By: bruno

UFW is not blocking IPs

November 21, 2017 112 views
Firewall Networking Ubuntu 16.04

So I'm working with fail2ban, UFW, and WordPress (NGINX).

I made a plugin for creating a 401 if someone fails to log in:

function wp_login_failed_403_res() {
  status_header(403);
}
add_action( 'wp_login_failed', 'wp_login_failed_403_res' );

Of course fail2ban is installed and UFW is activated.

Inside jail.local I have this:

[wordpress]

enabled  = true
port     = http,https
filter   = wordpress-login
logpath  = /var/www/site.com/logs/site_nginx.access.log
banaction = ufw-nginx
bantime  = 60
maxretry = 3

Inside action.d/ufw-nginx I have this:

[Definition]
actionstart =
actionstop =
actioncheck =
actionban = ufw insert 1 deny from <ip> to any app "Nginx Full"
actionunban = ufw delete deny from <ip> to any app "Nginx Full"

Inside filter.d/wordpress-login I have this:

[Definition]
failregex = <HOST>.*POST.*(wp-login\.php|xmlrpc\.php).* 401
ignoreregex =

So I'm trying to block myself :) I'm watching the logs and I can see that nginx is registering a 401 on every single failed login.

fail2ban log says this:

2017-11-21 20:23:55,906 fail2ban.filter         [10049]: INFO    [wordpress] Found ip.adress.here.xx
2017-11-21 20:24:50,330 fail2ban.actions        [10049]: NOTICE  [wordpress] Unban ip.adress.here.xx
2017-11-21 20:34:10,758 fail2ban.filter         [10049]: INFO    [wordpress] Found ip.adress.here.xx
2017-11-21 20:34:13,642 fail2ban.filter         [10049]: INFO    [wordpress] Found ip.adress.here.xx
2017-11-21 20:34:16,704 fail2ban.filter         [10049]: INFO    [wordpress] Found ip.adress.here.xx
2017-11-21 20:34:17,184 fail2ban.actions        [10049]: NOTICE  [wordpress] Ban ip.adress.here.xx
2017-11-21 20:34:19,240 fail2ban.filter         [10049]: INFO    [wordpress] Found ip.adress.here.xx
2017-11-21 20:34:21,789 fail2ban.filter         [10049]: INFO    [wordpress] Found ip.adress.here.xx
2017-11-21 20:34:25,776 fail2ban.filter         [10049]: INFO    [wordpress] Found ip.adress.here.xx
2017-11-21 20:34:26,508 fail2ban.actions        [10049]: NOTICE  [wordpress] ip.adress.here.xx already banned

UFW says this:

# ufw status
Status: active

To                         Action      From
--                         ------      ----
Nginx Full                 DENY        ip.adress.here.xx
OpenSSH                    DENY        other.ip.adress.xxx

I can still access and log in after the ban (before fail2ban unbans me).

Is there something I'm missing, or what?

  • Ubuntu 16.04
  • Fail2Ban v0.9.3
  • UFW 0.35

['add', 'wordpress', 'auto']
['set', 'wordpress', 'findtime', 600]
['set', 'wordpress', 'logencoding', 'auto']
['set', 'wordpress', 'maxretry', 3]
['set', 'wordpress', 'usedns', 'warn']
['set', 'wordpress', 'addignoreip', '127.0.0.1/8']
['set', 'wordpress', 'addlogpath', '/var/www/site.com/logs/site_nginx.access.log', 'head']
['set', 'wordpress', 'ignorecommand', '']
['set', 'wordpress', 'bantime', 60]
['set', 'wordpress', 'addfailregex', '<HOST>.*POST.*(wp-login\\.php|xmlrpc\\.php).* 401']
['set', 'wordpress', 'addaction', 'ufw-nginx']
['set', 'wordpress', 'action', 'ufw-nginx', 'actioncheck', '']
['set', 'wordpress', 'action', 'ufw-nginx', 'actionstart', '']
['set', 'wordpress', 'action', 'ufw-nginx', 'actionstop', '']
['set', 'wordpress', 'action', 'ufw-nginx', 'actionunban', 'ufw delete deny from <ip> to any app "Nginx Full"']
['set', 'wordpress', 'action', 'ufw-nginx', 'actionban', 'ufw insert 1 deny from <ip> to any app "Nginx Full"']
['set', 'wordpress', 'action', 'ufw-nginx', 'protocol', 'tcp']
['set', 'wordpress', 'action', 'ufw-nginx', 'port', 'http,https']
['set', 'wordpress', 'action', 'ufw-nginx', 'chain', 'INPUT']
['set', 'wordpress', 'action', 'ufw-nginx', 'name', 'wordpress']
['set', 'wordpress', 'action', 'ufw-nginx', 'bantime', '60']
['set', 'wordpress', 'addaction', 'sendmail-whois-lines']
['set', 'wordpress', 'action', 'sendmail-whois-lines', 'actioncheck', '']
['set', 'wordpress', 'action', 'sendmail-whois-lines', 'actionstart', 'printf %b "Subject: [Fail2Ban] <name>: started on `uname -n`\nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: <sendername> <<sender>>\nTo: <dest>\\n\nHi,\\n\nThe jail <name> has been started successfully.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f <sender> <dest>']
['set', 'wordpress', 'action', 'sendmail-whois-lines', 'actionstop', 'printf %b "Subject: [Fail2Ban] <name>: stopped on `uname -n`\nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: <sendername> <<sender>>\nTo: <dest>\\n\nHi,\\n\nThe jail <name> has been stopped.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f <sender> <dest>']
['set', 'wordpress', 'action', 'sendmail-whois-lines', 'actionunban', '']
['set', 'wordpress', 'action', 'sendmail-whois-lines', 'actionban', 'printf %b "Subject: [Fail2Ban] <name>: banned <ip> from `uname -n`\nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: <sendername> <<sender>>\nTo: <dest>\\n\nHi,\\n\nThe IP <ip> has just been banned by Fail2Ban after\n<failures> attempts against <name>.\\n\\n\nHere is more information about <ip> :\\n\n`/usr/bin/whois <ip> || echo missing whois program`\\n\\n\nLines containing IP:<ip> in <logpath>\\n\n`grep -E <grepopts> \'(^|[^0-9])<ip>([^0-9]|$)\' <logpath>`\\n\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f <sender> <dest>']
['set', 'wordpress', 'action', 'sendmail-whois-lines', 'grepopts', '-m 1000']
['set', 'wordpress', 'action', 'sendmail-whois-lines', 'dest', 'email@site.com']
['set', 'wordpress', 'action', 'sendmail-whois-lines', 'sendername', 'Fail2Ban']
['set', 'wordpress', 'action', 'sendmail-whois-lines', 'chain', 'INPUT']
['set', 'wordpress', 'action', 'sendmail-whois-lines', 'name', 'wordpress']
['set', 'wordpress', 'action', 'sendmail-whois-lines', 'sender', 'fail2ban']
['set', 'wordpress', 'action', 'sendmail-whois-lines', 'known/sendername', 'Fail2Ban']
['set', 'wordpress', 'action', 'sendmail-whois-lines', 'known/dest', 'root']
['set', 'wordpress', 'action', 'sendmail-whois-lines', 'known/sender', 'fail2ban']
['set', 'wordpress', 'action', 'sendmail-whois-lines', 'logpath', '/var/www/site.com/logs/site_nginx.access.log']
['start', 'wordpress']

So sorry if I'm writing this in the wrong place. If that is the case, just delete this (and so sorry again).
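Before chasing the UFW side, it is worth confirming exactly which access-log lines the posted failregex counts. The script below is an added example and is not part of the question or of fail2ban itself: it expands `<HOST>` the way fail2ban 0.9.x does, runs the posted filter over a few constructed nginx combined-format lines, and applies the jail's maxretry/findtime window to show which hosts would be banned. It also puts a tightened regex (my assumption, not from the post) beside the posted one, because the posted pattern's unanchored trailing ` 401` matches any line containing that token, including a 401-byte response size on a successful login. The IP addresses and log lines are constructed test data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Filter exactly as posted in filter.d/wordpress-login. The trailing " 401" is
# unanchored, so it also matches " 401" appearing as a byte count or elsewhere.
LOOSE_FAILREGEX = r"<HOST>.*POST.*(wp-login\.php|xmlrpc\.php).* 401"

# Tightened alternative (an assumption for this example, not from the post):
# the status code is pinned to the slot right after the quoted request line.
TIGHT_FAILREGEX = r'^<HOST> .*"POST [^"]*(?:wp-login\.php|xmlrpc\.php)[^"]*" 401 '

# The host pattern fail2ban 0.9.x substitutes for <HOST> before compiling.
HOST_PATTERN = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Jail values taken from the posted jail.local / fail2ban-client -d dump.
MAXRETRY = 3
FINDTIME = timedelta(seconds=600)
NGINX_TIME = "%d/%b/%Y:%H:%M:%S %z"

# Constructed nginx combined-format lines (documentation-range IPs).
SAMPLE_LOG = [
    '203.0.113.7 - - [21/Nov/2017:20:34:10 +0100] "POST /wp-login.php HTTP/1.1" 401 2840 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [21/Nov/2017:20:34:13 +0100] "POST /wp-login.php HTTP/1.1" 401 2840 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [21/Nov/2017:20:34:16 +0100] "POST /xmlrpc.php HTTP/1.1" 401 370 "-" "curl/7.47.0"',
    # A GET of the login form and a 403 (what status_header(403) would produce): neither is counted.
    '198.51.100.2 - - [21/Nov/2017:20:34:20 +0100] "GET /wp-login.php HTTP/1.1" 200 2840 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [21/Nov/2017:20:34:25 +0100] "POST /wp-login.php HTTP/1.1" 403 2840 "-" "Mozilla/5.0"',
    # Three successful logins (302 redirect) whose response size happens to be 401 bytes.
    '198.51.100.9 - - [21/Nov/2017:20:35:00 +0100] "POST /wp-login.php HTTP/1.1" 302 401 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [21/Nov/2017:20:35:05 +0100] "POST /wp-login.php HTTP/1.1" 302 401 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [21/Nov/2017:20:35:10 +0100] "POST /wp-login.php HTTP/1.1" 302 401 "-" "Mozilla/5.0"',
]


def compile_failregex(failregex):
    """Expand <HOST> into fail2ban's named host group and compile the pattern."""
    return re.compile(failregex.replace("<HOST>", HOST_PATTERN))


def parse_line(line, failregex=LOOSE_FAILREGEX):
    """Return (timestamp, host) if the line matches the failregex, else None."""
    match = compile_failregex(failregex).search(line)
    if match is None:
        return None
    # Timestamp is taken from the bracketed nginx field; fail2ban uses its own
    # date detector for this, which is not reproduced here.
    stamp = re.search(r"\[([^\]]+)\]", line).group(1)
    return datetime.strptime(stamp, NGINX_TIME), match.group("host")


def find_bans(lines, failregex=LOOSE_FAILREGEX, maxretry=MAXRETRY, findtime=FINDTIME):
    """Sliding-window count per host; returns hosts that reach maxretry within findtime."""
    recent = defaultdict(list)
    banned = []
    for line in lines:
        parsed = parse_line(line, failregex)
        if parsed is None:
            continue
        ts, host = parsed
        # Keep only failures inside the findtime window, then add this one.
        recent[host] = [t for t in recent[host] if ts - t <= findtime] + [ts]
        if len(recent[host]) >= maxretry and host not in banned:
            banned.append(host)
    return banned


if __name__ == "__main__":
    for name, regex in (("posted", LOOSE_FAILREGEX), ("tightened", TIGHT_FAILREGEX)):
        print(f"{name} failregex would ban: {find_bans(SAMPLE_LOG, regex)}")
```

Two things the run shows. First, the 403 line is never counted by either pattern, so if the plugin really emits 403 (as `status_header(403)` does) rather than the 401 the access log is said to show, the jail would not trigger at all; the posted fail2ban log shows it does trigger, so the status in the log is what matters, and this script run over the real access log confirms which it is. Second, the posted pattern bans 198.51.100.9 after three successful logins purely because of the byte count, while the tightened pattern does not. Separately from the filter, a UFW DENY rule only stops new connections: UFW's default rules accept ESTABLISHED,RELATED traffic before the user rules are consulted, so a browser session already holding a keep-alive connection to nginx keeps working until that connection closes, which can look exactly like "I can still log in after the ban" during a 60-second bantime.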
