I have the wp-failtoban-redux plugin installed in a multisite wordpress. The logging part works just fine, but fail2ban is not picking up anything...

the only changes i've made on the fail2ban side is to reduce the number of failed attempts to 1 respective 3, and here's a bit from /var/log/messages (yes I have changed the wordpress.conf file to point at /var/log/messages):

2020-12-24T15:08:07.102643+01:00 nextcloud wp(hanaya.eregion.de)[30520]: Authentication failure for admin from 102.186.99.203
2020-12-24T20:24:36.130203+01:00 nextcloud wp(eregion.de)[32200]: XML-RPC authentication failure from 178.128.68.121

This plugin is a good candidate for a plugin that shouldn't be deactivated, or, at least, easily deactivated by a client messing around with their site.

Support should be added to make it fairly easy to drop the main plugin file, the related includes directory, and 💥. WP Fail2ban Redux is up and running as a must-use plugin.

See https://wordpress.org/support/topic/does-your-plugin-also-work-from-the-mu-plugins-directory/

I noticed fail2ban was not banning entries like:

XML-RPC multicall authentication failure from 1.2.3.4

When I looked at the regex in wordpress-hard.conf, I see:

^%(__prefix_line)sXML-RPC multicall authentication failure <HOST>$

What appears to work for me is:

^%(__prefix_line)sXML-RPC multicall authentication failure from <HOST>$

would be nice to have better WP integration with a settings panel etc

php exec() an call iptables and ban a specific IP address and stuffing the bans into the database seems like a good idea

i'm not (yet) using this plugin, but stumbled onto your repo in researching an issue i just posted for the original wp-fail2ban plugin. quickly looking at your code, i think it should have the same issue, so you might want to take a look at: https://wordpress.org/support/topic/false-positive-on-user-enumeration?replies=1

i'm not sure this is the best solution, but off the top of my head, i think that in the function starting around line 140 in /classes/class-wp-fail2ban-redux.php if you check for logged in users and exempted them from the block it would be an improvement.

WP Fail2Ban Redux 0.4.0
WordPress 4.9.8

With WP Fail2Ban Redux enabled the following warning is logged on every request:
PHP Warning: call_user_func_array() expects parameter 1 to be a valid callback, function '_return_true' not found or invalid function name in www/wordpress/wp-includes/class-wp-hook.php on line 286

https://stackoverflow.com/a/14985633
https://stackoverflow.com/a/38298029
https://core.trac.wordpress.org/ticket/9235#comment:39

I don't see any documentation for enabling the optional filters.

Systemd (long may it and its developer burn in hell) has come along and replaced all the sane and logical system-logging solutions we all used to love and adore. With that now being a fait accompli, we are all suffering as we try and learn how to use the incomprehensible behemoth that is systemd.
It would be nice/convenient/useful to have two options available for the provided wordpress.jail configuration file, one for wise systems that still use syslog-ng/rsyslog/etc, and one for the now more brain-dead systems with systemd. (Yes, I loath systemd with a fiery burning passion)

So far I've been able to adjust the jail config file to recognise the systemd backend, but have not been able to write and test the journalmatch entry to catch the php-generated auth messages from this plugin.

This seems to be a mostly-functional method of re-discovering /var/log/auth.log :

journalctl -q SYSLOG_FACILITY=10 SYSLOG_FACILITY=4

and from my brief poking at it with grep, it looks like we only need facility=4.
I've managed to get this far:
/etc/fail2ban/jail.d/wordpress.conf
backend = systemd
journalmatch = _SYSLOG_FACILITY=4

The provided filters (soft and hard) do catch authentication failures - yay! but I've not yet found a way to wrap this information into something I can properly test with fail2ban-regex. I could just wait and see if these users turn up in the jails, but I'd like a more concrete way of validating the config. The doco for 'fail2ban-regex systemd-journal' is again, abyss-like in its absence.
I'm seeing singular authentication attempts from IP addresses, but not multiple attempts, so they've possibly not met the jailing requirements yet.

I'm hoping that you've been able to install and configure this module within a systemd-disabled system, and thus can share your working configuration files?

what are we supposed to use for systemd systems that dont have/use
logpath = /var/log/auth.log ??

I have tried the following, but it doesnt seem to work..

[wordpress-hard]
enabled = true
filter = wordpress-hard
logpath  = systemd[journalflags=1]
maxretry = 2
port = http,https

[wordpress-soft]
enabled = true
filter = wordpress-soft
logpath  = systemd[journalflags=1]
maxretry = 5
port = http,https

-db

I created a custom plugin with the following add_filter entries:

add_filter( 'wp_fail2ban_redux_block_user_enumeration', '_return_true' );
add_filter( 'wp_fail2ban_redux_log_pingbacks', '_return_true' );
add_filter( 'wp_fail2ban_redux_log_spam_comments', '_return_true' );

And now I'm seeing hundreds of these entries in my debug.log:

[27-Sep-2017 06:07:07 UTC] PHP Warning: call_user_func_array() expects parameter 1 to be a valid callback, function '_return_true' not found or invalid function name in /var/www/mysite.com/wp-includes/class-wp-hook.php on line 298

/var/log/auth.log is empty, ideas? Had the same issue with the original plugin and now your version.

