invis.net

Multisite bans prematurely

Following up on this: https://wordpress.org/support/topic/banning-prematurely-when-accessing-multisite/

Here are the logs where I got banned:

2020-06-01 13:56:21,401 fail2ban.filter         [965]: INFO    [sshd] Found 176.98.91.211 - 2020-06-01 13:56:21
2020-06-01 14:31:21,861 fail2ban.filter         [965]: INFO    [sshd] Found 60.216.46.77 - 2020-06-01 14:31:21
2020-06-01 16:00:29,182 fail2ban.filter         [965]: INFO    [sshd] Found 70.184.171.228 - 2020-06-01 16:00:29
2020-06-01 16:00:29,287 fail2ban.filter         [965]: INFO    [sshd] Found 70.184.171.228 - 2020-06-01 16:00:29
2020-06-01 18:04:44,806 fail2ban.filter         [965]: INFO    [sshd] Found 178.128.84.157 - 2020-06-01 18:04:44
2020-06-01 18:25:55,393 fail2ban.filter         [965]: INFO    [sshd] Found 118.173.12.35 - 2020-06-01 18:25:54
2020-06-01 18:25:58,576 fail2ban.filter         [965]: INFO    [sshd] Found 113.161.39.20 - 2020-06-01 18:25:58
2020-06-01 18:33:53,372 fail2ban.filter         [965]: INFO    [sshd] Found 85.214.164.251 - 2020-06-01 18:33:53
2020-06-01 19:11:31,138 fail2ban.filter         [965]: INFO    [sshd] Found 141.98.81.84 - 2020-06-01 19:11:30
2020-06-01 19:11:33,933 fail2ban.filter         [965]: INFO    [sshd] Found 141.98.81.99 - 2020-06-01 19:11:33
2020-06-01 19:11:38,550 fail2ban.filter         [965]: INFO    [sshd] Found 141.98.81.108 - 2020-06-01 19:11:38
2020-06-01 19:11:43,017 fail2ban.filter         [965]: INFO    [sshd] Found 141.98.81.81 - 2020-06-01 19:11:43
2020-06-01 19:11:46,821 fail2ban.filter         [965]: INFO    [sshd] Found 141.98.81.83 - 2020-06-01 19:11:46
2020-06-01 19:11:48,743 fail2ban.filter         [965]: INFO    [sshd] Found 141.98.81.84 - 2020-06-01 19:11:48
2020-06-01 19:11:53,196 fail2ban.filter         [965]: INFO    [sshd] Found 141.98.81.107 - 2020-06-01 19:11:52
2020-06-01 19:11:54,879 fail2ban.filter         [965]: INFO    [sshd] Found 141.98.81.108 - 2020-06-01 19:11:54
2020-06-01 19:11:57,882 fail2ban.filter         [965]: INFO    [sshd] Found 141.98.81.81 - 2020-06-01 19:11:57
2020-06-01 19:36:51,949 fail2ban.filter         [965]: INFO    [sshd] Found 141.98.9.157 - 2020-06-01 19:36:51
2020-06-01 19:36:55,344 fail2ban.filter         [965]: INFO    [sshd] Found 141.98.9.159 - 2020-06-01 19:36:55
2020-06-01 19:37:00,928 fail2ban.filter         [965]: INFO    [sshd] Found 141.98.9.160 - 2020-06-01 19:37:00
2020-06-01 19:37:02,939 fail2ban.filter         [965]: INFO    [sshd] Found 141.98.9.161 - 2020-06-01 19:37:02
2020-06-01 19:37:08,096 fail2ban.filter         [965]: INFO    [sshd] Found 141.98.9.137 - 2020-06-01 19:37:08
2020-06-01 19:37:10,234 fail2ban.filter         [965]: INFO    [sshd] Found 141.98.9.157 - 2020-06-01 19:37:10
2020-06-01 19:37:16,996 fail2ban.filter         [965]: INFO    [sshd] Found 141.98.9.160 - 2020-06-01 19:37:16
2020-06-01 19:37:20,521 fail2ban.filter         [965]: INFO    [sshd] Found 141.98.9.161 - 2020-06-01 19:37:20
2020-06-01 19:37:24,323 fail2ban.filter         [965]: INFO    [sshd] Found 141.98.9.156 - 2020-06-01 19:37:24
2020-06-01 19:37:28,068 fail2ban.filter         [965]: INFO    [sshd] Found 141.98.9.137 - 2020-06-01 19:37:28
2020-06-01 20:26:39,478 fail2ban.filter         [965]: INFO    [wordpress-hard] Found 73.96.174.243 - 2020-06-01 20:26:39
2020-06-01 20:26:39,536 fail2ban.actions        [965]: NOTICE 

Before doing that, I deployed monthly updates, which happens via Laravel Forge. It does this via the following:

cd /home/forge/www.example.com
git pull origin master
composer install --no-interaction --prefer-dist --optimize-autoloader --no-dev
echo "" | sudo -S service php7.3-fpm reload

And that all happens from a Forge IP, so shouldn’t bother me any. Then I simply went to example.com/wp-admin to try and log in. The login form appeared, but all stylesheets and JS were broken (I assume due to the ban – I never even put in a username/password). Upon refresh, I was blocked entirely.

Should I verify that the fail2ban confs are up-to-date? I don’t know how often you change those.

Also, once I’m unbanned, I can log in without issue.

OK, so it looks like something is triggering one of the hard rules.

The first step is to look in the other logs to see which event is triggering the block - without that it’s impossible even to guess what’s going on.
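An added example, not part of the original thread or the plugin's code: one way to start on that first step is to pair each `Ban` in fail2ban.log with the jail and the `Found` timestamps that preceded it, which gives the times to search for in the log that jail reads. The function name `explain_bans` and the sample lines (documentation addresses) are constructed for illustration, and the `Ban` line follows fail2ban's usual `[jail] Ban <ip>` layout.

```python
import re
from collections import defaultdict

# Matches fail2ban.log "Found" (filter) and "Ban" (actions) lines.
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+\s+fail2ban\.(?:filter|actions)\s+"
    r"\[\d+\]:\s+\w+\s+\[(?P<jail>[^\]]+)\]\s+(?P<event>Found|Ban)\s+(?P<ip>\S+)"
)

def explain_bans(log_text):
    """For each Ban, return the jail, the IP and the 'Found' timestamps behind it."""
    found = defaultdict(list)          # (jail, ip) -> timestamps of filter matches
    bans = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                   # truncated or unrelated line
        key = (m["jail"], m["ip"])
        if m["event"] == "Found":
            found[key].append(m["ts"])
        else:
            bans.append({"jail": m["jail"], "ip": m["ip"],
                         "banned_at": m["ts"], "matches": list(found[key])})
            found[key].clear()         # a later ban starts a new count
    return bans

# Constructed sample (documentation addresses, not the poster's log).
SAMPLE = """\
2020-06-01 19:11:31,138 fail2ban.filter         [965]: INFO    [sshd] Found 198.51.100.7 - 2020-06-01 19:11:30
2020-06-01 20:26:39,478 fail2ban.filter         [965]: INFO    [wordpress-hard] Found 203.0.113.10 - 2020-06-01 20:26:39
2020-06-01 20:26:39,536 fail2ban.actions        [965]: NOTICE  [wordpress-hard] Ban 203.0.113.10
2020-06-01 20:26:40,001 fail2ban.actions        [965]: NOTICE
"""

if __name__ == "__main__":
    for b in explain_bans(SAMPLE):
        print(f"{b['ip']} banned by [{b['jail']}] at {b['banned_at']} "
              f"after {len(b['matches'])} match(es): {b['matches']}")
        print("  -> search that jail's logpath for this IP at those times")
```

A ban that follows a single match points at a jail that bans on the first hit, so the line to find in the source log is the one written at that exact second.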

Just FYI, I am having a similar problem.

After installing V4.2.8 on a Multisite, I would be able to log in, but a few days later I’d be locked out. I had the same fail2ban rules as a bunch of regular WP sites on the same server, and they never had this problem. I uninstalled it on my multisite.

I tried installing 4.3.0.4 on that same Multisite since the release notes mentioned Multisite support. This time, I was immediately locked out of the login page after installation. I uninstalled it.

Note, I’m running on Gridpane.

Thanks for letting me know.

Unfortunately, until someone with this problem shows me the log entries that caused the issue I can only guess - I cannot reproduce it locally.

The new “last 5 messages” widget in 4.3 should make this easy - any chance you could reproduce the problem and share the messages?

I believe this was fixed in 4.3.0.5 - feel free to post here if you’re still having issues.

I have not had the problem with V4.3.0.5 so far! Very encouraging. I’ll let you know if this changes.

Haven’t had the problem in almost two weeks. I’d say this is fixed!

Many thanks for your work!