Hello and congratulations on this new forum.
I am not sure if bug reports belong in this category. Please move it around as needed.
I am encountering a bug relating to Block User Enumeration.
Using
WordPress 5.3.2 with Gutenberg
WP Fail2ban 4.2.7.1
Windows & Mac, Chrome & Firefox
Logs
When a non-admin creates a new post, which starts up Gutenberg, one of the requests triggers "Blocked user enumeration attempt". I could reproduce this on different servers and in different browsers, so I am quite sure it has to do with the way _log_bail_user_enum() works. Here are the logs.
Nginx access.log
A single request shows a non-200 status code, namely 403 Forbidden.
IP.IP.IP.IP - - [09/Apr/2020:16:59:25 +0200] "GET /wp-json/wp/v2/users/?who=authors&per_page=100&lang=fr&_locale=user HTTP/2.0" 403 98 "https://example.com/wp/wp-admin/post-new.php?post_type=page" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:74.0) Gecko/20100101 Firefox/74.0" "-"
auth.log
Apr 9 16:59:08 example wordpress(example.com)[18498]: Accepted password for editor from IP.IP.IP.IP
Apr 9 16:59:25 example wordpress(example.com)[18498]: Blocked user enumeration attempt from IP.IP.IP.IP
fail2ban.log
2020-04-09 16:59:26,177 fail2ban.filter [2217]: INFO [wordpress-hard] Found IP.IP.IP.IP - 2020-04-09 16:59:25
2020-04-09 16:59:26,282 fail2ban.actions [2217]: NOTICE [wordpress-hard] Ban IP.IP.IP.IP
Problem
As I understand it, the error comes from /wp-json/wp/v2/users/?who=authors triggering WP Fail2ban even when it comes from a logged-in non-admin.
Indeed, it does not happen for admins. As such, as a temporary fix, I changed the user (whom I trust entirely) from the Editor role to the Administrator role, and they could publish again.
But switching other people to Administrator is not an option.
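Added example (not the poster's code and not WP Fail2ban's own filter): a small triage script for exactly the situation in this report. It reads the auth.log and access.log formats shown above, finds every "Blocked user enumeration attempt" whose IP had an "Accepted password" line shortly before it, and joins it to the 403 request against the /wp-json/wp/v2/users route at the same second, so you can tell a banned logged-in editor from an anonymous scanner before widening anyone's role. The log lines are constructed copies of the ones in the post with placeholder IPs; the year (syslog lines carry none), the 60-second window and the assumption that both logs are in server local time are mine, and the regexes are simplified stand-ins, not the wordpress-hard filter's failregex.

```python
"""Triage "Blocked user enumeration attempt" bans against recent successful logins.

Added example, not code from WP Fail2ban or the report above. Sample log lines
are constructed (placeholder IPs/timestamps) in the formats shown in the post.
"""
import re
from datetime import datetime, timedelta

LOG_YEAR = 2020  # assumption: syslog lines carry no year

# Constructed sample data, same shape as the auth.log / access.log in the report.
AUTH_LOG = """\
Apr  9 16:59:08 example wordpress(example.com)[18498]: Accepted password for editor from 198.51.100.7
Apr  9 16:59:25 example wordpress(example.com)[18498]: Blocked user enumeration attempt from 198.51.100.7
Apr  9 17:03:02 example wordpress(example.com)[18498]: Blocked user enumeration attempt from 203.0.113.9
"""

ACCESS_LOG = """\
198.51.100.7 - - [09/Apr/2020:16:59:25 +0200] "GET /wp-json/wp/v2/users/?who=authors&per_page=100&lang=fr&_locale=user HTTP/2.0" 403 98 "https://example.com/wp/wp-admin/post-new.php?post_type=page" "Mozilla/5.0" "-"
203.0.113.9 - - [09/Apr/2020:17:03:02 +0200] "GET /wp-json/wp/v2/users/ HTTP/1.1" 403 98 "-" "curl/7.68.0" "-"
"""

# Simplified stand-ins for the real filter expressions (assumption, not WP Fail2ban's regexes).
SYSLOG_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ "
    r"wordpress\([^)]*\)\[\d+\]: (?P<msg>.*)$"
)
LOGIN_RE = re.compile(r"^Accepted password for (?P<user>\S+) from (?P<ip>\S+)$")
ENUM_RE = re.compile(r"^Blocked user enumeration attempt from (?P<ip>\S+)$")
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"'
)


def parse_auth(log):
    """Return (timestamp, kind, user, ip) tuples for logins and enumeration blocks."""
    events = []
    for line in log.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{LOG_YEAR} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        lm = LOGIN_RE.match(m["msg"])
        em = ENUM_RE.match(m["msg"])
        if lm:
            events.append((ts, "login", lm["user"], lm["ip"]))
        elif em:
            events.append((ts, "enum", None, em["ip"]))
    return events


def parse_access(log):
    """Return dicts for each access-log request; offset dropped (assumed server local time)."""
    reqs = []
    for line in log.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
        reqs.append({"ip": m["ip"], "ts": ts, "path": m["path"],
                     "status": int(m["status"]), "referer": m["referer"]})
    return reqs


def likely_false_positives(auth_log, access_log, window=timedelta(seconds=60)):
    """Enumeration blocks preceded by a successful login from the same IP within `window`,
    joined with the 403 REST users request that fired at the same second (if any)."""
    events = parse_auth(auth_log)
    reqs = parse_access(access_log)
    logins = [e for e in events if e[1] == "login"]
    out = []
    for ts, kind, _, ip in events:
        if kind != "enum":
            continue
        recent = [l for l in logins if l[3] == ip and timedelta(0) <= ts - l[0] <= window]
        if not recent:
            continue  # no recent login from this IP: treat as a genuine scan
        login_ts, _, user, _ = max(recent, key=lambda l: l[0])
        req = next((r for r in reqs if r["ip"] == ip and r["ts"] == ts and r["status"] == 403
                    and r["path"].startswith("/wp-json/wp/v2/users")), None)
        out.append({
            "ip": ip,
            "user": user,
            "seconds_after_login": int((ts - login_ts).total_seconds()),
            "request": req["path"] if req else None,
            "from_wp_admin": bool(req and "/wp-admin/" in req["referer"]),
        })
    return out


if __name__ == "__main__":
    for hit in likely_false_positives(AUTH_LOG, ACCESS_LOG):
        print(hit)
```

Run against the sample data it reports only the editor's IP (blocked 17 seconds after logging in, on the ?who=authors request with a /wp-admin/ referer) and leaves the anonymous curl request alone; on a real server, point it at the live auth.log and access.log instead of the constructed strings.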