Estou tentando capturar força bruta contra /xmlrpc.php com o fail2ban

Navegue suas respostas
2

Estou com uma tonelada de falhas de acesso falho: 

185.103.252.174 - - [28/Apr/2016:15:09:16 -0400] "POST /xmlrpc.php HTTP/1.1" 499 0 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
173.246.56.51 - - [28/Apr/2016:15:09:17 -0400] "POST /xmlrpc.php HTTP/1.1" 499 0 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
185.103.252.173 - - [28/Apr/2016:15:09:17 -0400] "POST /xmlrpc.php HTTP/1.1" 499 0 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
23.226.36.2 - - [28/Apr/2016:15:09:17 -0400] "POST /xmlrpc.php HTTP/1.1" 499 0 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
23.226.36.2 - - [28/Apr/2016:15:09:17 -0400] "POST /xmlrpc.php HTTP/1.1" 499 0 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
185.103.252.173 - - [28/Apr/2016:15:09:17 -0400] "POST /xmlrpc.php HTTP/1.1" 499 0 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
148.251.184.222 - - [28/Apr/2016:15:09:17 -0400] "POST /xmlrpc.php HTTP/1.1" 499 0 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
148.251.184.222 - - [28/Apr/2016:15:09:17 -0400] "POST /xmlrpc.php HTTP/1.1" 499 0 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
148.251.184.222 - - [28/Apr/2016:15:09:18 -0400] "POST /xmlrpc.php HTTP/1.1" 499 0 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"

Meu /etc/fail2ban/filter.d/wordpress-auth.conf : 

[Definition]
failregex = <HOST>.*POST.*xmlrpc\.php.* 499

No meu /etc/fail2ban/jail.conf : 

[wordpress]
enabled  = true
port     = http,https
filter   = wordpress-auth
logpath  = /var/log/nginx/access.log
maxretry = 3
bantime  = 86400

Reiniciei o fail2ban, mas não vi nenhum [wordpress] no meu /var/log/fail2ban.log . O que estou fazendo errado?

    
por Kit Sunde 28.04.2016 / 21:13

1 resposta

1

Certo, parece que está funcionando, demorou para reagir aos logs.

    
por 28.04.2016 / 21:19

Tags

Como atualizar o Docker (para 1.10.0) no CentOS7? Nginx reescreve: remove? após filename.php