Events being logged; failures not being banned

Hello

I installed wp-fail2ban per the tutoral and kept the filter.d and jail configurations the same as in the documentation.

I have confirmed that it is logging authentication attempts. Set up a tail on my log file: sudo tail -f var/log/auth.log

Logged in from my phone. The auth.log indeed showed this line:

Sep  2 19:07:16 xxxx-ThinkPad-11e wordpress(mywebsite.ca)[1004]: Accepted password for xxxx from xx.xxx.xx.xxx

(x’s added for privacy)

I also verfified the jails were running:

xxxx@xxxx-ThinkPad-11e:~$ sudo fail2ban-client status
Status
|- Number of jail:	4
`- Jail list:	sshd, vsftpd, wordpress-hard, wordpress-soft

I then tried to simulate an attack by doing a series of failed authentications thru my cellphone. I verified that the attack was logged through tailing auth.log, but fail2ban didn’t ban me. I don’t know why.

My distro does run systemd. I tried adding backend = systemd[journalflags=1] to the jails in jail.conf. No dice.

I’m running Linux Mint 21. I am a hobbyist, no formal training in computer science or IT. My site has been attracting suspicious traffic from IPs located in countries that don’t speak my language and I would really like to figure this out. Thank you!

Hey everyone. I was experimenting with this some more and I think I found a solution to the problem. I added the following directive to my wp-hard and wp-soft jails:

backend = polling

I tested this and it works. I tried 3 incorrect logins with my cell phone and on the 4th attempt it didn’t go thru. When checking banned IPs through the terminal using “sudo fail2ban-client banned” I indeed found my phone’s IP was added to the list.

If anyone thinks this is not the right solution (or if it could be done in a better way) please let me know. However it seems to be working now.

Did you try just backend = systemd ?

The journalflags bit shouldn’t be needed if you’re running things “out of the box”.