wp-login & fail2ban

Sunday, 21 January 2018

Hi,

I have a problem with flooding of wp-login.php. I'm trying to counter it with fail2ban, but without success.

Filter
Code:

grep -v "^#" /etc/fail2ban/filter.d/wordpress_brute_force_filter.conf

[Definition]

failregex = ^<HOST> .* "POST .*wp-login.php
            ^<HOST> .* "POST .*xmlrpc.php

ignoreregex =

Jail
Code:

cat /etc/fail2ban/jail.d/wordpress_brute_force.conf
[wordpress_brute_force]
enabled = true
port = http,https
filter = wordpress_brute_force_filter
logpath = /var/log/nginx/*access.log

The requests
Code:

grep wp-login website_access.log | tail | awk '{ print substr($0, index($0,$4)) }'
[21/Jan/2018:22:15:44 +0100] "POST /wp-login.php HTTP/1.1" 200 3371 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
[21/Jan/2018:22:15:45 +0100] "POST /wp-login.php HTTP/1.1" 200 3371 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
[21/Jan/2018:22:15:45 +0100] "POST /wp-login.php HTTP/1.1" 200 3371 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
[21/Jan/2018:22:15:48 +0100] "POST /wp-login.php HTTP/1.1" 200 3371 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
[21/Jan/2018:22:15:49 +0100] "POST /wp-login.php HTTP/1.1" 200 3371 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
[21/Jan/2018:22:15:51 +0100] "POST /wp-login.php HTTP/1.1" 200 3371 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
[21/Jan/2018:22:15:52 +0100] "POST /wp-login.php HTTP/1.1" 200 3371 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
[21/Jan/2018:22:15:53 +0100] "POST /wp-login.php HTTP/1.1" 200 3371 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"

Filter test
Code:

fail2ban-regex "/var/log/nginx/website_access.log" /etc/fail2ban/filter.d/wordpress_brute_force_filter.conf

Running tests
=============

Use  failregex filter file : wordpress_brute_force_filter, basedir: /etc/fail2ban
Use        log file : /var/log/nginx/website_access.log
Use        encoding : UTF-8

Results
=======

Failregex: 39535 total
|-  #) [# of hits] regular expression
|  1) [39534] ^<HOST> .* "POST .*wp-login.php
|  2) [1] ^<HOST> .* "POST .*xmlrpc.php
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [40188] Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
`-

Lines: 40188 lines, 0 ignored, 39535 matched, 653 missed
[processed in 8.95 sec]

Missed line(s): too many to print.  Use --print-all-missed to print all 653 lines

I can't find my mistake. Why isn't it working?
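As an added illustration (not part of the original post), the Python script below applies the post's two failregex lines to nginx access-log lines the way fail2ban does and then tallies hits per host within a findtime window, which is the step the fail2ban-regex output above does not show. The jail in the post sets neither maxretry nor findtime, so both are assumed values here, as are the IPv4 group substituted for `<HOST>` and the sample log (constructed, reusing the post's timestamps).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# failregex lines copied from the post; fail2ban substitutes its own host
# pattern for <HOST>, the IPv4-only group used here is an assumption.
FAILREGEX = [r'^<HOST> .* "POST .*wp-login.php',
             r'^<HOST> .* "POST .*xmlrpc.php']
HOST = r'(?P<host>\d{1,3}(?:\.\d{1,3}){3})'
PATTERNS = [re.compile(rx.replace('<HOST>', HOST)) for rx in FAILREGEX]
DATE_RE = re.compile(r'\[([^\]]+)\]')  # nginx combined-format timestamp

def match_line(line):
    """Return (host, timestamp) if a failregex matches the line, else None."""
    for pat in PATTERNS:
        m = pat.match(line)
        if m:
            ts = datetime.strptime(DATE_RE.search(line).group(1),
                                   '%d/%b/%Y:%H:%M:%S %z')
            return m.group('host'), ts
    return None

def hosts_to_ban(lines, maxretry=5, findtime=600):
    """A host is banned once it has maxretry hits within findtime seconds."""
    window = timedelta(seconds=findtime)
    hits, banned = defaultdict(deque), []
    for line in lines:
        found = match_line(line)
        if found is None:
            continue
        host, ts = found
        q = hits[host]
        q.append(ts)
        while ts - q[0] > window:  # forget hits older than findtime
            q.popleft()
        if len(q) >= maxretry and host not in banned:
            banned.append(host)
    return banned

def _line(ip, ts, req):  # constructed nginx line; RFC 5737 test addresses
    return f'{ip} - - [{ts}] "{req} HTTP/1.1" 200 3371 "-" "Mozilla/5.0"'
SAMPLE_LOG = [  # constructed sample, timestamps taken from the post
    _line('203.0.113.5', '21/Jan/2018:22:15:44 +0100', 'POST /wp-login.php'),
    _line('198.51.100.7', '21/Jan/2018:22:15:44 +0100', 'GET /wp-login.php'),
    _line('203.0.113.5', '21/Jan/2018:22:15:45 +0100', 'POST /wp-login.php'),
    _line('203.0.113.5', '21/Jan/2018:22:15:48 +0100', 'POST /wp-login.php'),
    _line('198.51.100.7', '21/Jan/2018:22:15:49 +0100', 'POST /xmlrpc.php'),
    _line('203.0.113.5', '21/Jan/2018:22:15:49 +0100', 'POST /wp-login.php'),
    _line('203.0.113.5', '21/Jan/2018:22:15:51 +0100', 'POST /wp-login.php'),
]
```

Note that a GET of the login page is never counted, since the post's failregex requires a POST, and a host with matching lines is only banned once enough of them fall inside the findtime window.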
