On a LEMP stack running WordPress with the WP fail2ban plugin, WordPress authentication failures are logged nicely to /var/log/messages.
    $ sudo fail2ban-client version
    0.9.2
Over the past few days I have collected about 25K of these lines here, from some brute-force attempts originating in Sweden:
    Aug 17 10:48:58 ip-172-1-6-5 wordpress(mydomain.com)[29203]: Blocked authentication attempt for mydomain from 217.70.32.9
    Aug 17 10:48:58 ip-172-1-6-5 wordpress(mydomain.com)[29204]: Blocked authentication attempt for mydomain from 217.70.32.9
    Aug 17 10:48:58 ip-172-1-6-5 wordpress(mydomain.com)[29796]: Blocked authentication attempt for mydomain from 217.70.32.9
    Aug 17 10:48:58 ip-172-1-6-5 wordpress(mydomain.com)[29203]: Blocked authentication attempt for mydomain from 217.70.32.9
    Aug 17 10:48:58 ip-172-1-6-5 wordpress(mydomain.com)[29204]: Blocked authentication attempt for mydomain from 217.70.32.9
The wordpress.conf jail is enabled, and a regex test works:
    $ sudo fail2ban-regex /var/log/messages /etc/fail2ban/filter.d/wordpress.conf

    Failregex: 25865 total
    |-  #) [# of hits] regular expression
    |   1) [180] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?wordpress(?:\(\S+\))?[\]\)]?:?|[\[\(]?wordpress(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*Authentication failure for .* from <HOST>$
    |   2) [25685] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?wordpress(?:\(\S+\))?[\]\)]?:?|[\[\(]?wordpress(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*Blocked authentication attempt for .* from <HOST>$
However, nobody gets banned.
    $ sudo fail2ban-client status wordpress
    Status for the jail: wordpress
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- File list:        /var/log/messages
    `- Actions
       |- Currently banned: 0
       |- Total banned:     0
       `- Banned IP list:
Confirming that firewalld knows about it:
    $ sudo ipset list
    Name: fail2ban-wordpress
    Type: hash:ip
    Revision: 1
    Header: family inet hashsize 1024 maxelem 65536 timeout 3600
    Size in memory: 16528
    References: 1
    Members:
From jail.local:
    bantime  = 3600
    findtime = 600
    banaction = firewallcmd-ipset

    # Protect against WP login brute-force attempts via
    # https://wordpress.org/plugins/wp-fail2ban/installation/
    [wordpress]
    port = http,https
    logpath = /var/log/messages
    maxretry = 3
    enabled = true
Note how, above, we get 5 retries within a single second, which of course should trigger a ban.
In /var/log/audit/audit.log I don't see any denial messages about SELinux blocking this from working, although I am far from an SELinux expert.
Logging works. The regex works. Fail2Ban is running. The jail is enabled. Firewalld is waiting for something to happen. But nothing happens.
Banning manually also works:
    $ sudo fail2ban-client set wordpress banip 217.70.32.9
    $ sudo fail2ban-client status wordpress
    Status for the jail: wordpress
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     3
    |  `- File list:        /var/log/messages
    `- Actions
       |- Currently banned: 1
       |- Total banned:     1
       `- Banned IP list:   217.70.32.9
    $ sudo ipset list
    Name: fail2ban-wordpress
    Type: hash:ip
    Revision: 1
    Header: family inet hashsize 1024 maxelem 65536 timeout 3600
    Size in memory: 16592
    References: 1
    Members:
    217.70.32.9 timeout 3457
This seems to confirm that my jail.local is being loaded:
    $ sudo fail2ban-client status
    Status
    |- Number of jail:      6
    `- Jail list:           1, 2, 3, 4, 5, wordpress
I was using the polling backend, but I am now running Gamin. I set Fail2Ban's log level to debug, and it seems to work when I deliberately log in with wrong credentials myself:
    2015-08-18 22:57:52,874 fail2ban.filtergamin [29664]: DEBUG File changed: /var/log/messages
The regex checker keeps increasing its match count. But I can still make 20 attempts within 2 minutes without getting banned.
Where should I look next?
After several hours I finally figured out that the timestamps in /var/log/messages were two hours out of sync. That of course affects how fail2ban evaluates the findtime window.
    $ timedatectl
          Local time: Tue 2015-08-18 23:50:11 CEST
In /var/log/messages:
    Aug 18 21:50:11 ip-172-1-6-5 systemd: Started Time & Date Service.
Solution:
    $ sudo systemctl restart rsyslog.service
Now my failed logins are logged with the correct timestamp, and indeed I do get banned.
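As an added illustration (not code from the post, and not fail2ban's own implementation), here is a small Python model of the findtime window that shows why a syslog clock running two hours behind the system clock leaves every failure uncounted; the simplified regex, the assumed year and the two "now" values are constructed assumptions.

```python
# Added example: a model of how a fail2ban-style filter counts failures
# inside `findtime`, and why lagging log timestamps look "too old".
import re
from collections import defaultdict
from datetime import datetime

FINDTIME = 600   # seconds, as in the jail.local above
MAXRETRY = 3

# Constructed, simplified pattern for the WP fail2ban message in the post
# (not the stock filter.d/wordpress.conf regex).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ wordpress\(\S+\)\[\d+\]: "
    r"Blocked authentication attempt for \S+ from (?P<host>\S+)$"
)

def parse_ts(ts, year):
    # syslog timestamps carry no year; assume the one given
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def offenders(lines, now, year=2015):
    """Hosts that would be banned: MAXRETRY or more failures whose
    timestamps fall within the FINDTIME seconds before `now`.
    A line older than the window is ignored, as fail2ban does."""
    hits = defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        age = (now - parse_ts(m["ts"], year)).total_seconds()
        if age < 0 or age > FINDTIME:   # outside the window: not counted
            continue
        hits[m["host"]] += 1
    return sorted(h for h, n in hits.items() if n >= MAXRETRY)

# Constructed sample: five failures in one second, like the post's excerpt.
SAMPLE = [
    f"Aug 17 10:48:58 ip-172-1-6-5 wordpress(mydomain.com)[{pid}]: "
    "Blocked authentication attempt for mydomain from 217.70.32.9"
    for pid in (29203, 29204, 29796, 29203, 29204)
]
# Clocks in sync: the lines are a few seconds old when fail2ban reads them.
NOW_SYNCED = datetime(2015, 8, 17, 10, 49, 5)
# rsyslog two hours behind the system clock: every line looks 2 h old.
NOW_SKEWED = datetime(2015, 8, 17, 12, 49, 5)

if __name__ == "__main__":
    print(offenders(SAMPLE, NOW_SYNCED))   # ['217.70.32.9']
    print(offenders(SAMPLE, NOW_SKEWED))   # []
```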