Question

apache error wp-login.php & testproxy.php not found or unable to stat

Hi I’ve been getting these errors in my apache error log (/var/log/apache2/error.log) -

[Fri Jul 14 20:03:05.655198 2017] [:error] [pid 27999] [client 158.69.6.133:52294] script '/var/www/html/wp-login.php' not found or unable to stat
[Sat Jul 15 00:47:36.775033 2017] [:error] [pid 30209] [client 91.196.50.33:55531] script '/var/www/html/testproxy.php' not found or unable to stat

I’ve installed fail2ban and can see in its log (/var/log/fail2ban.log) that it’s been banning IPs for the jails I set up -

2017-07-15 01:01:11,573 fail2ban.actions: WARNING [wordpress-login] Ban 78.188.97.162
2017-07-15 07:48:29,518 fail2ban.actions: WARNING [wordpress-xmlrpc] Ban 79.113.42.94
2017-07-15 07:48:30,312 fail2ban.actions: WARNING [http-get-dos] Ban 113.62.25.96
2017-07-15 07:57:15,893 fail2ban.actions: WARNING [ssh] Ban 165.227.8.24
2017-07-15 07:57:16,139 fail2ban.actions: WARNING [apache-nokiddies] Ban 220.130.181.50

What can I do to stop wp-login.php and testproxy.php from appearing in the apache error log? Have I set up fail2ban wrong, or am I missing something?

Below are all the jails inside jail.local, followed by the filter files they use -

# Jail: ban on lines in /var/log/auth.log that match the wordpress-hard filter.
# NOTE(review): that filter looks for syslog messages tagged wordpress/wp, so
# something on the WordPress side has to be writing them (presumably a
# logging plugin). Confirm it is installed; without it this jail has nothing
# to match.
[wordpress-hard]
enabled = true
filter = wordpress-hard
logpath =  /var/log/auth.log
# A single matching line is enough to trigger a ban.
maxretry = 1
port = http,https

# Jail: ban clients whose access-log lines match the wordpress-xmlrpc filter,
# i.e. any POST to xmlrpc.php.
# NOTE(review): with maxretry = 1 the first such POST bans the address whether
# or not it was hostile. If any legitimate XML-RPC client is in use, it needs
# an ignoreip entry or a higher threshold.
[wordpress-xmlrpc]
enabled  = true
filter   = wordpress-xmlrpc
action   = iptables-multiport[name=WordPressXMLRPC, port="http,https"]
logpath  = /var/log/apache2/*access.log
maxretry = 1

# Jail: ban clients that POST to wp-login.php, as seen in the access logs.
# NOTE(review): the filter does not look at the response status, so a
# successful login counts the same as a failed one. With maxretry = 2 a real
# user who mistypes a password once can lock themselves out; consider a
# higher threshold plus ignoreip for known admin addresses.
[wordpress-login]
enabled = true
port = http,https
filter = wordpress-login
action = iptables-multiport[name=wordpress, port="http,https", protocol=tcp]
logpath = /var/log/apache2/*access.log
maxretry = 2

# Jail: ban clients that POST to wp-cron.php, as seen in the access log.
# NOTE(review): WordPress normally triggers wp-cron.php with a request from
# the server itself; make sure the server's own addresses are covered by
# ignoreip, otherwise this jail can ban the host it protects.
# NOTE(review): this uses the single-port `iptables` action but passes a list
# of two ports. The other jails use iptables-multiport for the same list;
# verify that the ban rule is actually installed when this jail fires.
[cron]
enabled = true
filter = cron
action = iptables[name=cron, port="http,https", protocol=tcp]
logpath = /var/log/apache2/access.log
maxretry = 1

# Jail: ban clients whose Apache error-log lines match the apache-livewhale
# filter (scanner signatures). This is the only jail here that reads the
# error log; all the others read auth.log or the access logs.
[apache-livewhale]
enabled  = true
port     = http,https
filter   = apache-livewhale
logpath  = /var/log/apache*/*error.log
# NOTE(review): 0 is presumably meant as "ban on the first match"; confirm
# how the installed fail2ban version treats a zero threshold.
maxretry = 0

# Jail: intended as a request-flood detector on the access log.
# NOTE(review): the http-get-dos filter matches every GET or POST line, so
# with maxretry = 1 each visitor is banned on their first request. A flood
# detector needs a high maxretry counted over a short findtime; neither is
# set here, so the defaults from the [DEFAULT] section apply to findtime.
[http-get-dos]
enabled = true
port = http,https
filter = http-get-dos
logpath = /var/log/apache2/access.log
maxretry = 1
# NOTE(review): the ban rule covers port http only, so a banned address can
# still reach the site over https.
action = iptables[name=HTTP, port=http, protocol=tcp]

# Jail: ban clients whose access-log lines match the apache-nokiddies filter
# (requests for admin panels, installers and CMS paths that return 403/404).
# No action is given, so the default ban action from [DEFAULT] is used.
[apache-nokiddies]
enabled  = true
port     = http,https
filter   = apache-nokiddies
logpath  = /var/log/apache*/*access.log
# One matching request is enough to ban; the filter patterns are broad, so
# expect some false positives at this threshold.
maxretry = 1

http-get-dos.conf

# Filter for the http-get-dos jail.
# The pattern matches every access-log line that records a GET or POST, so it
# counts ordinary page views as failures. It only works as a flood detector
# when the jail pairs it with a high maxretry over a short findtime.
[Definition]
failregex = ^<HOST> -.*"(GET|POST).*
ignoreregex =

apache-nokiddies.conf

# Filter for the apache-nokiddies jail: access-log lines for requests to paths
# this site does not serve.
# NOTE(review): every pattern is open-ended (`.*` on both sides of the
# keyword), so the keyword may appear anywhere after the method, not only in
# the request path, and only GET/HEAD requests are covered. A POST to
# wp-login.php, for example, is left to the wordpress-login filter.
[Definition]
failregex = ^<HOST> .*"GET .*w00tw00t
# requests for an admin directory
            ^<HOST> .*"GET .*admin.* 403
            ^<HOST> .*"GET .*admin.* 404
# requests for an install directory
            ^<HOST> .*"GET .*install.* 404
# requests for phpMyAdmin and similar database front ends
            ^<HOST> .*"GET .*dbadmin.* 404
            ^<HOST> .*"GET .*myadmin.* 404
            ^<HOST> .*"GET .*MyAdmin.* 404
            ^<HOST> .*"GET .*mysql.* 404
            ^<HOST> .*"GET .*websql.* 404
            ^<HOST> .*"GET \/pma\/.* 404
# requests for WordPress paths (the original author of this filter ran another CMS)
            ^<HOST> .*"GET .*wp-content.* 404
            ^<HOST> .*"GET .*wp-login.* 404
# requests for TYPO3 paths (likewise not in use)
            ^<HOST> .*"GET .*typo3.* 404
# requests for the Tomcat manager (not in use)
            ^<HOST> .*"HEAD .*manager.* 404
# requests for assorted scanner and malware script names
            ^<HOST> .*"HEAD .*blackcat.* 404
            ^<HOST> .*"HEAD .*sprawdza.php.* 404

ignoreregex = 

apache-livewhale

# Filter for the apache-livewhale jail: Apache error-log lines produced by
# vulnerability scanners.
[INCLUDES]
before = common.conf

[Definition]

# Keyword lists interpolated into failregex below via %(name)s.
# acunetix / acunetix_invalid: injection-test strings and invalid-URI probes.
# kidc, ripe, ripe_nostat: names of third-party applications and scripts that
# scanners request. Neither wp-login nor testproxy is in any of these lists.
acunetix = response\.write\(\d+\*\d+\)|now\(\)|sysdate\(\)|sleep\(\d*\)|waitfor delay|pg_sleep\(\d*\)|';|' AND|" AND|set\|set\&set|SomeCustomInjectedHeader|;select
acunetix_invalid = /etc/|/invalid
kidc = GetSimple_2\.01|Factux|Madirish_Webmail|idioma|jevoncms|facil-cms|phpunity\.newsmanager|dloadstplates|phpdirectorgameedition|tendersystem|mariecms|microcms|micro_cms_files|vtigercrm|dnet_admin|FunGamez|kipper20|skysilver
ripe = ACGVnews|AdaptCMS_Lite_1\.4_2|BetaBlockModules|Contenido_4\.8\.4|DFF_PHP_FrameworkAPI-latest|Dir_phNNTP|DynaTracker_v151|Easysite-2\.0_path|FormTools1_5_0|Mamblog|NuclearBB|OpenSiteAdmin|PHPDJ_v05|SPIP-v1-7-2|SQuery|SazCart|WordPress_Files|advanced_comment_system|modx-0\.9\.6\.2|mxBB|olbookmarks-0\.7\.4|ossigeno-suite-2\.2_pre1|phpAdsNew-2\.0\.7|phpBB2|phpMyConferences_8\.0\.2|phpQLAdmin-2\.2\.7|phpSiteBackup-0\.1|plume-1\.1\.3|pmapper-3\.2-beta3|pmi_v28|podcastgen1\.0beta2|post_static_0-11|qsgen_0\.7\.2c
ripe_nostat = 123flashchat|BE_config|CoupleDB|MOD_forum_fields_parse|addvip|admin\.loudmouth|anzagien|auth\.sessions\.inc|b2verifauth|bb_admin|ch_readalso|cls_fast_template|ezusermanager_pwd_forgott|fcring|fonctions_racine|hioxBannerRotate|functions_user_viewed_posts|pafiledb_constants|themen_portal_mitte|usercp_register|migrateNE2toNE3|naboard_pnr|nukebrowser|php-include-robotsservices

# Option:  failregex
# Notes.:  Regexp to catch vulnerability scanners.
# Values:  TEXT
# NOTE(review): every pattern requires `[error] [client <HOST>]` directly
# after the timestamp. An error log whose lines read
# `[:error] [pid N] [client IP:port]` does not fit that prefix, so none of
# these would match it. Check a real log line with fail2ban-regex before
# relying on this jail.
failregex = ^\[[^\]]+\] \[error\] \[client <HOST>\].*File does not exist: .*(%(acunetix)s).*$
            ^\[[^\]]+\] \[error\] \[client <HOST>\].*Invalid URI in request .*(%(acunetix_invalid)s).*$
            ^\[[^\]]+\] \[error\] \[client <HOST>\].*File does not exist: .*/(%(kidc)s)$
            ^\[[^\]]+\] \[error\] \[client <HOST>\].*File does not exist: .*/(%(ripe)s)$
            ^\[[^\]]+\] \[error\] \[client <HOST>\].*script .*/(%(ripe_nostat)s)\.php.* unable to stat$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

cron.conf

# Filter for the cron jail: any access-log line recording a POST to
# wp-cron.php, regardless of response status or origin.
# NOTE(review): the pattern cannot tell WordPress's own scheduled requests
# from external ones; exclusion of trusted addresses has to happen in the
# jail (ignoreip) or here (ignoreregex).
[Definition]
failregex = ^<HOST> .*POST .*wp-cron\.php.*
ignoreregex =

wordpress-hard.conf

# Filter for the wordpress-hard jail: syslog-style messages about WordPress
# authentication, enumeration, pingback and spam events.
[INCLUDES]
# common.conf is read first; it is presumably where __prefix_line used below
# is defined. Confirm against the installed fail2ban filter.d/common.conf.
before = common.conf
[Definition]
# Syslog tag the messages are expected to carry.
_daemon = (?:wordpress|wp)
# Each pattern is anchored at both ends and takes the client address from the
# "from <HOST>" suffix of the message.
failregex = ^%(__prefix_line)sAuthentication attempt for unknown user .* from <HOST>$
            ^%(__prefix_line)sBlocked user enumeration attempt from <HOST>$
            ^%(__prefix_line)sBlocked authentication attempt for .* from <HOST>$
            ^%(__prefix_line)sPingback error .* generated from <HOST>$
            ^%(__prefix_line)sSpam comment \d+ from <HOST>$
            ^%(__prefix_line)sXML-RPC authentication attempt for unknown user .* from <HOST>$
            ^%(__prefix_line)sXML-RPC multicall authentication failure from <HOST>$
ignoreregex =

wordpress-xmlrpc.conf

# Filter for the wordpress-xmlrpc jail: any access-log line recording a POST
# to xmlrpc.php. The response status is not checked, so accepted and rejected
# calls count alike.
[Definition]
failregex = ^<HOST> .*POST .*xmlrpc\.php.*
ignoreregex =

wordpress-login.conf

# Filter for the wordpress-login jail: any access-log line recording a POST
# to wp-login.php. The response status is not checked, so a successful login
# is counted as a failure too.
# The dot in "wp-login.php" is unescaped and matches any character; the
# sibling filters escape it as "\.php".
[Definition]
failregex = ^<HOST> .* "POST .*wp-login.php
ignoreregex =

> What can I do to stop wp-login.php and testproxy.php from appearing in the apache error log?

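For fail2ban to work, I believe you need these items to appear in your error log. Fail2ban reads the log files its jails point at (here, the error log and the access logs), checks them for lines matching each filter, and then bans the offenders using iptables. Because it can only act after Apache has written the line, the first request from a new address will always be logged; the ban only stops later requests from that address.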

Hope this helps :)