When parsing log file with command:
fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/apache-wp-login.conf
CPU rises to 100% usage until I kill the process. I made a quick fix - workaround with redirecting needed content from access.log to another log file.My setup is as follows:
OS: Ubuntu Server 12.04 LTS
Fail2ban: 0.8.6-3wheezy2build0.12.04.1
Python: 2.7.3-0ubuntu2.2
Fail2ban configuration:
/etc/fail2ban/fail2ban.conf
We add new entry for Wordpress# Fail2Ban configuration file## Author: Cyril Jaquier## $Revision$#[Definition]# Option: loglevel# Notes.: Set the log level output.# 1 = ERROR# 2 = WARN# 3 = INFO# 4 = DEBUG# Values: NUM Default: 3#loglevel = 4# Option: logtarget# Notes.: Set the log target. This could be a file, SYSLOG, STDERR or STDOUT.# Only one log target can be specified.# Values: STDOUT STDERR SYSLOG file Default: /var/log/fail2ban.log#logtarget = /var/log/fail2ban.log# Option: socket# Notes.: Set the socket file. This is used to communicate with the daemon. Do# not remove this file when Fail2ban runs. It will not be possible to# communicate with the server afterwards.# Values: FILE Default: /var/run/fail2ban/fail2ban.sock#socket = /var/run/fail2ban/fail2ban.sock
Add configuration to /etc/fail2ban/jail.conf
Now me make new filter for Wordpress. Some servers logs are in different format so we have to make different regex entries. These are two most common configurations:[apache-wp-login]enabled = trueport = http,httpsfilter = apache-wp-loginlogpath = /var/log/apache2/apache-wp-login.logmaxretry = 3findtime = 60
Log format example 1:
www.domain.si:80 188.65.115.90 - - [08/Nov/2013:13:20:46 +0100] "POST /en/wp-login.php HTTP/1.1" 200 1784 "http://www.domain.si/en/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1623.0 Safari/537.36"
Log format example 2:
89.222.15.152 - - [08/Nov/2013:13:40:12 +0000] "POST /wp-login.php HTTP/1.1" 200 1756 "http://domain.wordpress.com/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0"
Create /etc/fail2ban/filter.d/apache-wp-login.confFor log format example 1 use:
ATTENTION! Don't apply this filter to default access.log, it would block all POST request, not only Wordpress. Only use it with modified log file we will create bellow.[Definition]failregex = ^[^\:]+\:80 <HOST> .* "POSTignoreregex =
For log format example 2 use:
failregex = <HOST>.*] "POST /wp-login.php
ATTENTION! Don't apply this filter to log format example 1, it would block your own server, because <HOST> regex would match your domain (www.domain.si).Now we create new log file for parsing (/var/log/apache2/apache-wp-login.log). We only want to filter out POST requests for wp-login.php and write them to new log file called apache-wp-login.log.
tail --follow=name /var/log/apache2/access.log | grep --line-buffered wp-login.php > /var/log/apache2/apache-wp-login.log &
Add this command to /etc/rc.local so it would run at reboot:
#!/bin/sh -e # # rc.local # # This script is executed at the end of each multiuser runlevel. # Make sure that the script will "exit 0" on success or any other # value on error. # # In order to enable or disable this script just change the execution # bits. # # By default this script does nothing. # Fail2ban Wordpress Login tail -f /var/log/apache2/access.log | grep --line-buffered wp-login.php > /var/log/apache2/apache-wp-login.log & exit 0
Restart Fail2ban and you're done.
/etc/init.d/fail2ban restart
