Extension talk:Fail2banlog

=Typo in filter.=
The mediawiki filter in /etc/fail2ban/filter.d, regex has a typo in it

Authuntification error .* should read Authentication error

so fail2ban can get the correct regex and ban the IP


 * Thanks, the translation from French was quick --LaurentChouraki 07:25, 24 May 2008 (UTC)

=Whitelisting IPs=
How could I roll back a banned IP? Is there a whitelist of IP addresses I can create while configuring this plugin on my wiki?

-Thanks 68.175.25.58 18:02, 6 June 2008 (UTC)
 * You can configure it in Fail2Ban (whitelist). Fail2ban adds rules to your firewall; you can remove the rules using your firewall administration software (depending on your firewall).
 * --LaurentChouraki 20:11, 6 June 2008 (UTC)

=Log bad user name too?=
The extension works well to log the case when a valid username with an invalid password is entered. Could it be expanded to also log the case where an invalid username is entered? That would allow fail2ban to prevent a brute-force attack to determine valid usernames.


 * Not as easy as it looks. The hook is only invoked for known users. If you need more security, you may use one of the many external authentication methods supported by MediaWiki.
 * --LaurentChouraki 21:47, 12 February 2009 (UTC)

=file name=
My fail2ban only accepts this solution if the file is called mediawiki.conf and not just "mediawiki" as proposed in the text. Anybody else observe that? Greetings --Hannes Röst 15:24, 22 July 2010 (UTC)

I checked my config... it has the .conf, I will correct the extension page. Laurent.

=What is blocked?=
The opening paragraph says:

"... so you can block bruteforce attacks at the firewall level."

The intro is a little light on details. What exactly is blocked and when?

Will the extension help with:

 # cat /var/log/httpd24/access_log | grep -E 'Penis|Health|Diet|Fat|Muscle'
 ...
 185.145.38.219 - - [19/Apr/2020:10:38:05 -0400] "GET /w/index.php?title=Special:CreateAccount&returnto=Weight+Loss+And+Exercise+-+Can+You+Lose+Muscles+Tissue HTTP/1.1" 200 3268
 185.145.38.219 - - [19/Apr/2020:10:38:07 -0400] "GET /w/index.php?title=Special:UserLogin&returnto=Weight+Loss+And+Exercise+-+Can+You+Lose+Muscles+Tissue HTTP/1.1" 200 3879
 185.145.38.219 - - [19/Apr/2020:10:38:08 -0400] "GET /w/index.php?title=Special:UserLogin&returnto=Weight+Loss+And+Exercise+-+Can+You+Lose+Muscles+Tissue&type=signup HTTP/1.1" 302 20
 185.145.38.219 - - [19/Apr/2020:10:38:09 -0400] "GET /w/index.php?title=Special:CreateAccount&returnto=Weight+Loss+And+Exercise+-+Can+You+Lose+Muscles+Tissue HTTP/1.1" 200 3268
 ...

We are literally experiencing thousands of these kinds of attacks, and it is driving our CPU usage over 80%. Apparently it is costly to service this spam (as opposed to serving a real wiki article). Here are several hours of a log file:

 # cat /var/log/httpd24/access_log | grep -E 'Penis|Health|Diet|Fat|Muscle' | wc -l
 1940
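
An added example (not part of the post above, and not the extension's or fail2ban's own code): a per-IP sliding-window count over access-log lines like those quoted above, using thresholds in the style of fail2ban's maxretry and findtime settings. The function names, threshold values and sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache common/combined log prefix: client IP, timestamp, request line.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<uri>\S+)')
# Only the index.php?title=Special:... form seen in the quoted lines is matched.
TARGET_RE = re.compile(r'[?&]title=Special:(?:CreateAccount|UserLogin)\b', re.I)


def find_offenders(lines, maxretry=3, findtime=60):
    """Map each IP to the time it first made maxretry hits within findtime seconds."""
    recent = defaultdict(deque)  # ip -> hit timestamps still inside the window
    offenders = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not TARGET_RE.search(m.group("uri")):
            continue  # unparsable line, or an ordinary page view
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        window = recent[m.group("ip")]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()  # forget hits older than the window
        if len(window) >= maxretry:
            offenders.setdefault(m.group("ip"), ts)
    return offenders


def _line(ip, hhmmss, uri, status=200):
    return f'{ip} - - [19/Apr/2020:{hhmmss} -0400] "GET {uri} HTTP/1.1" {status} 3268'


# Constructed sample (documentation IP ranges), modelled on the lines quoted above.
BASE = "/w/index.php?title="
SAMPLE = [
    _line("192.0.2.44", "10:30:00", BASE + "Special:UserLogin"),
    _line("192.0.2.44", "10:30:30", BASE + "Special:UserLogin"),
    _line("203.0.113.7", "10:38:05", BASE + "Special:CreateAccount&returnto=Spam+Title"),
    _line("198.51.100.20", "10:38:06", BASE + "Main_Page"),
    _line("203.0.113.7", "10:38:07", BASE + "Special:UserLogin&returnto=Spam+Title"),
    _line("203.0.113.7", "10:38:08", BASE + "Special:UserLogin&returnto=Spam+Title&type=signup", 302),
    _line("203.0.113.7", "10:38:09", BASE + "Special:CreateAccount&returnto=Spam+Title"),
    _line("198.51.100.20", "10:39:00", BASE + "Special:UserLogin"),
    _line("192.0.2.44", "10:45:00", BASE + "Special:UserLogin"),  # outside the window
]

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE).items():
        print(ip, "reached the threshold at", when.isoformat())
```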