WP fail2ban - Version 2.1.0

Version Description

  • Add support for blocking user enumeration; see WP_FAIL2BAN_BLOCK_USER_ENUMERATION.
  • Add support for CIDR notation in WP_FAIL2BAN_PROXIES.

Release Info

Developer invisnet
Version 2.1.0

Code changes from version 2.0.0 to 2.1.0

Files changed (3)
  1. readme.txt +25 -4
  2. wordpress.conf +1 -0
  3. wp-fail2ban.php +30 -11
readme.txt CHANGED
@@ -5,7 +5,7 @@ Plugin URI: https://charles.lecklider.org/wordpress/wp-fail2ban/
5
  Tags: fail2ban, security, syslog, login
6
  Requires at least: 3.4.0
7
  Tested up to: 3.6
8
- Stable tag: 2.0.0
9
  License: GPLv2 or later
10
  License URI: http://www.gnu.org/licenses/gpl-2.0.html
11
 
@@ -38,10 +38,18 @@ Requires PHP 5.3 or later.
38
 
39
  1. Reload or restart `fail2ban`
40
 
41
- You may want to set WP_FAIL2BAN_PROXIES and/or WP_FAIL2BAN_BLOCKED_USERS; see the FAQ for details.
42
 
43
  == Frequently Asked Questions ==
44
 
 
 
 
 
 
 
 
 
45
  = WP_FAIL2BAN_PROXIES - what's it all about? =
46
 
47
  The idea here is to list the IP addresses of the trusted proxies that will appear as the remote IP for the request. When defined:
@@ -52,9 +60,9 @@ The idea here is to list the IP addresses of the trusted proxies that will appea
52
 
53
  To set `WP_FAIL2BAN_PROXIES`, add something like the following to `wp-config.php`:
54
 
55
- define('WP_FAIL2BAN_PROXIES','192.168.0.42,192.168.0.43');
56
 
57
- *WPf2b* doesn't do anything clever with the list so don't add whitespace or CIDR notations.
58
 
59
  = WP_FAIL2BAN_BLOCKED_USERS - what's it all about? =
60
 
@@ -80,6 +88,13 @@ to the `[wordpress]` section in `jail.local`.
80
 
81
  == Changelog ==
82
 
 
 
 
 
 
 
 
83
  = 2.0.0 =
84
  * Add *experimental* support for X-Forwarded-For header; see `WP_FAIL2BAN_PROXIES`
85
  * Add *experimental* support for regex-based login blocking; see `WP_FAIL2BAN_BLOCKED_USERS`
@@ -98,5 +113,11 @@ to the `[wordpress]` section in `jail.local`.
98
 
99
  == Upgrade Notice ==
100
 
 
 
 
 
 
 
101
  = 2.0.0 =
102
  This is an experimental release. If your current version is working and you're not interested in the new features, skip this version - wait for 2.1.0. For those that do want to test this release, note that `wordpress.conf` has changed - you'll need to copy it to `fail2ban/filters.d` again.
5
  Tags: fail2ban, security, syslog, login
6
  Requires at least: 3.4.0
7
  Tested up to: 3.6
8
+ Stable tag: 2.1.0
9
  License: GPLv2 or later
10
  License URI: http://www.gnu.org/licenses/gpl-2.0.html
11
 
38
 
39
  1. Reload or restart `fail2ban`
40
 
41
+ You may want to set WP_FAIL2BAN_BLOCK_USER_ENUMERATION, WP_FAIL2BAN_PROXIES and/or WP_FAIL2BAN_BLOCKED_USERS; see the FAQ for details.
42
 
43
  == Frequently Asked Questions ==
44
 
45
+ = WP_FAIL2BAN_BLOCK_USER_ENUMERATION - what's it all about? =
46
+
47
+ Brute-forcing WP requires knowing a valid username. Unfortunately, WP makes this all but trivial.
48
+
49
+ Based on a suggestion from *geeklol* and a plugin by *ROIBOT*, *WPf2b* can now block user enumeration attempts. Just add the following to `wp-config.php`:
50
+
51
+ define('WP_FAIL2BAN_BLOCK_USER_ENUMERATION',true);
52
+
53
  = WP_FAIL2BAN_PROXIES - what's it all about? =
54
 
55
  The idea here is to list the IP addresses of the trusted proxies that will appear as the remote IP for the request. When defined:
60
 
61
  To set `WP_FAIL2BAN_PROXIES`, add something like the following to `wp-config.php`:
62
 
63
+ define('WP_FAIL2BAN_PROXIES','192.168.0.42,192.168.42.0/24');
64
 
65
+ *WPf2b* doesn't do anything clever with the list - beware of typos!
66
 
67
  = WP_FAIL2BAN_BLOCKED_USERS - what's it all about? =
68
 
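Review bot: "*WPf2b* doesn't do anything clever with the list - beware of typos!" leaves the accepted format of `WP_FAIL2BAN_PROXIES` undocumented; this FAQ entry should state it: a comma-separated list with no whitespace, each entry either a single IPv4 address or an IPv4 network in `a.b.c.d/n` form, IPv4 only (the matching code in wp-fail2ban.php uses ip2long(), which returns false for IPv6), and that a mistyped or unsupported entry silently fails to match rather than raising an error.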
88
 
89
  == Changelog ==
90
 
91
+ = 2.1.0 =
92
+ * Add support for blocking user enumeration; see `WP_FAIL2BAN_BLOCK_USER_ENUMERATION`
93
+ * Add support for CIDR notation in `WP_FAIL2BAN_PROXIES`.
94
+
95
+ = 2.0.1 =
96
+ * Bugfix in *experimental* `WP_FAIL2BAN_PROXIES` code.
97
+
98
  = 2.0.0 =
99
  * Add *experimental* support for X-Forwarded-For header; see `WP_FAIL2BAN_PROXIES`
100
  * Add *experimental* support for regex-based login blocking; see `WP_FAIL2BAN_BLOCKED_USERS`
113
 
114
  == Upgrade Notice ==
115
 
116
+ = 2.1.0 =
117
+ The `wordpress.conf` filter has been updated; you will need to update your `fail2ban` configuration.
118
+
119
+ = 2.0.1 =
120
+ Bugfix in experimental code; still an experimental release.
121
+
122
  = 2.0.0 =
123
  This is an experimental release. If your current version is working and you're not interested in the new features, skip this version - wait for 2.1.0. For those that do want to test this release, note that `wordpress.conf` has changed - you'll need to copy it to `fail2ban/filters.d` again.
wordpress.conf CHANGED
@@ -23,6 +23,7 @@ _daemon = wordpress
23
  #
24
  failregex = ^%(__prefix_line)sAuthentication failure for .* from <HOST>$
25
  ^%(__prefix_line)sBlocked authentication attempt for .* from <HOST>$
 
26
 
27
  # Option: ignoreregex
28
  # Notes.: regex to ignore. If this regex matches, the line is ignored.
23
  #
24
  failregex = ^%(__prefix_line)sAuthentication failure for .* from <HOST>$
25
  ^%(__prefix_line)sBlocked authentication attempt for .* from <HOST>$
26
+ ^%(__prefix_line)sBlocked user enumeration attempt from <HOST>$
27
 
28
  # Option: ignoreregex
29
  # Notes.: regex to ignore. If this regex matches, the line is ignored.
wp-fail2ban.php CHANGED
@@ -3,7 +3,7 @@
3
  Plugin Name: WP fail2ban
4
  Plugin URI: https://charles.lecklider.org/wordpress/wp-fail2ban/
5
  Description: Write all login attempts to syslog for integration with fail2ban.
6
- Version: 2.0.0
7
  Author: Charles Lecklider
8
  Author URI: https://charles.lecklider.org/
9
  License: GPL2
@@ -44,21 +44,27 @@ function bail()
44
 
45
  function remote_addr()
46
  {
47
- $ip = $_SERVER['REMOTE_ADDR'];
48
-
49
  if (defined('WP_FAIL2BAN_PROXIES')) {
50
- if (array_key_exists($_SERVER,'HTTP_X_FORWARDED_FOR')) {
51
- if (in_array($ip, explode(',',WP_FAIL2BAN_PROXIES) )) {
52
- $ip = (false===($len = strpos($_SERVER['HTTP_X_FORWARDED_FOR'],',')))
53
- ? $_SERVER['HTTP_X_FORWARDED_FOR']
54
- : substr($_SERVER['HTTP_X_FORWARDED_FOR'],0,$len);
55
- } else {
56
- bail();
 
 
 
 
 
 
 
 
57
  }
58
  }
59
  }
60
 
61
- return $ip;
62
  }
63
 
64
  if (defined('WP_FAIL2BAN_BLOCKED_USERS')) {
@@ -74,6 +80,19 @@ if (defined('WP_FAIL2BAN_BLOCKED_USERS')) {
74
  return $user;
75
  },1,3);
76
  }
 
 
 
 
 
 
 
 
 
 
 
 
 
77
  add_action( 'wp_login',
78
  function($user_login, $user)
79
  {
3
  Plugin Name: WP fail2ban
4
  Plugin URI: https://charles.lecklider.org/wordpress/wp-fail2ban/
5
  Description: Write all login attempts to syslog for integration with fail2ban.
6
+ Version: 2.1.0
7
  Author: Charles Lecklider
8
  Author URI: https://charles.lecklider.org/
9
  License: GPL2
44
 
45
  function remote_addr()
46
  {
 
 
47
  if (defined('WP_FAIL2BAN_PROXIES')) {
48
+ if (array_key_exists('HTTP_X_FORWARDED_FOR',$_SERVER)) {
49
+ $ip = ip2long($_SERVER['REMOTE_ADDR']);
50
+ foreach(explode(',',WP_FAIL2BAN_PROXIES) as $proxy) {
51
+ if (2 == count($cidr = explode('/',$proxy))) {
52
+ $net = ip2long($cidr[0]);
53
+ $mask = ~ ( (2 ^ (32 - $cidr[1])) - 1 );
54
+ } else {
55
+ $net = ip2long($proxy);
56
+ $mask = -1;
57
+ }
58
+ if ($net == $ip & $mask) {
59
+ return (false===($len = strpos($_SERVER['HTTP_X_FORWARDED_FOR'],',')))
60
+ ? $_SERVER['HTTP_X_FORWARDED_FOR']
61
+ : substr($_SERVER['HTTP_X_FORWARDED_FOR'],0,$len);
62
+ }
63
  }
64
  }
65
  }
66
 
67
+ return $_SERVER['REMOTE_ADDR'];
68
  }
69
 
70
  if (defined('WP_FAIL2BAN_BLOCKED_USERS')) {
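Review bot: both the CIDR mask and the match test in remote_addr() are wrong, so the new CIDR support never matches. In `$mask = ~ ( (2 ^ (32 - $cidr[1])) - 1 );` the `^` is PHP's bitwise XOR, not exponentiation (for `/24` it yields `2 ^ 8 = 10`, not 256); use `$mask = -1 << (32 - $cidr[1]);` instead. In `if ($net == $ip & $mask) {` PHP's `==` binds tighter than `&`, so the line is parsed as `($net == $ip) & $mask`; write `if ($net == ($ip & $mask)) {`. As committed, a request through a proxy listed in CIDR form falls through to `return $_SERVER['REMOTE_ADDR'];`, i.e. the proxy's own address, so repeated failures relayed by that proxy would get the proxy itself banned. Two further points on this hunk: the X-Forwarded-For value is returned verbatim (up to the first comma) and ends up in the syslog line that the `<HOST>` regex parses, so validate it with `filter_var($xff, FILTER_VALIDATE_IP)` and fall back to REMOTE_ADDR (or bail()) when it is not a plain address; and the old `bail()` for a request carrying X-Forwarded-For from an address not in the list has been dropped, which is a behaviour change that deserves a changelog entry.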
80
  return $user;
81
  },1,3);
82
  }
83
+ if (defined('WP_FAIL2BAN_BLOCK_USER_ENUMERATION')) {
84
+ add_filter( 'redirect_canonical',
85
+ function($redirect_url, $requested_url)
86
+ {
87
+ if (intval(@$_GET['author'])) {
88
+ openlog();
89
+ \syslog(LOG_NOTICE,'Blocked user enumeration attempt from '.remote_addr());
90
+ bail();
91
+ }
92
+
93
+ return $redirect_url;
94
+ },10,2);
95
+ }
96
  add_action( 'wp_login',
97
  function($user_login, $user)
98
  {
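Review bot: the readme FAQ for WP_FAIL2BAN_BLOCK_USER_ENUMERATION should say what this hunk actually blocks: the check hooks `redirect_canonical` and only fires when the request carries a non-zero `author` query parameter, i.e. the `?author=N` redirect to the author archive, whereas "can now block user enumeration attempts" reads as broader than that. `intval(@$_GET['author'])` also leans on `@` to silence the undefined-index notice; `isset($_GET['author']) && intval($_GET['author'])` expresses the same test without suppressing errors. The logged message matches the new `failregex` line in wordpress.conf exactly, which is what fail2ban needs, and the 2.1.0 upgrade notice covers redeploying the filter.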