So I'm working with fail2ban, ufw, and WordPress (NGINX).

I made a plugin for creating a 401 if someone fails to log in:

function wp_login_failed_403_res() {
  // Reply with an error status on a failed login so the attempt shows up in the nginx access log
  status_header(403);
}
add_action( 'wp_login_failed', 'wp_login_failed_403_res' );

Of course fail2ban is installed and UFW is activated.

Inside jail.local I have this:

[wordpress]

enabled  = true
port     = http,https
filter   = wordpress-login
logpath  = /var/www/site.com/logs/site_nginx.access.log
banaction = ufw-nginx
bantime  = 60
maxretry = 3

Inside action.d/ufw-nginx I have this:

[Definition]
actionstart =
actionstop =
actioncheck =
actionban = ufw insert 1 deny from <ip> to any app "Nginx Full"
actionunban = ufw delete deny from <ip> to any app "Nginx Full"

Inside filter.d/wordpress-login I have this:

[Definition]
failregex = <HOST>.*POST.*(wp-login\.php|xmlrpc\.php).* 401
ignoreregex =

So I'm trying to block myself :) I'm watching the logs and I can see that nginx is registering a 401 on every single failed login.

fail2ban log says this:

2017-11-21 20:23:55,906 fail2ban.filter         [10049]: INFO    [wordpress] Found ip.adress.here.xx
2017-11-21 20:24:50,330 fail2ban.actions        [10049]: NOTICE  [wordpress] Unban ip.adress.here.xx
2017-11-21 20:34:10,758 fail2ban.filter         [10049]: INFO    [wordpress] Found ip.adress.here.xx
2017-11-21 20:34:13,642 fail2ban.filter         [10049]: INFO    [wordpress] Found ip.adress.here.xx
2017-11-21 20:34:16,704 fail2ban.filter         [10049]: INFO    [wordpress] Found ip.adress.here.xx
2017-11-21 20:34:17,184 fail2ban.actions        [10049]: NOTICE  [wordpress] Ban ip.adress.here.xx
2017-11-21 20:34:19,240 fail2ban.filter         [10049]: INFO    [wordpress] Found ip.adress.here.xx
2017-11-21 20:34:21,789 fail2ban.filter         [10049]: INFO    [wordpress] Found ip.adress.here.xx
2017-11-21 20:34:25,776 fail2ban.filter         [10049]: INFO    [wordpress] Found ip.adress.here.xx
2017-11-21 20:34:26,508 fail2ban.actions        [10049]: NOTICE  [wordpress] ip.adress.here.xx already banned

UFW says this:

# ufw status
Status: active

To                         Action      From
--                         ------      ----
Nginx Full                 DENY        ip.adress.here.xx
OpenSSH                    DENY        other.ip.adress.xxx

I can still access and log in after the ban (before fail2ban unbans me).

Is there something I'm missing, or what?

  • Ubuntu 16.04
  • Fail2Ban v0.9.3
  • UFW 0.35

['add', 'wordpress', 'auto']
['set', 'wordpress', 'findtime', 600]
['set', 'wordpress', 'logencoding', 'auto']
['set', 'wordpress', 'maxretry', 3]
['set', 'wordpress', 'usedns', 'warn']
['set', 'wordpress', 'addignoreip', '127.0.0.1/8']
['set', 'wordpress', 'addlogpath', '/var/www/site.com/logs/site_nginx.access.log', 'head']
['set', 'wordpress', 'ignorecommand', '']
['set', 'wordpress', 'bantime', 60]
['set', 'wordpress', 'addfailregex', '<HOST>.*POST.*(wp-login\\.php|xmlrpc\\.php).* 401']
['set', 'wordpress', 'addaction', 'ufw-nginx']
['set', 'wordpress', 'action', 'ufw-nginx', 'actioncheck', '']
['set', 'wordpress', 'action', 'ufw-nginx', 'actionstart', '']
['set', 'wordpress', 'action', 'ufw-nginx', 'actionstop', '']
['set', 'wordpress', 'action', 'ufw-nginx', 'actionunban', 'ufw delete deny from <ip> to any app "Nginx Full"']
['set', 'wordpress', 'action', 'ufw-nginx', 'actionban', 'ufw insert 1 deny from <ip> to any app "Nginx Full"']
['set', 'wordpress', 'action', 'ufw-nginx', 'protocol', 'tcp']
['set', 'wordpress', 'action', 'ufw-nginx', 'port', 'http,https']
['set', 'wordpress', 'action', 'ufw-nginx', 'chain', 'INPUT']
['set', 'wordpress', 'action', 'ufw-nginx', 'name', 'wordpress']
['set', 'wordpress', 'action', 'ufw-nginx', 'bantime', '60']
['set', 'wordpress', 'addaction', 'sendmail-whois-lines']
['set', 'wordpress', 'action', 'sendmail-whois-lines', 'actioncheck', '']
['set', 'wordpress', 'action', 'sendmail-whois-lines', 'actionstart', 'printf %b "Subject: [Fail2Ban] <name>: started on `uname -n`\nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: <sendername> <<sender>>\nTo: <dest>\\n\nHi,\\n\nThe jail <name> has been started successfully.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f <sender> <dest>']
['set', 'wordpress', 'action', 'sendmail-whois-lines', 'actionstop', 'printf %b "Subject: [Fail2Ban] <name>: stopped on `uname -n`\nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: <sendername> <<sender>>\nTo: <dest>\\n\nHi,\\n\nThe jail <name> has been stopped.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f <sender> <dest>']
['set', 'wordpress', 'action', 'sendmail-whois-lines', 'actionunban', '']
['set', 'wordpress', 'action', 'sendmail-whois-lines', 'actionban', 'printf %b "Subject: [Fail2Ban] <name>: banned <ip> from `uname -n`\nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: <sendername> <<sender>>\nTo: <dest>\\n\nHi,\\n\nThe IP <ip> has just been banned by Fail2Ban after\n<failures> attempts against <name>.\\n\\n\nHere is more information about <ip> :\\n\n`/usr/bin/whois <ip> || echo missing whois program`\\n\\n\nLines containing IP:<ip> in <logpath>\\n\n`grep -E <grepopts> \'(^|[^0-9])<ip>([^0-9]|$)\' <logpath>`\\n\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f <sender> <dest>']
['set', 'wordpress', 'action', 'sendmail-whois-lines', 'grepopts', '-m 1000']
['set', 'wordpress', 'action', 'sendmail-whois-lines', 'dest', 'email@site.com']
['set', 'wordpress', 'action', 'sendmail-whois-lines', 'sendername', 'Fail2Ban']
['set', 'wordpress', 'action', 'sendmail-whois-lines', 'chain', 'INPUT']
['set', 'wordpress', 'action', 'sendmail-whois-lines', 'name', 'wordpress']
['set', 'wordpress', 'action', 'sendmail-whois-lines', 'sender', 'fail2ban']
['set', 'wordpress', 'action', 'sendmail-whois-lines', 'known/sendername', 'Fail2Ban']
['set', 'wordpress', 'action', 'sendmail-whois-lines', 'known/dest', 'root']
['set', 'wordpress', 'action', 'sendmail-whois-lines', 'known/sender', 'fail2ban']
['set', 'wordpress', 'action', 'sendmail-whois-lines', 'logpath', '/var/www/site.com/logs/site_nginx.access.log']
['start', 'wordpress']

So sorry if I'm writing this in the wrong place. If that is the case, just delete this (and so sorry again).
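One thing worth checking while debugging a filter like this is exactly which access-log lines it counts as failures. The script below is an added example, not code from the question: it runs the posted failregex over a few constructed nginx log lines, shows that the trailing `.* 401` also fires on a successful login whose response happened to be 401 bytes, and contrasts it with a tightened variant that only accepts 401 as the status field. The `<HOST>` expansion is assumed to be the one fail2ban 0.9 uses, and `\[[^\]]*\]` is written to tolerate the empty `[]` that fail2ban leaves after cutting the timestamp out of the line before matching.

```python
import re

# fail2ban 0.9 expands <HOST> to this host-capturing group (assumed expansion).
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The failregex exactly as posted in the question.
POSTED_FAILREGEX = r"<HOST>.*POST.*(wp-login\.php|xmlrpc\.php).* 401"

# Tightened variant: 401 must be the status field right after the quoted
# request line, so a 401 in the bytes-sent or referrer field cannot match.
# "\[[^\]]*\]" also accepts the empty "[]" fail2ban leaves once it has
# removed the timestamp from the line before matching.
STRICT_FAILREGEX = (r'^<HOST> \S+ \S+ \[[^\]]*\] "POST [^"]*'
                    r'(?:wp-login\.php|xmlrpc\.php)[^"]*" 401 ')


def compile_failregex(failregex):
    """Expand <HOST> the way fail2ban does and compile the result."""
    return re.compile(failregex.replace("<HOST>", HOST))


def matched_hosts(failregex, lines):
    """Hosts the filter would count as a failed login, one per matching line."""
    pattern = compile_failregex(failregex)
    return [m.group("host") for m in map(pattern.search, lines) if m]


# Constructed nginx combined-format lines for the demo; not from the question.
SAMPLE_LOG = [
    # Two genuine failed logins: the plugin answered 401.
    '203.0.113.10 - - [21/Nov/2017:20:34:10 +0000] "POST /wp-login.php HTTP/1.1" 401 1234 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [21/Nov/2017:20:34:13 +0000] "POST /xmlrpc.php HTTP/1.1" 401 212 "-" "curl/7.47.0"',
    # Successful login (status 200) that happened to send exactly 401 bytes.
    '198.51.100.7 - - [21/Nov/2017:20:35:01 +0000] "POST /wp-login.php HTTP/1.1" 200 401 "-" "Mozilla/5.0"',
    # Plain page view: no POST, must never count.
    '203.0.113.12 - - [21/Nov/2017:20:35:09 +0000] "GET /wp-login.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for name, rx in (("posted", POSTED_FAILREGEX), ("strict", STRICT_FAILREGEX)):
        print(name, matched_hosts(rx, SAMPLE_LOG))
```

Running it shows the posted regex banning 198.51.100.7 for a successful login, while the strict one only reports the two real failures; `fail2ban-regex` against the live access log gives the same kind of check for the real jail.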