Hello @thebrandonallen

Here are my continuously developed two classes in https://github.com/szepeviktor/waf4wordpress

You may pick some of the 60+ checks.
And I pick some of yours :)

The changelog entry for 0.6.0 is missing. There is no way to tell what the changes are from the WordPress update methods. The previous version required server changes so it would be good to know if this version needs server adjustments or not.

For some reason just hitting the wp-login.php page is triggering the wp_login_failed action. So visiting the page and then having 1 failed login attempt can trigger a jail.

Oct 13 12:24:56 usr wp(wpsite.com)[12345]: Authentication attempt for unknown user  from 1.2.3.4
Oct 13 12:24:56 usr wp(wpsite.com)[12345]: Authentication attempt for unknown user [email protected] from 1.2.3.4
Oct 13 12:24:56 usr wp(wpsite.com)[12345]:  INFO [wordpress-hard] Found 1.2.3.4
Oct 13 12:24:56 usr wp(wpsite.com)[12345]:  NOTICE [wordpress-hard] Ban 1.2.3.4

In cases where wp_login_failed is triggered, but no username exists ( caused when triggered on page load, no form data ) should we let it pass?

public function wp_login_failed( $username ) {
    ...
    if ( empty( $username ) )
        return;
    ...
}

Thoughts?

Great plugin. I was trying to figure out the best way to integrate this into a wordpress site run in docker with fail2ban on the docker host, and while doing so have been looking at your code as well as the documentation. I came across this and I am not sure if I just don't understand php enough (totally possible) or it is a misspelling.

You reference $indent and I think it should be $ident as stated in the reference URL you provide https://secure.php.net/manual/en/function.openlog.php - note that if changed, the wiki documentation should be updated as well.

		/**
		 * Filters the $indent parameter, which will be the `[DAEMON]`
		 * portion of the example in the class PHPDoc, and will be passed to
		 * `openlog()`.
		 *
		 * @see https://secure.php.net/manual/function.openlog.php
		 *
		 * @since 0.1.0
		 *
		 * @param string $indent The syslog tag.
		 * @param string $action The logging action.
		 */
		$indent = apply_filters( 'wp_fail2ban_redux_openlog_indent', "wp({$_SERVER['HTTP_HOST']})", $action );

Nginx Reverse Proxy fail2ban shows the offender as coming from the reverse proxy, definitely don't want to ban your reverse proxy and cut off ALL traffic to your site.

I have all my headers in place on the reverse proxy:

# example HTTPS
server {
    listen 443 ssl http2;
    server_name www.example.com example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    root /var/www/example/;
    index index.html;
    location / {
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Host $host:$server_port;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_pass http://10.18.20.2:44777;
    }
}

The solution that the other fail2ban package uses is working for me. I did originally try yours first.

This one allows you to define the IP of your proxy, and if defined it will use the X-Forwarded-For header:
https://docs.wp-fail2ban.com/en/4.2/defines/constants/WP_FAIL2BAN_PROXIES.html#wp-fail2ban-proxies

I was able to see in your code, that you say I just need to configure wp-config.php, I am wondering which values you think would actually solve this issue and be able to use your plugin behind a reverse proxy.

In my wp-config.php I have added these lines:

$_SERVER['HTTPS'] = 'on';
$_SERVER['HTTP_HOST'] = 'www.example.com';
define('WP_HOME','https://www.example.com');
define('WP_SITEURL','https://www.example.com');
define('WP_FAIL2BAN_PROXIES','10.18.10.1');

section of your code:

/**
 * Returns the remote IP address of the current visitor.
 *
 * We use `REMOTE_ADDR` here directly. If you are behind a proxy, you
 * should ensure that it is properly set, such as in wp-config.php, for
 * your environment.
 *
 * @see https://core.trac.wordpress.org/ticket/9235
 *
 * @since 0.1.0
 *
 * @return string The remote IP address.
 */
private static function get_remote_ip() {
  if ( empty( self::$ip ) ) {
    self::$ip = preg_replace( '/[^0-9a-fA-F:., ]/', '', $_SERVER['REMOTE_ADDR'] );
  }
  return self::$ip;
}

I’m seeing that I get bans on failed attempts to login with a username that doesn’t exist on a site. However, when failed attempts are made with a real username of the site, I’m not seeing any bans happen, which leads to people/bots to try to login as many times as they want. I’m using the latest version with wordpress-hard.conf. Any ideas? Thanks!

Running Fail2Ban version 0.11.1 on Ubuntu 20.04