UFW is not blocking IPs

So I'm working with fail2ban, ufw, and WordPress (NGINX).

I made a plugin for creating a 401 if someone fails to log in:

function wp_login_failed_403_res() {
    status_header( 401 ); // send HTTP 401 on a failed login
}
add_action( 'wp_login_failed', 'wp_login_failed_403_res' );

Ofc fail2ban is installed and UFW is activated.

Inside jail.local I have this:

[wordpress]
enabled  = true
port     = http,https
filter   = wordpress-login
logpath  = /var/www/
banaction = ufw-nginx
bantime  = 60
maxretry = 3

Inside action.d/ufw-nginx I have this:

[Definition]
actionstart =
actionstop =
actioncheck =
actionban = ufw insert 1 deny from <ip> to any app "Nginx Full"
actionunban = ufw delete deny from <ip> to any app "Nginx Full"

Inside filter.d/wordpress-login I have this:

[Definition]
failregex = <HOST>.*POST.*(wp-login\.php|xmlrpc\.php).* 401
ignoreregex =

So I'm trying to block myself :) I'm watching the logs and I can see that nginx is registering a 401 on every single failed login.

fail2ban log says this:

2017-11-21 20:23:55,906 fail2ban.filter         [10049]: INFO    [wordpress] Found
2017-11-21 20:24:50,330 fail2ban.actions        [10049]: NOTICE  [wordpress] Unban
2017-11-21 20:34:10,758 fail2ban.filter         [10049]: INFO    [wordpress] Found
2017-11-21 20:34:13,642 fail2ban.filter         [10049]: INFO    [wordpress] Found
2017-11-21 20:34:16,704 fail2ban.filter         [10049]: INFO    [wordpress] Found
2017-11-21 20:34:17,184 fail2ban.actions        [10049]: NOTICE  [wordpress] Ban
2017-11-21 20:34:19,240 fail2ban.filter         [10049]: INFO    [wordpress] Found
2017-11-21 20:34:21,789 fail2ban.filter         [10049]: INFO    [wordpress] Found
2017-11-21 20:34:25,776 fail2ban.filter         [10049]: INFO    [wordpress] Found
2017-11-21 20:34:26,508 fail2ban.actions        [10049]: NOTICE  [wordpress] already banned

UFW says this:

# ufw status                                                                              
Status: active

To                         Action      From
--                         ------      ----
Nginx Full                 DENY
OpenSSH                    DENY

I can still access and log in after the ban (before fail2ban unbans me).

Is there something I'm missing or what?

  • Ubuntu 16.04
  • Fail2Ban v0.9.3
  • UFW 0.35
['add', 'wordpress', 'auto']
['set', 'wordpress', 'findtime', 600]
['set', 'wordpress', 'logencoding', 'auto']
['set', 'wordpress', 'maxretry', 3]
['set', 'wordpress', 'usedns', 'warn']
['set', 'wordpress', 'addignoreip', '']
['set', 'wordpress', 'addlogpath', '/var/www/', 'head']
['set', 'wordpress', 'ignorecommand', '']
['set', 'wordpress', 'bantime', 60]
['set', 'wordpress', 'addfailregex', '<HOST>.*POST.*(wp-login\\.php|xmlrpc\\.php).* 401']
['set', 'wordpress', 'addaction', 'ufw-nginx']
['set', 'wordpress', 'action', 'ufw-nginx', 'actioncheck', '']
['set', 'wordpress', 'action', 'ufw-nginx', 'actionstart', '']
['set', 'wordpress', 'action', 'ufw-nginx', 'actionstop', '']
['set', 'wordpress', 'action', 'ufw-nginx', 'actionunban', 'ufw delete deny from <ip> to any app "Nginx Full"']
['set', 'wordpress', 'action', 'ufw-nginx', 'actionban', 'ufw insert 1 deny from <ip> to any app "Nginx Full"']
['set', 'wordpress', 'action', 'ufw-nginx', 'protocol', 'tcp']
['set', 'wordpress', 'action', 'ufw-nginx', 'port', 'http,https']
['set', 'wordpress', 'action', 'ufw-nginx', 'chain', 'INPUT']
['set', 'wordpress', 'action', 'ufw-nginx', 'name', 'wordpress']
['set', 'wordpress', 'action', 'ufw-nginx', 'bantime', '60']
['set', 'wordpress', 'addaction', 'sendmail-whois-lines']
['set', 'wordpress', 'action', 'sendmail-whois-lines', 'actioncheck', '']
['set', 'wordpress', 'action', 'sendmail-whois-lines', 'actionstart', 'printf %b "Subject: [Fail2Ban] <name>: started on `uname -n`\nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: <sendername> <<sender>>\nTo: <dest>\\n\nHi,\\n\nThe jail <name> has been started successfully.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f <sender> <dest>']
['set', 'wordpress', 'action', 'sendmail-whois-lines', 'actionstop', 'printf %b "Subject: [Fail2Ban] <name>: stopped on `uname -n`\nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: <sendername> <<sender>>\nTo: <dest>\\n\nHi,\\n\nThe jail <name> has been stopped.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f <sender> <dest>']
['set', 'wordpress', 'action', 'sendmail-whois-lines', 'actionunban', '']
['set', 'wordpress', 'action', 'sendmail-whois-lines', 'actionban', 'printf %b "Subject: [Fail2Ban] <name>: banned <ip> from `uname -n`\nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: <sendername> <<sender>>\nTo: <dest>\\n\nHi,\\n\nThe IP <ip> has just been banned by Fail2Ban after\n<failures> attempts against <name>.\\n\\n\nHere is more information about <ip> :\\n\n`/usr/bin/whois <ip> || echo missing whois program`\\n\\n\nLines containing IP:<ip> in <logpath>\\n\n`grep -E <grepopts> \'(^|[^0-9])<ip>([^0-9]|$)\' <logpath>`\\n\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f <sender> <dest>']
['set', 'wordpress', 'action', 'sendmail-whois-lines', 'grepopts', '-m 1000']
['set', 'wordpress', 'action', 'sendmail-whois-lines', 'dest', '']
['set', 'wordpress', 'action', 'sendmail-whois-lines', 'sendername', 'Fail2Ban']
['set', 'wordpress', 'action', 'sendmail-whois-lines', 'chain', 'INPUT']
['set', 'wordpress', 'action', 'sendmail-whois-lines', 'name', 'wordpress']
['set', 'wordpress', 'action', 'sendmail-whois-lines', 'sender', 'fail2ban']
['set', 'wordpress', 'action', 'sendmail-whois-lines', 'known/sendername', 'Fail2Ban']
['set', 'wordpress', 'action', 'sendmail-whois-lines', 'known/dest', 'root']
['set', 'wordpress', 'action', 'sendmail-whois-lines', 'known/sender', 'fail2ban']
['set', 'wordpress', 'action', 'sendmail-whois-lines', 'logpath', '/var/www/']
['start', 'wordpress']

So sorry if I'm writing this in the wrong place… If that is the case just delete this (and so sorry again).
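
Added example (not part of the original post, and not fail2ban's own code): a simplified Python model of how the posted failregex, `maxretry = 3` and `findtime = 600` decide on a ban, run over constructed nginx access-log lines. It also shows that the trailing ` 401` in the pattern is not tied to the status field, so a line with status 302 and a body size of 401 is counted as a failure. Assumptions: `<HOST>` is approximated as an IPv4 address, and the helper names and sample lines are made up for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# From the post: the failregex, maxretry = 3 and findtime = 600.
FAILREGEX = r"<HOST>.*POST.*(wp-login\.php|xmlrpc\.php).* 401"
MAXRETRY, FINDTIME = 3, 600
# Assumption: <HOST> approximated as IPv4 only; fail2ban's expansion is broader.
PATTERN = re.compile(FAILREGEX.replace("<HOST>", r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"))
STAMP = re.compile(r"\[([^\]]+)\]")

def parse(line):
    """Return (ip, timestamp) when the line matches the failregex, else None."""
    m = PATTERN.search(line)
    if m is None:
        return None
    when = datetime.strptime(STAMP.search(line).group(1), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("host"), when

def bans(lines):
    """IPs, in order, that reach MAXRETRY matches inside a FINDTIME-second window."""
    recent, banned = defaultdict(deque), []
    for entry in lines:
        hit = parse(entry)
        if hit is None:
            continue
        ip, when = hit
        window = recent[ip]
        window.append(when)
        while (when - window[0]).total_seconds() > FINDTIME:
            window.popleft()
        if len(window) >= MAXRETRY and ip not in banned:
            banned.append(ip)
    return banned

def log(ip, clock, method, status, size):
    """Build one constructed access-log line in nginx 'combined' format."""
    return (f'{ip} - - [21/Nov/2017:{clock} +0000] '
            f'"{method} /wp-login.php HTTP/1.1" {status} {size} "-" "curl/7.47.0"')

# Constructed sample data (documentation IP range), not taken from the post.
SAMPLE = (
    [log("198.51.100.10", f"20:34:1{s}", "POST", 401, 512) for s in (0, 3, 6)]    # 3 failures
    + [log("198.51.100.20", f"20:35:0{s}", "POST", 401, 512) for s in (1, 4)]     # 2 failures
    + [log("198.51.100.30", "20:36:00", "GET", 200, 3127)]                         # not a POST
    + [log("198.51.100.40", f"20:37:0{s}", "POST", 302, 401) for s in (1, 2, 3)]  # size is 401
    + [log("198.51.100.50", c, "POST", 401, 512) for c in ("20:00:00", "20:05:00", "20:16:00")]
)

if __name__ == "__main__":
    print(bans(SAMPLE))
```
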
