thebrandonallen/wp-fail2ban-redux

Plugin does not integrate cleanly with systemd-enabled systems

Opened this issue · 1 comment

Systemd (long may it and its developer burn in hell) has come along and replaced all the sane and logical system-logging solutions we all used to love and adore. With that now being a fait accompli, we are all suffering as we try and learn how to use the incomprehensible behemoth that is systemd.
It would be nice/convenient/useful to have two options available for the provided wordpress.jail configuration file, one for wise systems that still use syslog-ng/rsyslog/etc, and one for the now more brain-dead systems with systemd. (Yes, I loathe systemd with a fiery burning passion.)

So far I've been able to adjust the jail config file to recognise the systemd backend, but have not been able to write and test the journalmatch entry to catch the php-generated auth messages from this plugin.

This seems to be a mostly-functional method of re-discovering /var/log/auth.log:

journalctl -q SYSLOG_FACILITY=10 SYSLOG_FACILITY=4

and from my brief poking at it with grep, it looks like we only need facility=4.
I've managed to get this far:
/etc/fail2ban/jail.d/wordpress.conf
backend = systemd
journalmatch = _SYSLOG_FACILITY=4

The provided filters (soft and hard) do catch authentication failures - yay! But I've not yet found a way to wrap this information into something I can properly test with fail2ban-regex. I could just wait and see if these users turn up in the jails, but I'd like a more concrete way of validating the config. The doco for 'fail2ban-regex systemd-journal' is, again, abyss-like in its absence.
I'm seeing singular authentication attempts from IP addresses, but not multiple attempts, so they've possibly not met the jailing requirements yet.

I'm hoping that you've been able to install and configure this module within a systemd-disabled system, and thus can share your working configuration files?
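As an added example (not the plugin's own files and not from this thread): a jail.d drop-in for the systemd backend plus a helper that plants a constructed auth-failure event in the journal and runs fail2ban-regex against systemd-journal with the same journalmatch, which gives the concrete validation asked for above. It assumes the plugin's filters are installed as /etc/fail2ban/filter.d/wordpress-hard.conf and wordpress-soft.conf, that the plugin logs with facility LOG_AUTH (4) under the ident wordpress(host), that python3-systemd is installed, and that the sample message texts follow the plugin's soft/hard log formats.

```shell
#!/bin/sh
# Added example, not part of wp-fail2ban-redux or this thread. Assumptions:
# filters at /etc/fail2ban/filter.d/wordpress-{hard,soft}.conf, plugin logs via
# syslog facility LOG_AUTH (4) as "wordpress(host)", python3-systemd installed.
set -e

# Syslog metadata fields in the journal carry no leading underscore, so the
# match is SYSLOG_FACILITY=4 (the same set "journalctl SYSLOG_FACILITY=4" shows).
JOURNALMATCH='SYSLOG_FACILITY=4'

# Emit the jail.d drop-in for both filters. No logpath: the systemd backend
# reads the journal and ignores it.
render_jail() {
	for jail in hard soft; do
		if [ "$jail" = hard ]; then retry=1; else retry=3; fi
		printf '[wordpress-%s]\nenabled = true\nfilter = wordpress-%s\n' "$jail" "$jail"
		printf 'backend = systemd\njournalmatch = %s\n' "$JOURNALMATCH"
		printf 'port = http,https\nmaxretry = %s\n\n' "$retry"
	done
}

# Extract the matched count from a fail2ban-regex summary line, e.g.
# "Lines: 57 lines, 0 ignored, 1 matched, 56 missed" -> 1
matched_count() {
	printf '%s\n' "$1" | sed -n 's/^Lines: .* \([0-9][0-9]*\) matched.*/\1/p'
}

# Constructed sample events shaped like the plugin's soft/hard log lines
# (assumed format); 192.0.2.10 is a documentation-range address.
sample_event() {
	case "$1" in
		soft) echo 'Authentication failure for admin from 192.0.2.10' ;;
		hard) echo 'Authentication attempt for unknown user nobody from 192.0.2.10' ;;
		*) echo "unknown filter: $1" >&2; return 1 ;;
	esac
}

# Plant the sample in the journal the way the plugin would (facility auth,
# ident plus PID) and scan the journal with the jail's journalmatch.
check_filter() {	# usage: check_filter soft|hard
	logger -i -p auth.warning -t 'wordpress(example.com)' "$(sample_event "$1")"
	summary=$(fail2ban-regex -m "$JOURNALMATCH" systemd-journal \
		"/etc/fail2ban/filter.d/wordpress-$1.conf" | grep '^Lines:')
	echo "wordpress-$1: $summary"
	[ "$(matched_count "$summary")" -ge 1 ]
}

case "${1:-}" in
	render) render_jail ;;
	check)  check_filter "${2:-soft}" ;;
esac
```

Run the script with `render` to print the drop-in for /etc/fail2ban/jail.d/wordpress.conf, then with `check soft` or `check hard` to see whether fail2ban-regex finds the planted event through the journal.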

@catofnineswords - Recent work on systemd / wp-f2b topic here: fail2ban/fail2ban#3756.

I am trying to decipher the solution this author made.

Edit: Found a post from the author on the f2b support page:
https://forums.invis.net/t/debian-12-journalctl-systemd-configuration/504