WP fail2ban - Version 3.0.1

Version Description

  • Fix regex in wordpress-hard.conf

Release Info

Developer invisnet
Version 3.0.1

Code changes from version 3.0.0 to 3.0.1

Files changed (3)
  1. readme.txt +34 -5
  2. wordpress-hard.conf +1 -1
  3. wp-fail2ban.php +7 -8
readme.txt CHANGED
@@ -5,7 +5,7 @@ Plugin URI: https://charles.lecklider.org/wordpress/wp-fail2ban/
5
  Tags: fail2ban, login, security, syslog
6
  Requires at least: 3.4.0
7
  Tested up to: 4.4.2
8
- Stable tag: 3.0.0
9
  License: GPLv2 or later
10
  License URI: http://www.gnu.org/licenses/gpl-2.0.html
11
 
@@ -32,7 +32,7 @@ Requires PHP 5.3 or later.
32
 
33
  **Pingbacks**
34
 
35
- *WPf2b* can log all pingbacks. See `WP_FAIL2BAN_LOG_PINGBACKS` in the FAQ.
36
 
37
  **WP_FAIL2BAN_BLOCK_USER_ENUMERATION**
38
 
@@ -52,13 +52,20 @@ Requires PHP 5.3 or later.
52
 
53
  1. Upload the plugin to your plugins directory
54
  1. Activate the plugin through the 'Plugins' menu in WordPress
55
- 1. Copy `wordpress.conf` to your `fail2ban/filters.d` directory
56
  1. Edit `jail.local` to include something like:
57
  ~~~
58
- [wordpress]
59
  enabled = true
60
- filter = wordpress
61
  logpath = /var/log/auth.log
 
 
 
 
 
 
 
62
  ~~~
63
  5. Reload or restart `fail2ban`
64
 
@@ -66,6 +73,22 @@ You may want to set `WP_FAIL2BAN_BLOCK_USER_ENUMERATION`, `WP_FAIL2BAN_PROXIES`
66
 
67
  == Frequently Asked Questions ==
68
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
69
  = WP_FAIL2BAN_SYSLOG_SHORT_TAG – what’s it for? =
70
 
71
  Some flavours of Linux come with a `syslogd` that can't cope with the normal message format *WPf2b* uses; basically, they assume that the first part of the message (the tag) won't exceed some (small) number of characters, and mangle the message if it does. This breaks the regex in the *fail2ban* filter and so nothing gets blocked.
@@ -138,6 +161,9 @@ to the `[wordpress]` section in `jail.local`.
138
 
139
  == Changelog ==
140
 
 
 
 
141
  = 3.0.0 =
142
  * Add `WP_FAIL2BAN_SYSLOG_SHORT_TAG`.
143
  * Add `WP_FAIL2BAN_HTTP_HOST`.
@@ -186,6 +212,9 @@ to the `[wordpress]` section in `jail.local`.
186
 
187
  == Upgrade Notice ==
188
 
 
 
 
189
  = 2.3.0 =
190
  Fix for `WP_FAIL2BAN_PROXIES`; if you're not using it you can safely skip this release.
191
 
5
  Tags: fail2ban, login, security, syslog
6
  Requires at least: 3.4.0
7
  Tested up to: 4.4.2
8
+ Stable tag: 3.0.1
9
  License: GPLv2 or later
10
  License URI: http://www.gnu.org/licenses/gpl-2.0.html
11
 
32
 
33
  **Pingbacks**
34
 
35
+ *WPf2b* logs failed pingbacks, and can log all pingbacks. See `WP_FAIL2BAN_LOG_PINGBACKS` in the FAQ.
36
 
37
  **WP_FAIL2BAN_BLOCK_USER_ENUMERATION**
38
 
52
 
53
  1. Upload the plugin to your plugins directory
54
  1. Activate the plugin through the 'Plugins' menu in WordPress
55
+ 1. Copy `wordpress-hard.conf` and `wordpress-soft.conf` to your `fail2ban/filters.d` directory
56
  1. Edit `jail.local` to include something like:
57
  ~~~
58
+ [wordpress-hard]
59
  enabled = true
60
+ filter = wordpress-hard
61
  logpath = /var/log/auth.log
62
+ maxretry = 1
63
+
64
+ [wordpress-soft]
65
+ enabled = true
66
+ filter = wordpress-soft
67
+ logpath = /var/log/auth.log
68
+ maxretry = 3
69
  ~~~
70
  5. Reload or restart `fail2ban`
71
 
73
 
74
  == Frequently Asked Questions ==
75
 
76
+ = wordpress-hard.conf vs wordpress-soft.conf =
77
+
78
+ There are some things that are almost always malicious, e.g. blocked users and pingbacks with errors. `wordpress-hard.conf` is designed to catch these so that you can ban the IP immediately.
79
+
80
+ Other things are relatively benign, like a failed login. You can't let people try forever, but banning the IP immediately would be wrong too. `wordpress-soft.conf` is designed to catch these so that you can set a higher retry limit before banning the IP.
81
+
82
+ For the avoidance of doubt: you should be using *both* filters.
83
+
84
+ = WP_FAIL2BAN_HTTP_HOST – what’s it for? =
85
+
86
+ This is for some flavours of Linux where `WP_FAIL2BAN_SYSLOG_SHORT_TAG` isn't enough.
87
+
88
+ If you configure your web server to set an environment variable named `WP_FAIL2BAN_SYSLOG_SHORT_TAG` on a per-virtual host basis, *WPf2b* will use that in the syslog tag. This allows you to configure a unique tag per site in a way that makes sense for your configuration, rather than some arbitrary truncation or hashing within the plugin.
89
+
90
+ **NB:** This feature has not been tested as extensively as others. While I'm confident it works, FreeBSD doesn't have this problem so this feature will always be second-tier.
91
+
92
  = WP_FAIL2BAN_SYSLOG_SHORT_TAG – what’s it for? =
93
 
94
  Some flavours of Linux come with a `syslogd` that can't cope with the normal message format *WPf2b* uses; basically, they assume that the first part of the message (the tag) won't exceed some (small) number of characters, and mangle the message if it does. This breaks the regex in the *fail2ban* filter and so nothing gets blocked.
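Review bot: The new `WP_FAIL2BAN_HTTP_HOST` FAQ entry (added line 88) tells the reader to set an environment variable named `WP_FAIL2BAN_SYSLOG_SHORT_TAG`, which is the name of the other option rather than the one this entry documents. If the variable the plugin reads is `WP_FAIL2BAN_HTTP_HOST`, name it here; as written, an admin following the text could set the wrong variable and keep the tag problem that, per the next FAQ entry, breaks the filter regex so nothing gets blocked. A one-line web server example for setting the variable per virtual host would also help.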
161
 
162
  == Changelog ==
163
 
164
+ = 3.0.1 =
165
+ * Fix regex in `wordpress-hard.conf`
166
+
167
  = 3.0.0 =
168
  * Add `WP_FAIL2BAN_SYSLOG_SHORT_TAG`.
169
  * Add `WP_FAIL2BAN_HTTP_HOST`.
212
 
213
  == Upgrade Notice ==
214
 
215
+ = 3.0.0 =
216
+ BREAKING CHANGE: The `fail2ban` filters have been split into two files. You will need up update your `fail2ban` configuration.
217
+
218
  = 2.3.0 =
219
  Fix for `WP_FAIL2BAN_PROXIES`; if you're not using it you can safely skip this release.
220
 
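Review bot: The Upgrade Notice gains a `= 3.0.0 =` entry but nothing for 3.0.1, although this release changes `wordpress-hard.conf`, a file the installation steps have the admin copy by hand into `fail2ban/filters.d`. Updating the plugin will not refresh that copy, so add a `= 3.0.1 =` notice telling users to re-copy `wordpress-hard.conf` and reload `fail2ban`. In the added 3.0.0 line, "You will need up update" should read "You will need to update".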
wordpress-hard.conf CHANGED
@@ -21,7 +21,7 @@ _daemon = (?:wordpress|wp)
21
  # (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
22
  # Values: TEXT
23
  #
24
- failregex = ^%(__prefix_line)sAuthentication attempt for unknown user from <HOST>$
25
  ^%(__prefix_line)sBlocked authentication attempt for .* from <HOST>$
26
  ^%(__prefix_line)sBlocked user enumeration attempt from <HOST>$
27
  ^%(__prefix_line)sPingback error .* generated from <HOST>$
21
  # (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
22
  # Values: TEXT
23
  #
24
+ failregex = ^%(__prefix_line)sAuthentication attempt for unknown user .* from <HOST>$
25
  ^%(__prefix_line)sBlocked authentication attempt for .* from <HOST>$
26
  ^%(__prefix_line)sBlocked user enumeration attempt from <HOST>$
27
  ^%(__prefix_line)sPingback error .* generated from <HOST>$
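Review bot: On the changed `failregex` line 24, the added ` .* ` matches whatever text sits between "unknown user" and "from", and that text is presumably the remotely supplied username. The trailing `<HOST>$` anchor is what keeps the captured address tied to the end of the line, so it must stay. A comment in the filter with a sample log line for this pattern would let the match be checked with `fail2ban-regex` and would document what 3.0.0 failed to match. The plugin-side log call that produces this message is not in the diff, so the new pattern cannot be checked against it here.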
wp-fail2ban.php CHANGED
@@ -3,16 +3,16 @@
3
  * Plugin Name: WP fail2ban
4
  * Plugin URI: https://charles.lecklider.org/wordpress/wp-fail2ban/
5
  * Description: Write all login attempts to syslog for integration with fail2ban.
6
- * Text Domain: wp-fail2ban
7
- * Version: 3.0.0
8
- * Author: Charles Lecklider
9
- * Author URI: https://charles.lecklider.org/
10
- * License: GPL2
11
  * SPDX-License-Identifier: GPL-2.0
12
  */
13
 
14
  /**
15
- * Copyright 2012-16 Charles Lecklider (email : wordpress@charles.lecklider.org)
16
  *
17
  * This program is free software; you can redistribute it and/or modify
18
  * it under the terms of the GNU General Public License, version 2, as
@@ -161,10 +161,9 @@ if (!defined('WP_FAIL2BAN')) {
161
  add_filter( 'xmlrpc_pingback_error',
162
  function($ixr_error)
163
  {
164
- if ( $ixr_error->code === 48 )
165
  return $ixr_error;
166
  openlog();
167
  \syslog(LOG_NOTICE,'Pingback error '.$ixr_error->code.' generated from '.remote_addr());
168
  },5);
169
  }
170
-
3
  * Plugin Name: WP fail2ban
4
  * Plugin URI: https://charles.lecklider.org/wordpress/wp-fail2ban/
5
  * Description: Write all login attempts to syslog for integration with fail2ban.
6
+ * Text Domain: wp-fail2ban
7
+ * Version: 3.0.1
8
+ * Author: Charles Lecklider
9
+ * Author URI: https://charles.lecklider.org/
10
+ * License: GPL2
11
  * SPDX-License-Identifier: GPL-2.0
12
  */
13
 
14
  /**
15
+ * Copyright 2012-15 Charles Lecklider (email : wordpress@charles.lecklider.org)
16
  *
17
  * This program is free software; you can redistribute it and/or modify
18
  * it under the terms of the GNU General Public License, version 2, as
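Review bot: The copyright line 15 goes from `2012-16` to `2012-15`, which moves the year range backwards and looks like an unintended revert. Lines 6 and 8 to 10 (`Text Domain`, `Author`, `Author URI`, `License`) are marked as changed with no visible difference, so they are probably whitespace-only edits; keeping those out would leave the `Version: 3.0.1` bump as the only header change.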
161
  add_filter( 'xmlrpc_pingback_error',
162
  function($ixr_error)
163
  {
164
+ if (48 === $ixr_error->code)
165
  return $ixr_error;
166
  openlog();
167
  \syslog(LOG_NOTICE,'Pingback error '.$ixr_error->code.' generated from '.remote_addr());
168
  },5);
169
  }
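Review bot: In the `xmlrpc_pingback_error` callback, only the `48 === $ixr_error->code` branch returns `$ixr_error`; in the lines shown, the path that calls `\syslog(...)` falls off the end of the closure without a return. A filter callback's return value replaces the filtered value, so add `return $ixr_error;` after the `\syslog` call. The operand swap on line 164 does not change behaviour. A short comment saying what error code 48 means and why it is skipped would also help, since every logged "Pingback error" line is matched by `wordpress-hard.conf`, which the readme pairs with `maxretry = 1`.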