How long until first polling push for BNS?

I’ve been trying out the free version of wpfail2ban and have it working. Now I’m trying to add the blocklist add-on. I’ve got the filters and jail created but it’s been over 24 hours and I haven’t seen any list of IPs come down yet. I know the free version says updates are “infrequent” but does that include new installs? How long should it take for the first polling push to occur?

I’ve configured rsyslogd to send local6.* output to /var/log/wpf2b-block.log, and set the corresponding variable in wp-config.php:

define('WP_FAIL2BAN_PLUGIN_LOG_BLOCK', true);
define('WP_FAIL2BAN_ADDON_BLOCKLIST_CUSTOM_JAIL', true);
define('WP_FAIL2BAN_ADDON_BLOCKLIST_LOG', LOG_LOCAL6);

But the log file is still empty so nothing is being added to fail2ban. Everything looks “OK” in the site health and in the plug-in settings, so I’m not sure why I’m not getting the BNS list.

It looks like there’s an authentication problem; can you have a look in your default log (probably /var/log/messages) for any Blocklist errors? A quick grep for blocklist should be all you need.

I don’t have a /var/log/messages in Ubuntu, but I did start searching my logs and DID see connections coming in from BNS:

apache2/access.log:144.126.198.72 - - [23/Feb/2023:20:42:24 -0500] "GET /blog/wp-json/wp-fail2ban/v1/blocklist?last_id=0&nonce=1677202944 HTTP/1.1" 401 5836 "-" "BlockList/0.9.0 (+https://wp-fail2ban.blocklist.network)"

If I try to hit that URL myself, though, I get this:

{"code":"rest_forbidden","message":"Sorry, you are not allowed to do that.","data":{"status":401}}

I didn’t think I had any security plug-ins that would be causing a problem, but I guess I need to figure out what’s blocking that call.

You won’t be able to query that REST endpoint directly so that’s an expected error.

There are a lot of different things that can stop the BNS talking to a site - that’s why it’s still very much a “soft launch” while I work through the things I don’t know about yet.

journalctl -g "blocklist" might give some hints about what’s going on (assuming Ubuntu 20.04 or later).

Ah, didn’t realize this was a newer feature, no worries.

journalctl didn’t really show anything. I can see my editing the filters and jails files and then my failed attempts to access the REST endpoint, like this:

Feb 24 08:12:47 myserver wordpress(www.mysite.net)[730651]: (WPf2b++/blocklist) [A] No Authentication header from xx.xxx.xxx.xx

I’ve added some debug code to v2.2.0; if you add the following to wp-config.php:

define('WP_FAIL2BAN_ADDON_BLOCKLIST_DEBUG', true);
define('WP_FAIL2BAN_ADDON_BLOCKLIST_DEBUG_TRY_ALL_KEYS', true);

hopefully it will then both work and provide some useful info when you run journalctl.

Thanks … I’ve upgraded and added those two lines. Will see what happens!

I’ve just released v2.2.1-rc1 as a beta; could you try that please?

Then, after it’s been running a few hours, DM me the output of:

journalctl -g "blocklist" -S today

Don’t paste it here! There will be things in it that shouldn’t be public.

Thanks!

Where can I get the beta?

BTW, here’s what I found in my journalctl overnight after upgrading to 2.2.0:

2023-02-25 16:24:24 Z	Debug	(WPf2b++/blocklist) No matching secret key from 144.126.198.72

Freemius usually marks the plugin as needing an update but not always…

wpf2b-addon-blocklist-free.2.2.1-rc.1.zip (57.3 KB)

Thanks. I’ve upgraded to 2.2.1-rc1. Will let it go for a bit and see what happens.

I can’t seem to figure out how to send a DM on these forums, but what I see in journalctl specifically for WPf2b doesn’t seem too sensitive, so here’s what I’ve got with the latest RC (just replaced my server name and URL).

Feb 25 17:45:28 myserver wordpress(www.myserver.net)[830957]: (WPf2b++/blocklist) Raw URL is "/blog/wp-json/wp-fail2ban/v1/blocklist" from 144.126.198.72
Feb 25 17:45:28 myserver wordpress(www.myserver.net)[830957]: (WPf2b++/blocklist) URL is "/blog/wp-json/wp-fail2ban/v1/blocklist" from 144.126.198.72
Feb 25 17:45:28 myserver wordpress(www.myserver.net)[830957]: (WPf2b++/blocklist) hmac data "GET:/blog/wp-json/wp-fail2ban/v1/blocklist:1677365128:" from 144.126.198.72
Feb 25 17:45:28 myserver wordpress(www.myserver.net)[830957]: (WPf2b++/blocklist) Not using secret key "wp-fail2ban" from 144.126.198.72
Feb 25 17:45:28 myserver wordpress(www.myserver.net)[830957]: (WPf2b++/blocklist) hmac data "GET:/blog/wp-json/wp-fail2ban/v1/blocklist:1677365128:" from 144.126.198.72
Feb 25 17:45:28 myserver wordpress(www.myserver.net)[830957]: (WPf2b++/blocklist) Not using secret key "wpf2b-addon-blocklist" from 144.126.198.72
Feb 25 17:45:28 myserver wordpress(www.myserver.net)[830957]: (WPf2b++/blocklist) No matching secret key from 144.126.198.72
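The debug lines quoted above can be read per request rather than line by line. As an added example (not part of the original thread and not the plugin's code), this Python script groups them by time, PID and source address and reports the signed data, the keys that were tried and the reason for rejection. The message patterns are assumed only from the lines quoted in this thread; `triage` is a hypothetical helper name.

```python
import re

# Sample input: debug lines copied from the posts in this thread (already redacted there).
SAMPLE = """\
Feb 24 08:12:47 myserver wordpress(www.mysite.net)[730651]: (WPf2b++/blocklist) [A] No Authentication header from xx.xxx.xxx.xx
Feb 25 17:45:28 myserver wordpress(www.myserver.net)[830957]: (WPf2b++/blocklist) Raw URL is "/blog/wp-json/wp-fail2ban/v1/blocklist" from 144.126.198.72
Feb 25 17:45:28 myserver wordpress(www.myserver.net)[830957]: (WPf2b++/blocklist) URL is "/blog/wp-json/wp-fail2ban/v1/blocklist" from 144.126.198.72
Feb 25 17:45:28 myserver wordpress(www.myserver.net)[830957]: (WPf2b++/blocklist) hmac data "GET:/blog/wp-json/wp-fail2ban/v1/blocklist:1677365128:" from 144.126.198.72
Feb 25 17:45:28 myserver wordpress(www.myserver.net)[830957]: (WPf2b++/blocklist) Not using secret key "wp-fail2ban" from 144.126.198.72
Feb 25 17:45:28 myserver wordpress(www.myserver.net)[830957]: (WPf2b++/blocklist) hmac data "GET:/blog/wp-json/wp-fail2ban/v1/blocklist:1677365128:" from 144.126.198.72
Feb 25 17:45:28 myserver wordpress(www.myserver.net)[830957]: (WPf2b++/blocklist) Not using secret key "wpf2b-addon-blocklist" from 144.126.198.72
Feb 25 17:45:28 myserver wordpress(www.myserver.net)[830957]: (WPf2b++/blocklist) No matching secret key from 144.126.198.72
"""

# Syslog-style prefix as it appears in the journalctl output quoted in the thread.
LINE = re.compile(
    r'^(?P<ts>\w{3} +\d+ [\d:]{8}) \S+ wordpress\([^)]*\)\[(?P<pid>\d+)\]: '
    r'\(WPf2b\+\+/blocklist\) (?P<msg>.*) from (?P<ip>\S+)$')
HMAC = re.compile(r'^hmac data "(?P<method>[A-Z]+):(?P<path>[^:]*):(?P<nonce>\d+):')
KEY = re.compile(r'^Not using secret key "(?P<key>[^"]*)"$')

def triage(text):
    """Group blocklist debug lines by (time, pid, source IP); summarise each request."""
    requests = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # not a blocklist debug line in the expected format
        req = requests.setdefault((m['ts'], m['pid'], m['ip']), {
            'ip': m['ip'], 'method': None, 'path': None, 'nonce': None,
            'keys_rejected': [], 'outcome': 'no verdict logged'})
        msg = m['msg']
        if h := HMAC.match(msg):
            req.update(method=h['method'], path=h['path'], nonce=int(h['nonce']))
        elif k := KEY.match(msg):
            req['keys_rejected'].append(k['key'])
        elif msg == 'No matching secret key':
            req['outcome'] = 'rejected: no matching secret key'
        elif msg.endswith('No Authentication header'):
            req['outcome'] = 'rejected: no Authentication header'
    return list(requests.values())

if __name__ == "__main__":
    for r in triage(SAMPLE):
        print(r)
```

Lines in other formats, such as the tab-separated `Debug` line quoted earlier in the thread, are skipped rather than guessed at.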

OK, it all seems to be working as it should now.

Thanks for the debug info - the problem turned out to be a simple oversight in the BNS - simple to fix, but very, very difficult to find!

I’ll tidy up the code a bit and do another release in a few weeks - you can rollback to 2.2.0 or stick with this version, it really doesn’t make any difference.

Don’t forget to remove the 2 debugging defines from your wp-config.php - you don’t need your logs filling up.

Awesome, thanks! Glad I was able to assist.

So how can I tell if this is working? In my WP dashboard, I still see no IPs, which I assume should contain the blocklist? This is on 2.2.1. Thanks.