Koozali.org: home of the SME Server
Contribs.org Forums => General Discussion => Topic started by: holck on June 02, 2018, 11:24:24 AM
-
I run a website with WordPress (wordpress-4.9.5-1.el6.noarch) and fail2ban (fail2ban-0.9.6-1.el6.1.noarch). I also downloaded and installed the fail2ban plugin from WordPress (https://wordpress.org/plugins/wp-fail2ban/).
Yesterday, I experienced this attack:
Jun 1 15:19:14 myserver wordpress(mysite.dk)[18091]: XML-RPC authentication failure for myuser from 119.29.82.97
The attack lasted for half an hour, with a total of 882 attempts. It should have been caught by the wordpress-soft.conf filter in /etc/fail2ban/filter.d/, but obviously wasn't.
The filter's regex was:
failregex = ^%(__prefix_line)sAuthentication failure for .* from <HOST>$
            ^%(__prefix_line)sXML-RPC authentication failure from <HOST>$
I now have added an extra line:
failregex = ^%(__prefix_line)sAuthentication failure for .* from <HOST>$
            ^%(__prefix_line)sXML-RPC authentication failure for .* from <HOST>$
            ^%(__prefix_line)sXML-RPC authentication failure from <HOST>$
I guess this is not a bug in SME-server, but just want to provide the info.
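The mismatch described in the post above can be reproduced offline; this is an added example, not part of the original post and not fail2ban's or the plugin's own code. PREFIX and HOST are simplified stand-ins for what fail2ban substitutes for %(__prefix_line)s and <HOST>, and the sample lines are constructed with documentation-range addresses.

```python
import re

# Simplified stand-ins (assumptions) for the placeholders fail2ban expands itself.
PREFIX = r"\S+ wordpress\([^)]*\)(?:\[\d+\])?: "   # approximates %(__prefix_line)s
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"        # approximates <HOST>, IPv4 only

ORIGINAL = [
    r"^%(__prefix_line)sAuthentication failure for .* from <HOST>$",
    r"^%(__prefix_line)sXML-RPC authentication failure from <HOST>$",
]
AMENDED = ORIGINAL + [
    r"^%(__prefix_line)sXML-RPC authentication failure for .* from <HOST>$",
]

# Constructed lines modelled on the entry in the post, timestamp already
# stripped, with documentation-range addresses.
TAG = "myserver wordpress(mysite.dk)[18091]: "
SAMPLE = [
    TAG + "XML-RPC authentication failure for myuser from 192.0.2.10",
    TAG + "Authentication failure for myuser from 192.0.2.11",
    TAG + "XML-RPC authentication failure from 192.0.2.12",
    # User name that itself looks like a log suffix: the trailing $ pins
    # the capture to the last address on the line.
    TAG + "XML-RPC authentication failure for x from 198.51.100.7 from 192.0.2.13",
    TAG + "Accepted password for myuser from 192.0.2.14",
]


def compile_filter(failregex):
    """Expand both placeholders and compile each failregex line."""
    return [re.compile(p.replace("%(__prefix_line)s", PREFIX).replace("<HOST>", HOST))
            for p in failregex]


def matched_hosts(failregex, lines):
    """Return the captured host for every line that some pattern matches."""
    hosts = []
    for line in lines:
        for rx in compile_filter(failregex):
            m = rx.search(line)
            if m:
                hosts.append(m.group("host"))
                break
    return hosts


if __name__ == "__main__":
    print("original:", matched_hosts(ORIGINAL, SAMPLE))
    print("amended: ", matched_hosts(AMENDED, SAMPLE))
```

On the server itself, the fail2ban-regex tool shipped with fail2ban runs the real filter file against the real log and reports matched and missed lines.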
-
Indeed... sounds like a bug in their plugin. Clearly F2B will ban if the rule is correct.
Suggest you report it to the plugin writer.
Guess you could open a bug on the tracker as a reference.
-
I have had this for a few years, plus the fail2ban plugin installed in WordPress.
failregex = ^%(__prefix_line)sAuthentication failure for .* from <HOST>$
            ^%(__prefix_line)sAuthentication attempt for unknown user .* from <HOST>$
            ^%(__prefix_line)sBlocked user enumeration attempt from <HOST>$
            ^%(__prefix_line)sBlocked authentication attempt for .* from <HOST>$
            ^%(__prefix_line)sPingback error .* generated from <HOST>$
            ^%(__prefix_line)sSpam comment \d+ from <HOST>$
            ^%(__prefix_line)sXML-RPC authentication attempt for unknown user .* from <HOST>$
            ^%(__prefix_line)sXML-RPC multicall authentication failure from <HOST>$