So I'm working with fail2ban, ufw, and WordPress (NGINX).
I made a plugin that returns a 401 when someone fails to log in:
```php
<?php
// Runs on WordPress's wp_login_failed hook and sets the HTTP status of the
// response, so the failed login shows up with that status in the nginx access log.
// NOTE: the status set here must be the one the fail2ban failregex looks for.
function wp_login_failed_403_res() {
    status_header(403);
}
add_action( 'wp_login_failed', 'wp_login_failed_403_res' );
```
Of course fail2ban is installed and UFW is activated.
Inside jail.local I have this:
```ini
[wordpress]
enabled = true
port = http,https
filter = wordpress-login
logpath = /var/www/site.com/logs/site_nginx.access.log
banaction = ufw-nginx
bantime = 60
maxretry = 3
```
Inside action.d/ufw-nginx I have this:
```ini
[Definition]
actionstart =
actionstop =
actioncheck =
actionban = ufw insert 1 deny from <ip> to any app "Nginx Full"
actionunban = ufw delete deny from <ip> to any app "Nginx Full"
```
Inside filter.d/wordpress-login I have this:
```ini
[Definition]
failregex = <HOST>.*POST.*(wp-login\.php|xmlrpc\.php).* 401
ignoreregex =
```
So I'm trying to block myself :) I'm watching the logs and I can see that nginx is registering a 401 on every single failed login.
The fail2ban log says this:
```text
2017-11-21 20:23:55,906 fail2ban.filter [10049]: INFO [wordpress] Found ip.adress.here.xx
2017-11-21 20:24:50,330 fail2ban.actions [10049]: NOTICE [wordpress] Unban ip.adress.here.xx
2017-11-21 20:34:10,758 fail2ban.filter [10049]: INFO [wordpress] Found ip.adress.here.xx
2017-11-21 20:34:13,642 fail2ban.filter [10049]: INFO [wordpress] Found ip.adress.here.xx
2017-11-21 20:34:16,704 fail2ban.filter [10049]: INFO [wordpress] Found ip.adress.here.xx
2017-11-21 20:34:17,184 fail2ban.actions [10049]: NOTICE [wordpress] Ban ip.adress.here.xx
2017-11-21 20:34:19,240 fail2ban.filter [10049]: INFO [wordpress] Found ip.adress.here.xx
2017-11-21 20:34:21,789 fail2ban.filter [10049]: INFO [wordpress] Found ip.adress.here.xx
2017-11-21 20:34:25,776 fail2ban.filter [10049]: INFO [wordpress] Found ip.adress.here.xx
2017-11-21 20:34:26,508 fail2ban.actions [10049]: NOTICE [wordpress] ip.adress.here.xx already banned
```
UFW says this:
```text
# ufw status
Status: active

To                         Action      From
--                         ------      ----
Nginx Full                 DENY        ip.adress.here.xx
OpenSSH                    DENY        other.ip.adress.xxx
```
I can still access the site and log in after the ban (before fail2ban unbans me).
Is there something I'm missing, or what?
```text
['add', 'wordpress', 'auto']
['set', 'wordpress', 'findtime', 600]
['set', 'wordpress', 'logencoding', 'auto']
['set', 'wordpress', 'maxretry', 3]
['set', 'wordpress', 'usedns', 'warn']
['set', 'wordpress', 'addignoreip', '127.0.0.1/8']
['set', 'wordpress', 'addlogpath', '/var/www/site.com/logs/site_nginx.access.log', 'head']
['set', 'wordpress', 'ignorecommand', '']
['set', 'wordpress', 'bantime', 60]
['set', 'wordpress', 'addfailregex', '<HOST>.*POST.*(wp-login\\.php|xmlrpc\\.php).* 401']
['set', 'wordpress', 'addaction', 'ufw-nginx']
['set', 'wordpress', 'action', 'ufw-nginx', 'actioncheck', '']
['set', 'wordpress', 'action', 'ufw-nginx', 'actionstart', '']
['set', 'wordpress', 'action', 'ufw-nginx', 'actionstop', '']
['set', 'wordpress', 'action', 'ufw-nginx', 'actionunban', 'ufw delete deny from <ip> to any app "Nginx Full"']
['set', 'wordpress', 'action', 'ufw-nginx', 'actionban', 'ufw insert 1 deny from <ip> to any app "Nginx Full"']
['set', 'wordpress', 'action', 'ufw-nginx', 'protocol', 'tcp']
['set', 'wordpress', 'action', 'ufw-nginx', 'port', 'http,https']
['set', 'wordpress', 'action', 'ufw-nginx', 'chain', 'INPUT']
['set', 'wordpress', 'action', 'ufw-nginx', 'name', 'wordpress']
['set', 'wordpress', 'action', 'ufw-nginx', 'bantime', '60']
['set', 'wordpress', 'addaction', 'sendmail-whois-lines']
['set', 'wordpress', 'action', 'sendmail-whois-lines', 'actioncheck', '']
['set', 'wordpress', 'action', 'sendmail-whois-lines', 'actionstart', 'printf %b "Subject: [Fail2Ban] <name>: started on `uname -n`\nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: <sendername> <<sender>>\nTo: <dest>\\n\nHi,\\n\nThe jail <name> has been started successfully.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f <sender> <dest>']
['set', 'wordpress', 'action', 'sendmail-whois-lines', 'actionstop', 'printf %b "Subject: [Fail2Ban] <name>: stopped on `uname -n`\nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: <sendername> <<sender>>\nTo: <dest>\\n\nHi,\\n\nThe jail <name> has been stopped.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f <sender> <dest>']
['set', 'wordpress', 'action', 'sendmail-whois-lines', 'actionunban', '']
['set', 'wordpress', 'action', 'sendmail-whois-lines', 'actionban', 'printf %b "Subject: [Fail2Ban] <name>: banned <ip> from `uname -n`\nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: <sendername> <<sender>>\nTo: <dest>\\n\nHi,\\n\nThe IP <ip> has just been banned by Fail2Ban after\n<failures> attempts against <name>.\\n\\n\nHere is more information about <ip> :\\n\n`/usr/bin/whois <ip> || echo missing whois program`\\n\\n\nLines containing IP:<ip> in <logpath>\\n\n`grep -E <grepopts> \'(^|[^0-9])<ip>([^0-9]|$)\' <logpath>`\\n\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f <sender> <dest>']
['set', 'wordpress', 'action', 'sendmail-whois-lines', 'grepopts', '-m 1000']
['set', 'wordpress', 'action', 'sendmail-whois-lines', 'dest', 'email@site.com']
['set', 'wordpress', 'action', 'sendmail-whois-lines', 'sendername', 'Fail2Ban']
['set', 'wordpress', 'action', 'sendmail-whois-lines', 'chain', 'INPUT']
['set', 'wordpress', 'action', 'sendmail-whois-lines', 'name', 'wordpress']
['set', 'wordpress', 'action', 'sendmail-whois-lines', 'sender', 'fail2ban']
['set', 'wordpress', 'action', 'sendmail-whois-lines', 'known/sendername', 'Fail2Ban']
['set', 'wordpress', 'action', 'sendmail-whois-lines', 'known/dest', 'root']
['set', 'wordpress', 'action', 'sendmail-whois-lines', 'known/sender', 'fail2ban']
['set', 'wordpress', 'action', 'sendmail-whois-lines', 'logpath', '/var/www/site.com/logs/site_nginx.access.log']
['start', 'wordpress']
```
So sorry if I'm writing this in the wrong place… If that is the case, just delete this (and sorry again).
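The failregex from the question is unanchored, so its trailing ` 401` can match any " 401" after the request URL, not only the status field. The script below is an added check, not part of the question or of fail2ban itself: it expands `<HOST>` the way fail2ban 0.9.x does (assumption: 0.9.x; 0.10 and later use an IPv6-aware pattern) and runs both the original pattern and a stricter one written for this example over constructed nginx "combined" log lines. fail2ban removes the matched timestamp from a line before applying failregex; the example matches the raw line instead, which does not change the result because neither pattern depends on the date field. The sample log lines, the IP addresses and the `STRICT_FAILREGEX` pattern are all constructed here.

```python
"""Offline check of a fail2ban-style failregex against constructed nginx log lines."""
import re
from collections import Counter

# fail2ban 0.9.x expands <HOST> to this pattern (assumption: 0.9.x). The optional
# "::ffff:" prefix handles IPv4-mapped addresses; the character class has no ":" and
# so cannot capture a plain IPv6 address.
HOST_PATTERN = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The failregex from the question.
ORIGINAL_FAILREGEX = r"<HOST>.*POST.*(wp-login\.php|xmlrpc\.php).* 401"

# Constructed stricter variant: host anchored at line start, and 401 must be the
# field immediately after the quoted request line, i.e. the HTTP status.
STRICT_FAILREGEX = r'^<HOST> .*"POST [^"]*(?:wp-login\.php|xmlrpc\.php)[^"]*" 401 '


def compile_failregex(failregex):
    """Expand <HOST> as fail2ban does and compile (fail2ban compiles with re.MULTILINE)."""
    return re.compile(failregex.replace("<HOST>", HOST_PATTERN), re.MULTILINE)


def matched_hosts(failregex, lines):
    """Return the host captured from every line the filter would count as a failure."""
    rx = compile_failregex(failregex)
    return [m.group("host") for m in map(rx.search, lines) if m]


def would_ban(failregex, lines, maxretry=3):
    """Hosts reaching maxretry matches (findtime is ignored: samples are seconds apart)."""
    counts = Counter(matched_hosts(failregex, lines))
    return sorted(host for host, n in counts.items() if n >= maxretry)


# Constructed sample lines in nginx "combined" format (not taken from any real server).
SAMPLE_LOG = [
    # three genuine failures from 203.0.113.10: status 401 on POST to the login endpoints
    '203.0.113.10 - - [21/Nov/2017:20:34:10 +0000] "POST /wp-login.php HTTP/1.1" 401 2838 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [21/Nov/2017:20:34:13 +0000] "POST /wp-login.php HTTP/1.1" 401 2838 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [21/Nov/2017:20:34:16 +0000] "POST /xmlrpc.php HTTP/1.1" 401 42 "-" "curl/7.47.0"',
    # a failed login answered with 403 instead of 401: neither pattern counts it
    '198.51.100.7 - - [21/Nov/2017:20:35:01 +0000] "POST /wp-login.php HTTP/1.1" 403 2838 "-" "Mozilla/5.0"',
    # three SUCCESSFUL logins (302 redirect) whose response body happens to be 401 bytes
    '192.0.2.5 - - [21/Nov/2017:20:36:00 +0000] "POST /wp-login.php HTTP/1.1" 302 401 "-" "Mozilla/5.0"',
    '192.0.2.5 - - [21/Nov/2017:20:36:05 +0000] "POST /wp-login.php HTTP/1.1" 302 401 "-" "Mozilla/5.0"',
    '192.0.2.5 - - [21/Nov/2017:20:36:09 +0000] "POST /wp-login.php HTTP/1.1" 302 401 "-" "Mozilla/5.0"',
    # simply loading the login form is not a credential failure
    '203.0.113.10 - - [21/Nov/2017:20:37:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2838 "-" "Mozilla/5.0"',
    # an IPv6 client failing three times: the 0.9-style <HOST> class cannot hold "2001:db8::1"
    '2001:db8::1 - - [21/Nov/2017:20:38:00 +0000] "POST /wp-login.php HTTP/1.1" 401 2838 "-" "Mozilla/5.0"',
    '2001:db8::1 - - [21/Nov/2017:20:38:03 +0000] "POST /wp-login.php HTTP/1.1" 401 2838 "-" "Mozilla/5.0"',
    '2001:db8::1 - - [21/Nov/2017:20:38:06 +0000] "POST /wp-login.php HTTP/1.1" 401 2838 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for label, pattern in (("original", ORIGINAL_FAILREGEX), ("strict", STRICT_FAILREGEX)):
        print(label, "matches:", Counter(matched_hosts(pattern, SAMPLE_LOG)))
        print(label, "would ban:", would_ban(pattern, SAMPLE_LOG))
```

With the sample lines, the original pattern counts the three successful logins from 192.0.2.5 as failures because " 401" appears in the bytes-sent field, and on the IPv6 lines it captures the truncated token "2001" rather than an address, so its ban list is wrong in both directions. The anchored pattern bans only 203.0.113.10. The same kind of check against a real log file is what `fail2ban-regex <logfile> <filter-file>` does, and it is worth running before trusting a hand-written failregex.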
Hello there,
Fail2ban seems to be doing its job. Could you verify that the IP address is not whitelisted via iptables or other firewall management? That would explain this behavior.
Regards