Topic on Extension talk:Fail2Log

Fail2ban based on probes?

2
Noloader (talkcontribs)

The project's description says:

The Fail2Log extension creates a log file containing IP addresses of IP's that tried to login with an incorrect username and/or password.

Fake logins with usernames and passwords are not the problem we experience.

We experience the problem shown below. They are probes from hosts looking for vulnerable components.

# cat /var/log/apache2/access.log | grep wp-login.php
117.186.248.5 - - [30/Mar/2021:04:38:32 +0000] "GET /wp-login.php HTTP/1.1" 404 437 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:78.0) Gecko/20100101 Firefox/78.0"
46.11.72.15 - - [30/Mar/2021:06:51:02 +0000] "GET /wp-login.php HTTP/1.1" 404 491 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
47.114.185.232 - - [30/Mar/2021:12:31:12 +0000] "GET /wp-login.php HTTP/1.1" 404 437 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:78.0) Gecko/20100101 Firefox/78.0"
35.213.170.208 - - [30/Mar/2021:14:56:35 +0000] "GET /wp-login.php HTTP/1.1" 404 458 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
145.239.29.217 - - [30/Mar/2021:16:06:10 +0000] "GET /wp-login.php HTTP/1.1" 404 458 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
162.253.71.214 - - [30/Mar/2021:21:43:20 +0000] "GET /wp-login.php HTTP/1.1" 404 279
188.70.42.214 - - [30/Mar/2021:21:59:11 +0000] "GET /wp-login.php HTTP/1.1" 404 275

We would like to ban hosts that are trying to break in through known vulnerabilities, like those in Wordpress. We would also like to ban the entire netblock. We find there will be a dozen or so hosts from a netblock acting together (a distributed attack). We also find most of the attacks stem from China and former Soviet Union.

Is it possible to ban hosts based on break in attempts like using wp-login.php? If so, how do we do it?

Thanks in advance.

Noloader (talk) 22:27, 30 March 2021 (UTC)

Ciencia Al Poder (talkcontribs)

Fail2ban can ban everything if you can provide a log file for it to detect possible intrussions.

Since you have a webserver log for those, create a rule in fail2ban to look on the server's access log and match only such requests... that may not be easy, since you'll have to put every possible URL... or by status code (for example, for 404 status code), but beware that you may end blocking legitimate bots like googlebot.

An extension can't control that because most bots are trying to scan paths that are outside of the MediaWiki installation, or that don't target index.php, like the example you posted above.

Reply to "Fail2ban based on probes?"