UFW não bloqueia IPs

0

estou trabalhando com o fail2ban, o ufw e o wordpress (NGINX).

Eu fiz o plugin para criar 401 se alguém não conseguir fazer login

function wp_login_failed_403_res() {
  status_header(403);
}
add_action( 'wp_login_failed', 'wp_login_failed_403_res' );

Ofc fail2ban is installd O UFW está ativado.

Dentro de jail.local eu tenho isso

[wordpress]

enabled  = true
port     = http,https
filter   = wordpress-login
logpath  = /var/www/site.com/logs/site_nginx.access.log
banaction = ufw-nginx
bantime  = 60
maxretry = 3

Dentro de action.d / ufw-nginx eu tenho isso

[Definition]
actionstart =
actionstop =
actioncheck =
actionban = ufw insert 1 deny from <ip> to any app "Nginx Full"
actionunban = ufw delete deny from <ip> to any app "Nginx Full"

Dentro de filter.d / wordpress-login eu tenho isso:

[Definition]
failregex = <HOST>.*POST.*(wp-login\.php|xmlrpc\.php).* 401
ignoreregex =

Então eu estou tentando me bloquear :) Eu estou vendo os logs e eu posso ver que o nginx está registrando 401 em cada login com falha.

o log do fail2ban diz isso:

2017-11-21 20:23:55,906 fail2ban.filter         [10049]: INFO    [wordpress] Found ip.adress.here.xx
2017-11-21 20:24:50,330 fail2ban.actions        [10049]: NOTICE  [wordpress] Unban ip.adress.here.xx
2017-11-21 20:34:10,758 fail2ban.filter         [10049]: INFO    [wordpress] Found ip.adress.here.xx
2017-11-21 20:34:13,642 fail2ban.filter         [10049]: INFO    [wordpress] Found ip.adress.here.xx
2017-11-21 20:34:16,704 fail2ban.filter         [10049]: INFO    [wordpress] Found ip.adress.here.xx
2017-11-21 20:34:17,184 fail2ban.actions        [10049]: NOTICE  [wordpress] Ban ip.adress.here.xx
2017-11-21 20:34:19,240 fail2ban.filter         [10049]: INFO    [wordpress] Found ip.adress.here.xx
2017-11-21 20:34:21,789 fail2ban.filter         [10049]: INFO    [wordpress] Found ip.adress.here.xx
2017-11-21 20:34:25,776 fail2ban.filter         [10049]: INFO    [wordpress] Found ip.adress.here.xx
2017-11-21 20:34:26,508 fail2ban.actions        [10049]: NOTICE  [wordpress] ip.adress.here.xx already banned

UFW diz isso:

# ufw status                                                                              
Status: active

To                         Action      From
--                         ------      ----
Nginx Full                 DENY        ip.adress.here.xx
OpenSSH                    DENY        other.ip.adress.xxx

Ainda posso acessar e fazer login após o ban (antes do fail2ban unban me)

Existe algo faltando ou o quê?

    
por NoobyAFK 21.11.2017 / 22:52

0 respostas