Hey list,

First, thanks for fail2ban, using it on OpenBSD and Ubuntu, big fan!

Second, I recently set up fail2ban for Wordpress on Ubuntu 14.04.2 LTS and
had some difficulty with the regex with version 0.9.1.

The Wordpress error logging on Ubuntu for failed logins looks like:
```
[Wed Feb 25 21:23:47.673043 2015] [:error] [pid 3221] [client 24.114.77.211:34566] WP login failed for username: admin, referer: http://DOMAIN/wp-login.php
```

The regular expression '(?:::f{4,6}:)?(?P<host>\S+)' did not match
correctly; my workaround was to replace '<HOST>' with '?(?P<host>\S+):\d+',
which does work.

Does this make sense?  Can I configure Apache to output a log that will
match <HOST>?  Has anyone else run into this issue?

Details below, thanks,
Gord.



Install and Config:

- Downloaded 0.9.1.tar.gz from
https://github.com/fail2ban/fail2ban/archive/0.9.1.tar.gz and installed.

- Created a new function in Wordpress to log login failures:
```
vi /var/www/wordpress/wp-content/themes/gt/functions.php
```
```
add_action('wp_login_failed', 'log_wp_login_fail');

function log_wp_login_fail($username) {
  error_log("WP login failed for username: $username");
}
```

- Tested, the output looks like:
```
[Wed Feb 25 21:23:47.673043 2015] [:error] [pid 3221] [client 24.114.77.211:34566] WP login failed for username: admin, referer: http://DOMAIN/wp-login.php
```

- Created file `/etc/fail2ban/filter.d/apache-wp-login-failed.conf` to
filter on the error message (based on internet searches and examples),
originally looked like:
```
[Definition]
failregex = .*<HOST>\] WP login failed.*
ignoreregex =
```


Analysis:

This resulted in matching the last digit of the port and adding it to a
`0.0.0.` IP, e.g. '[client 24.114.77.211:34566]' became '0.0.0.6'.

It did not match the IP correctly; I confirmed the result using `fail2ban-regex` and
https://regex101.com/

For https://regex101.com/ :

REGULAR EXPRESSION:
.*\[:error\] \[pid.*\] \[.*(?:::f{4,6}:)?(?P<host>\S+)\] WP login failed.*

TEST STRING:
[:error] [pid 3221] [client 24.114.77.211:34566] WP login failed for
username: admin, referer: http://DOMAIN/wp-login.php

MATCH INFORMATION:
MATCH 1, [46-47] `6`


Solution:

Changed the regex to replace the <HOST> alias with '?(?P<host>\S+):\d+',
filter became:
```
[Definition]
failregex = .*\[:error\] \[pid.*\] \[client .*?(?P<host>\S+):\d+\] WP login failed.*
ignoreregex =
```

Matches the IP correctly; I confirmed the result using `fail2ban-regex` and
https://regex101.com/

For https://regex101.com/ :

REGULAR EXPRESSION:
.*\[:error\] \[pid.*\] \[client .*?(?P<host>\S+):\d+\] WP login failed.*

TEST STRING:
[:error] [pid 3221] [client 24.114.77.211:34566] WP login failed for
username: admin, referer: http://DOMAIN/wp-login.php

MATCH INFORMATION:
MATCH 1, [28-41] `24.114.77.211`


Software Versions:

apt-show-versions apache2
apache2:amd64/trusty-security 2.4.7-1ubuntu4.1 uptodate

apt-show-versions python
python:amd64/trusty 2.7.5-5ubuntu3 uptodate

python --version
Python 2.7.6

cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=14.04
DISTRIB_CODENAME=trusty
DISTRIB_DESCRIPTION="Ubuntu 14.04.2 LTS"
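As an added check that is not part of Gord's post: running the two failregex patterns quoted above (with the <HOST> alias expanded exactly as the post describes it, not as taken from fail2ban's source) against a constructed copy of the Apache error_log line reproduces both results, and the comments explain the backtracking behind them.

```python
import re

# Constructed sample line, identical in shape to the error_log output quoted in the post.
LOG_LINE = ('[Wed Feb 25 21:23:47.673043 2015] [:error] [pid 3221] '
            '[client 24.114.77.211:34566] WP login failed for username: admin, '
            'referer: http://DOMAIN/wp-login.php')

# The original filter, with <HOST> expanded as the post states fail2ban 0.9.1 expands it.
# The greedy ".*" before the host group consumes as much as it can, so the host group is
# left with the shortest non-space run that can still precede "] WP login failed":
# the final digit of the port.
ORIGINAL_REGEX = (r'.*\[:error\] \[pid.*\] \[.*(?:::f{4,6}:)?(?P<host>\S+)\] '
                  r'WP login failed.*')

# The post's workaround: anchor on "[client ", make the preceding ".*?" lazy, and require
# the ":port" suffix after the host group so "\S+" has to stop before the colon.
FIXED_REGEX = (r'.*\[:error\] \[pid.*\] \[client .*?(?P<host>\S+):\d+\] '
               r'WP login failed.*')


def extract_host(regex, line):
    """Return what the host group captures for this line, or None when nothing matches."""
    match = re.match(regex, line)
    return match.group('host') if match else None


def compare_filters(line):
    """Run both filters over one line and return {label: captured host}."""
    return {
        'original': extract_host(ORIGINAL_REGEX, line),
        'fixed': extract_host(FIXED_REGEX, line),
    }


if __name__ == '__main__':
    for label, host in compare_filters(LOG_LINE).items():
        print(f'{label:9s} -> host group = {host!r}')
```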
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users