wp-login & fail2ban



t0x
21.01.18, 21:31
Hi,

I have a problem with flooding of wp-login.php. I'm trying to counter it with fail2ban, but without success.

Filter


grep -v "^#" /etc/fail2ban/filter.d/wordpress_brute_force_filter.conf

[Definition]

failregex = ^<HOST> .* "POST .*wp-login.php
^<HOST> .* "POST .*xmlrpc.php

ignoreregex =


Jail

cat /etc/fail2ban/jail.d/wordpress_brute_force.conf
[wordpress_brute_force]
enabled = true
port = http,https
filter = wordpress_brute_force_filter
logpath = /var/log/nginx/*access.log


The requests


grep wp-login website_access.log | tail | awk '{ print substr($0, index($0,$4)) }'
[21/Jan/2018:22:15:44 +0100] "POST /wp-login.php HTTP/1.1" 200 3371 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
[21/Jan/2018:22:15:45 +0100] "POST /wp-login.php HTTP/1.1" 200 3371 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
[21/Jan/2018:22:15:45 +0100] "POST /wp-login.php HTTP/1.1" 200 3371 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
[21/Jan/2018:22:15:48 +0100] "POST /wp-login.php HTTP/1.1" 200 3371 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
[21/Jan/2018:22:15:49 +0100] "POST /wp-login.php HTTP/1.1" 200 3371 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
[21/Jan/2018:22:15:51 +0100] "POST /wp-login.php HTTP/1.1" 200 3371 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
[21/Jan/2018:22:15:52 +0100] "POST /wp-login.php HTTP/1.1" 200 3371 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"
[21/Jan/2018:22:15:53 +0100] "POST /wp-login.php HTTP/1.1" 200 3371 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"


Filter test


fail2ban-regex "/var/log/nginx/website_access.log" /etc/fail2ban/filter.d/wordpress_brute_force_filter.conf

Running tests
=============

Use failregex filter file : wordpress_brute_force_filter, basedir: /etc/fail2ban
Use log file : /var/log/nginx/website_access.log
Use encoding : UTF-8

Results
=======

Failregex: 39535 total
|- #) [# of hits] regular expression
| 1) [39534] ^<HOST> .* "POST .*wp-login.php
| 2) [1] ^<HOST> .* "POST .*xmlrpc.php
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
| [40188] Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
`-

Lines: 40188 lines, 0 ignored, 39535 matched, 653 missed
[processed in 8.95 sec]

Missed line(s): too many to print. Use --print-all-missed to print all 653 lines


I can't find my mistake. Why doesn't it work?
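As an added check that is not part of the post: the script below applies the two failregex lines from the filter above to constructed full nginx log lines and emulates the jail's maxretry/findtime window, so you can see which hosts the jail would ban and at which hit; the simplified `<HOST>` stand-in, the sample addresses and the default thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The poster's two failregex lines, verbatim. fail2ban expands <HOST> into a
# named group; the pattern substituted here is a simplified stand-in for that.
HOST_RE = r"(?P<host>[\w\-.:]+)"
FAILREGEX = [
    re.compile(r'^<HOST> .* "POST .*wp-login.php'.replace("<HOST>", HOST_RE)),
    re.compile(r'^<HOST> .* "POST .*xmlrpc.php'.replace("<HOST>", HOST_RE)),
]
# The nginx access-log timestamp field, e.g. [21/Jan/2018:22:15:44 +0100].
TS_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]")

def nginx_line(host, ts, method="POST", path="/wp-login.php"):
    """Constructed nginx combined-format line; the poster's awk command had
    stripped the leading client-address fields from the lines shown above."""
    return f'{host} - - [{ts} +0100] "{method} {path} HTTP/1.1" 200 3371 "-" "Mozilla/5.0"'

# Constructed sample log; 203.0.113.5 and 198.51.100.7 are documentation addresses.
SAMPLE_LOG = [nginx_line("203.0.113.5", f"21/Jan/2018:22:15:{s}")
              for s in ("44", "45", "45", "48", "49", "51")]
SAMPLE_LOG += [nginx_line("198.51.100.7", "21/Jan/2018:22:15:47", method="GET"),
               nginx_line("198.51.100.7", "21/Jan/2018:22:15:50")]

def parse_line(line):
    """Return (host, timestamp) when a failregex matches the line, else None."""
    ts = TS_RE.search(line)
    for rx in FAILREGEX:
        m = rx.search(line)
        if m and ts:
            return m.group("host"), datetime.strptime(ts.group(1), "%d/%b/%Y:%H:%M:%S")
    return None

def hosts_to_ban(lines, maxretry=5, findtime=600):
    """Emulate the jail's sliding window (fail2ban's stock maxretry=5, findtime=600s):
    a host is banned once it reaches maxretry matches within findtime seconds.
    Returns {host: timestamp of the hit that triggered the ban}."""
    window = timedelta(seconds=findtime)
    recent, banned = defaultdict(list), {}
    for line in lines:
        hit = parse_line(line)
        if hit is None or hit[0] in banned:
            continue
        host, when = hit
        recent[host] = [t for t in recent[host] if when - t <= window] + [when]
        if len(recent[host]) >= maxretry:
            banned[host] = when
    return banned
```

Note that the filter as written matches every POST to wp-login.php, successful logins included (the requests above all return 200), so the counts reflect request volume rather than failed logins.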