thebrandonallen / wp-fail2ban-redux

Records various WordPress events to your server's system log for integration with Fail2Ban.
GNU General Public License v2.0

the fail2ban part itself seems to not work in a wp-mu setup #20

Open lemmy04 opened 3 years ago

lemmy04 commented 3 years ago

I have the wp-fail2ban-redux plugin installed in a multisite WordPress. The logging part works just fine, but fail2ban is not picking up anything...

The only changes I've made on the fail2ban side are to reduce the number of failed attempts to 1 and 3 respectively, and here's a bit from /var/log/messages (yes, I have changed the wordpress.conf file to point at /var/log/messages):

2020-12-24T15:08:07.102643+01:00 nextcloud wp(hanaya.eregion.de)[30520]: Authentication failure for admin from 102.186.99.203
2020-12-24T20:24:36.130203+01:00 nextcloud wp(eregion.de)[32200]: XML-RPC authentication failure from 178.128.68.121

thebrandonallen commented 3 years ago

This could be anything really, but off the top of my head: after adding the config file, did you remember to restart Fail2Ban? This is needed for Fail2Ban to initialize with the new jail config. Also, did you add the filters? If you've added the jail file and the filters, did you add them in the correct location?

You can use something like this to see what jails are loaded: fail2ban-client status.

lemmy04 commented 3 years ago

I have the filters in place, and fail2ban has been restarted any number of times by now, but still the status shows 0 failures and 0 bans for both wordpress-hard and wordpress-soft...

My uneducated guess is the filters, since the status shows 0 fails, but in the log I see them. Could it be the multisite? My logs have lines like this:

2021-01-05T04:47:50.558487+01:00 nextcloud wp(hanaya.eregion.de)[1799]: Authentication failure for admin from 2a02:4780:1:10::b
2021-01-05T04:47:52.002331+01:00 nextcloud wp(hanaya.eregion.de)[2445]: XML-RPC authentication failure from 2a02:4780:1:10::b
2021-01-05T06:00:04.518723+01:00 nextcloud wp(eregion.de)[1784]: Authentication attempt for unknown user [login] from 148.72.211.177
2021-01-05T06:00:05.759153+01:00 nextcloud wp(eregion.de)[1784]: XML-RPC authentication failure from 148.72.211.177
2021-01-05T06:13:44.178659+01:00 nextcloud wp(eregion.de)[1784]: Authentication failure for admin from 2604:2dc0:100:248::8484
2021-01-05T06:13:47.495552+01:00 nextcloud wp(eregion.de)[30991]: XML-RPC authentication failure from 2604:2dc0:100:248::8484
2021-01-05T06:23:31.661182+01:00 nextcloud wp(eregion.de)[16677]: Authentication failure for admin from 2a02:4780:8:a::17
2021-01-05T06:23:32.947043+01:00 nextcloud wp(eregion.de)[12252]: XML-RPC authentication failure from 2a02:4780:8:a::17
2021-01-05T07:08:48.027533+01:00 nextcloud wp(eregion.de)[22170]: Authentication failure for admin from 2001:41d0:800:1548::9696
2021-01-05T07:08:49.328339+01:00 nextcloud wp(eregion.de)[22177]: Authentication attempt for unknown user [login] from 2001:41d0:800:1548::9696
2021-01-05T07:08:49.795048+01:00 nextcloud wp(eregion.de)[22177]: XML-RPC authentication failure from 2001:41d0:800:1548::9696

What I'm wondering about is the wp(blogname)[pid] part; maybe that is breaking the filter?

thebrandonallen commented 3 years ago

The plugin is sending items to the log, and the filters provided in the plugin are generic, so they will work no matter what domain exists in wp(domain). To me, this sounds like an issue with your firewall. Either you don't have a firewall running, so Fail2Ban can't actually ban an IP, or your firewall isn't set up correctly. Once WP Fail2Ban Redux writes to the log, there's no other work for the plugin, which means the issue is at a lower level.

lemmy04 commented 3 years ago

My firewall is up and running, and everything else I do with fail2ban works just fine... I'm using the fail2ban jail that is part of the plugin docs; maybe there is something wrong with the regex or something?

lemmy04 commented 3 years ago

Just a guess: the daemon name in the filters is "wp", but on my WP multisite the daemon name in /var/log/messages is wp(blogname). Could that be the reason why fail2ban doesn't trigger?

thebrandonallen commented 3 years ago

The regex is fine. The log items you're seeing are standard. Below is an example log item from a working Fail2Ban install I manage (using {{}} placeholders for privacy):

Aug  1 08:26:32 {{HOST}} wp({{DOMAIN}})[23052]: Authentication attempt for unknown user test from {{IP_ADDRESS}}

When you run fail2ban-client status, do you see wordpress-hard and wordpress-soft listed?

This is an issue with your setup, but I don't know your setup, so I can only give you things to check. Check that you have all the filters and jail files in the correct locations. Make sure your setup is using the correct backend.

You can play with some regex tests for /var/log/messages by following this guide: https://www.fail2ban.org/wiki/index.php/MANUAL_0_8#Testing
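The open question in this thread is whether the wp(blogname)[pid] syslog tag written on a multisite install can stop a failregex from matching. The script below is an added illustration, not the plugin's shipped filter files or anything from this repository: it builds fail2ban-style failregex lines with an optional "(blogname)" group in the daemon prefix and a simplified expansion of fail2ban's <HOST> tag, then runs them over constructed log lines (documentation-range addresses, not real hosts) in the reporter's format. It demonstrates that such a prefix matches both "wp[pid]:" and "wp(domain)[pid]:" lines, that IPv4 and IPv6 hosts are both captured, and which hosts would reach a given maxretry. The HOST_RE, PREFIX and FAILREGEX values, the jail names reused from the thread, and the sample lines are all assumptions made for this example; the real check against your own installed filters is the fail2ban-regex walkthrough in the guide linked above.

```python
import re
from collections import Counter

# Simplified stand-in for fail2ban's <HOST> tag (assumption: the real expansion also
# accepts hostnames and bracketed IPv6; this covers the IPv4 and plain IPv6 forms
# that appear in the thread's log excerpts).
HOST_RE = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3}|[0-9A-Fa-f:]*:[0-9A-Fa-f:]*)"

# Syslog prefix as written by the reporter's syslog: timestamp, host, then the
# "wp(<blog>)[<pid>]:" tag. The optional group "(?:\([^)]*\))?" makes the multisite
# blog name irrelevant, so "wp[123]:" and "wp(example.org)[123]:" both match.
PREFIX = r"^\S+\s+\S+\s+wp(?:\([^)]*\))?\[\d+\]:\s+"

# Hypothetical failregex sets named after the two jails mentioned in the thread.
# Illustrative only; these are not the plugin's filter files.
FAILREGEX = {
    "wordpress-hard": [
        r"Authentication attempt for unknown user \S+ from <HOST>$",
        r"XML-RPC authentication failure from <HOST>$",
    ],
    "wordpress-soft": [
        r"Authentication failure for \S+ from <HOST>$",
    ],
}


def compile_jail(name):
    """Expand <HOST> and prepend the syslog prefix, as fail2ban does per failregex line."""
    return [re.compile(PREFIX + pat.replace("<HOST>", HOST_RE)) for pat in FAILREGEX[name]]


def scan(lines, name):
    """Return a Counter of offending hosts for one jail, one hit per matching line."""
    regexes = compile_jail(name)
    hits = Counter()
    for line in lines:
        for rx in regexes:
            m = rx.match(line)
            if m:
                hits[m.group("host")] += 1
                break  # first matching failregex wins, like fail2ban
    return hits


def ban_candidates(lines, name, maxretry):
    """Hosts whose hit count reaches maxretry (findtime is ignored in this toy model)."""
    return sorted(h for h, n in scan(lines, name).items() if n >= maxretry)


# Constructed sample lines in the reporter's format; addresses are documentation ranges.
SAMPLE_LOG = [
    "2021-01-05T04:47:50.558487+01:00 nextcloud wp(blog.example.org)[1799]: Authentication failure for admin from 2001:db8::b",
    "2021-01-05T04:47:52.002331+01:00 nextcloud wp(blog.example.org)[2445]: XML-RPC authentication failure from 2001:db8::b",
    "2021-01-05T06:00:04.518723+01:00 nextcloud wp(example.org)[1784]: Authentication attempt for unknown user [login] from 203.0.113.7",
    "2021-01-05T06:00:05.759153+01:00 nextcloud wp(example.org)[1784]: XML-RPC authentication failure from 203.0.113.7",
    "2021-01-05T06:13:44.178659+01:00 nextcloud wp[4242]: Authentication failure for admin from 203.0.113.7",
    "2021-01-05T06:14:00.000000+01:00 nextcloud sshd[999]: Failed password for root from 198.51.100.9 port 22 ssh2",
]

if __name__ == "__main__":
    for jail in FAILREGEX:
        print(jail, dict(scan(SAMPLE_LOG, jail)))
    print("hard bans at maxretry=1:", ban_candidates(SAMPLE_LOG, "wordpress-hard", 1))
    print("soft bans at maxretry=3:", ban_candidates(SAMPLE_LOG, "wordpress-soft", 3))
```

The sshd line is included deliberately: with the jail's logpath pointed at the shared /var/log/messages, the prefix has to be specific enough that unrelated daemons never count against the WordPress jails, which is why it anchors on the "wp" tag rather than only on the message text.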