(ripe)s)$
            ^\[[^\]]+\] \[error\] \[client <HOST>\].*script .*/(%(ripe_nostat)s)\.php.* unable to stat$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
ignoreregex =


failregex = ^<HOST> .*POST .*wp-cron\.php.*
ignoreregex =


before = common.conf
_daemon = (?:wordpress|wp)
failregex = ^%(__prefix_line)sAuthentication attempt for unknown user .* from <HOST>$
            ^%(__prefix_line)sBlocked user enumeration attempt from <HOST>$
            ^%(__prefix_line)sBlocked authentication attempt for .* from <HOST>$
            ^%(__prefix_line)sPingback error .* generated from <HOST>$
            ^%(__prefix_line)sSpam comment \d+ from <HOST>$
            ^%(__prefix_line)sXML-RPC authentication attempt for unknown user .* from <HOST>$
            ^%(__prefix_line)sXML-RPC multicall authentication failure from <HOST>$
ignoreregex =


failregex = ^<HOST> .*POST .*xmlrpc\.php.*
ignoreregex =


failregex = ^<HOST> .* "POST .*wp-login.php
ignoreregex =
1 Answer

> What can I do to stop wp-login.php and testproxy.php from appearing in the apache error log?

For fail2ban to work, I believe you need these items to appear in your error log. Fail2ban reads the error log, checks for these items, and then bans the offenders using iptables.

Hope this helps :)

Have another answer? Share your knowledge.