
Resolved fail2ban and Magento

kojot

Regular Pleskian
Hi,
I searched whether someone had written about this here on the forum, but I did not find anything.

I found a Magento guide on how to set it up, and I did it.
I mistyped the password 5 times, but was not banned.

This is the jail
Code:
[magento]
enabled = true
filter = magento
action = iptables-allports[chain="INPUT", name="default", port="ssh", protocol="tcp", blocktype="REJECT --reject-with icmp-port-unreachable"]
         # second action: continuation lines of a multi-line value must be indented
         sendmail[dest="ceman@gmail.com", sender="fail2ban", sendername="Fail2Ban", name="default"]
logpath = /var/www/vhosts/*/logs/access_*log
maxretry = 2

and this is the filter
Code:
[Definition]
# Use this for "soft" bad behaviour, as the source will only be banned after multiple retries.
failregex = ^<HOST> .+"POST \S+(/downloader/|/downloader/index.php\?A=loggedin|/admin/index/|/admin/)\s
ignoreregex =

I also tried with
Code:
[Definition]
# Use this for "soft" bad behaviour, as the source will only be banned after multiple retries.
failregex = ^<HOST> .+"POST \S+wp-login.php
            ^<HOST> .+"(POST|GET) \S+/etc/passwd
            ^<HOST> .+"POST \S+(/downloader/|/downloader/index.php\?A=loggedin|/admin/index/|/admin/)\s
ignoreregex =

and I appended something similar to the WP jail, just like this, because I found it in the access logs
Code:
^<HOST> .* "POST .*/admin HTTP/.*" 200
but again without success.

In the fail2ban logs, I see that fail2ban added those logs that I need, and I saw that fail2ban was restarted, but I was not banned.
 
Hi,
again I'm speaking with myself :).

I fixed it, but for now I don't know how.
I just edited two things.

I added 2 more log file paths, so the jail is now
Code:
[magento]
enabled = true
filter = magento
action = iptables-allports[chain="INPUT", name="default", port="ssh", protocol="tcp", blocktype="REJECT --reject-with icmp-port-unreachable"]
         # second action: continuation lines of a multi-line value must be indented
         sendmail[dest="ceman@gmail.com", sender="fail2ban", sendername="Fail2Ban", name="default"]
logpath = /var/www/vhosts/*/logs/access_*log
          /var/www/vhosts/system/*/logs/*access*log
          /var/log/apache2/*access.log
maxretry = 3

And I edited the filter.
Now it is
Code:
[Definition]
failregex = ^<HOST> .+"POST \S+wp-login.php
    ^<HOST> .+"(POST|GET) \S+/etc/passwd
    ^<HOST> .+"POST \S+(/downloader/|/downloader/index.php\?A=loggedin|/admin/index/|/admin/)\s
    ^<HOST>.* "POST .*/admin HTTP/.*" 200
ignoreregex =

I edited that third filter line and deleted the space between HOST and ".". I don't know if it works now because of that, because I could not test.
After every fail2ban change, I was too impatient to wait 20 minutes, and tried to test the login. And I was able to mistype the password 10 times without a ban.
And after 20 minutes, when fail2ban had read the logs, it banned that IP.
Maybe because one of our sites has, from this morning until now, more than 250000 records. It needs time to read it...

So, now it works. Later if I find time, I'll try to delete paths, and edit filter, just to see if it still works.
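To see which of the failregex lines in the final filter actually fire on a given access-log line, here is an added Python check (not from the thread and not fail2ban's own code) that expands <HOST> and counts matches per client the way a maxretry threshold would. The log lines and addresses are constructed samples, and the <HOST> expansion and timestamp handling are simplified assumptions.

```python
import re
from collections import defaultdict

# failregex lines from the final filter in the thread (fail2ban syntax, <HOST> placeholder)
FAILREGEX = [
    r'^<HOST> .+"POST \S+wp-login.php',
    r'^<HOST> .+"(POST|GET) \S+/etc/passwd',
    r'^<HOST> .+"POST \S+(/downloader/|/downloader/index.php\?A=loggedin|/admin/index/|/admin/)\s',
    r'^<HOST>.* "POST .*/admin HTTP/.*" 200',
]

# Stand-in for fail2ban's <HOST> expansion (assumption: IPv4 address or hostname, no IPv6 prefix)
HOST_RE = r'(?P<host>[\w\-.^_]*\w)'


def compile_failregex(patterns=FAILREGEX):
    return [re.compile(p.replace('<HOST>', HOST_RE)) for p in patterns]


def count_failures(log_lines, patterns=FAILREGEX):
    """Return {host: failures}; a line counts once, at the first pattern that matches.
    Simplification: real fail2ban removes the timestamp before matching; these
    patterns tolerate that because their .+ / .* span that part of the line."""
    compiled = compile_failregex(patterns)
    hits = defaultdict(int)
    for line in log_lines:
        for rx in compiled:
            m = rx.match(line)
            if m:
                hits[m.group('host')] += 1
                break
    return dict(hits)


def hosts_to_ban(hits, maxretry):
    """Hosts whose failure count reached maxretry (findtime window ignored for brevity)."""
    return sorted(h for h, n in hits.items() if n >= maxretry)


# Constructed Apache access-log lines, not from the thread (TEST-NET addresses)
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jun/2014:09:01:02 +0000] "POST /index.php/admin/ HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Jun/2014:09:01:07 +0000] "POST /admin HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Jun/2014:09:01:11 +0000] "POST /admin/ HTTP/1.1" 200 512',  # matches no line
    '203.0.113.5 - - [10/Jun/2014:09:01:15 +0000] "POST /magento/downloader/ HTTP/1.1" 200 512',
    '198.51.100.9 - - [10/Jun/2014:09:02:00 +0000] "GET /admin/ HTTP/1.1" 200 4096',
    '192.0.2.77 - - [10/Jun/2014:09:03:00 +0000] "GET /../../etc/passwd HTTP/1.1" 404 300',
]

if __name__ == '__main__':
    hits = count_failures(SAMPLE_LOG)
    print(hits)                    # {'203.0.113.5': 3, '192.0.2.77': 1}
    print(hosts_to_ban(hits, 3))   # ['203.0.113.5']
```

Note that the third sample line, a POST to "/admin/" with nothing before it, is caught by neither the third pattern (whose `\S+` needs at least one character before `/admin/`) nor the fourth (which expects `/admin HTTP/`); running the same lines through `fail2ban-regex` against the real filter file is the authoritative check.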
 