Systemd (long may it and its developer burn in hell) has come along and replaced all the sane and logical system-logging solutions we all used to love and adore. With that now being a fait accompli, we are all suffering as we try and learn how to use the incomprehensible behemoth that is systemd.
It would be nice/convenient/useful to have two options available for the provided wordpress.jail configuration file, one for wise systems that still use syslog-ng/rsyslog/etc, and one for the now more brain-dead systems with systemd. (Yes, I loathe systemd with a fiery burning passion.)
So far I've been able to adjust the jail config file to recognise the systemd backend, but have not been able to write and test the journalmatch entry to catch the php-generated auth messages from this plugin.
This seems to be a mostly-functional method of re-discovering /var/log/auth.log:
and from my brief poking at it with grep, it looks like we only need facility=4.
I've managed to get this far:
/etc/fail2ban/jail.d/wordpress.conf
backend = systemd
journalmatch = SYSLOG_FACILITY=4
The provided filters (soft and hard) do catch authentication failures - yay! but I've not yet found a way to wrap this information into something I can properly test with fail2ban-regex. I could just wait and see if these users turn up in the jails, but I'd like a more concrete way of validating the config. The doco for 'fail2ban-regex systemd-journal' is again, abyss-like in its absence.
I'm seeing singular authentication attempts from IP addresses, but not multiple attempts, so they've possibly not met the jailing requirements yet.
I'm hoping that you've been able to install and configure this module within a systemd-disabled system, and thus can share your working configuration files?
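An offline way to check how a journal match, a filter pattern and the jail thresholds interact, as an added example that is not part of the original issue or the plugin's code: it replays constructed `journalctl -o json` records through a simplified model of a jail. The message wording, the pattern, the addresses and the `maxretry`/`findtime` values are assumptions; the journal's syslog compatibility field is `SYSLOG_FACILITY`.

```python
import json
import re
from collections import defaultdict

# Constructed sample in `journalctl -o json` form (one object per line).
# Message wording, timestamps and addresses are assumptions for this example.
SAMPLE_JOURNAL = """\
{"__REALTIME_TIMESTAMP": "1700000000000000", "SYSLOG_FACILITY": "4", "MESSAGE": "Authentication failure for admin from 203.0.113.7"}
{"__REALTIME_TIMESTAMP": "1700000060000000", "SYSLOG_FACILITY": "4", "MESSAGE": "Authentication failure for admin from 203.0.113.7"}
{"__REALTIME_TIMESTAMP": "1700000090000000", "SYSLOG_FACILITY": "3", "MESSAGE": "Authentication failure for admin from 203.0.113.7"}
{"__REALTIME_TIMESTAMP": "1700000120000000", "SYSLOG_FACILITY": "4", "MESSAGE": "Authentication failure for editor from 198.51.100.9"}
{"__REALTIME_TIMESTAMP": "1700000150000000", "SYSLOG_FACILITY": "4", "MESSAGE": "Authentication failure for admin from 203.0.113.7"}
{"__REALTIME_TIMESTAMP": "1700000900000000", "SYSLOG_FACILITY": "4", "MESSAGE": "Authentication failure for editor from 198.51.100.9"}
{"__REALTIME_TIMESTAMP": "1700000950000000", "SYSLOG_FACILITY": "4", "MESSAGE": "Accepted password for editor from 198.51.100.9"}
"""

# Assumed stand-in for the filter's failregex; the named group plays the role of <HOST>.
FAILREGEX = re.compile(
    r"Authentication failure for .* from (?P<host>\d{1,3}(?:\.\d{1,3}){3})$")

def journal_match(entry, match="SYSLOG_FACILITY=4"):
    """Exact FIELD=value comparison, the way a journal match selects entries."""
    field, _, value = match.partition("=")
    return entry.get(field) == value

def simulate_jail(journal_text, maxretry=3, findtime=600):
    """Return ({host: matched failures}, {hosts reaching maxretry within findtime})."""
    seen = defaultdict(list)
    banned = set()
    for line in journal_text.splitlines():
        entry = json.loads(line)
        if not journal_match(entry):
            continue  # wrong facility: the jail never sees this entry
        hit = FAILREGEX.search(entry.get("MESSAGE", ""))
        if not hit:
            continue  # right facility, but not a failure line
        ts = int(entry["__REALTIME_TIMESTAMP"]) / 1_000_000  # microseconds to seconds
        host = hit.group("host")
        seen[host].append(ts)
        recent = [t for t in seen[host] if ts - t <= findtime]
        if len(recent) >= maxretry:
            banned.add(host)
    return {host: len(times) for host, times in seen.items()}, banned

if __name__ == "__main__":
    print(simulate_jail(SAMPLE_JOURNAL))
```

On a live host the equivalent check is `fail2ban-regex -m 'SYSLOG_FACILITY=4' systemd-journal <path-to-filter>`, where the filter path is a placeholder for the plugin's installed filter file.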