Multisite bans prematurely

ethanclevenger91 · 23 June 2020 16:34

Following up on this: https://wordpress.org/support/topic/banning-prematurely-when-accessing-multisite/

Here are the logs where I got banned:

2020-06-01 13:56:21,401 fail2ban.filter         [965]: INFO    [sshd] Found 176.98.91.211 - 2020-06-01 13:56:21
2020-06-01 14:31:21,861 fail2ban.filter         [965]: INFO    [sshd] Found 60.216.46.77 - 2020-06-01 14:31:21
2020-06-01 16:00:29,182 fail2ban.filter         [965]: INFO    [sshd] Found 70.184.171.228 - 2020-06-01 16:00:29
2020-06-01 16:00:29,287 fail2ban.filter         [965]: INFO    [sshd] Found 70.184.171.228 - 2020-06-01 16:00:29
2020-06-01 18:04:44,806 fail2ban.filter         [965]: INFO    [sshd] Found 178.128.84.157 - 2020-06-01 18:04:44
2020-06-01 18:25:55,393 fail2ban.filter         [965]: INFO    [sshd] Found 118.173.12.35 - 2020-06-01 18:25:54
2020-06-01 18:25:58,576 fail2ban.filter         [965]: INFO    [sshd] Found 113.161.39.20 - 2020-06-01 18:25:58
2020-06-01 18:33:53,372 fail2ban.filter         [965]: INFO    [sshd] Found 85.214.164.251 - 2020-06-01 18:33:53
2020-06-01 19:11:31,138 fail2ban.filter         [965]: INFO    [sshd] Found 141.98.81.84 - 2020-06-01 19:11:30
2020-06-01 19:11:33,933 fail2ban.filter         [965]: INFO    [sshd] Found 141.98.81.99 - 2020-06-01 19:11:33
2020-06-01 19:11:38,550 fail2ban.filter         [965]: INFO    [sshd] Found 141.98.81.108 - 2020-06-01 19:11:38
2020-06-01 19:11:43,017 fail2ban.filter         [965]: INFO    [sshd] Found 141.98.81.81 - 2020-06-01 19:11:43
2020-06-01 19:11:46,821 fail2ban.filter         [965]: INFO    [sshd] Found 141.98.81.83 - 2020-06-01 19:11:46
2020-06-01 19:11:48,743 fail2ban.filter         [965]: INFO    [sshd] Found 141.98.81.84 - 2020-06-01 19:11:48
2020-06-01 19:11:53,196 fail2ban.filter         [965]: INFO    [sshd] Found 141.98.81.107 - 2020-06-01 19:11:52
2020-06-01 19:11:54,879 fail2ban.filter         [965]: INFO    [sshd] Found 141.98.81.108 - 2020-06-01 19:11:54
2020-06-01 19:11:57,882 fail2ban.filter         [965]: INFO    [sshd] Found 141.98.81.81 - 2020-06-01 19:11:57
2020-06-01 19:36:51,949 fail2ban.filter         [965]: INFO    [sshd] Found 141.98.9.157 - 2020-06-01 19:36:51
2020-06-01 19:36:55,344 fail2ban.filter         [965]: INFO    [sshd] Found 141.98.9.159 - 2020-06-01 19:36:55
2020-06-01 19:37:00,928 fail2ban.filter         [965]: INFO    [sshd] Found 141.98.9.160 - 2020-06-01 19:37:00
2020-06-01 19:37:02,939 fail2ban.filter         [965]: INFO    [sshd] Found 141.98.9.161 - 2020-06-01 19:37:02
2020-06-01 19:37:08,096 fail2ban.filter         [965]: INFO    [sshd] Found 141.98.9.137 - 2020-06-01 19:37:08
2020-06-01 19:37:10,234 fail2ban.filter         [965]: INFO    [sshd] Found 141.98.9.157 - 2020-06-01 19:37:10
2020-06-01 19:37:16,996 fail2ban.filter         [965]: INFO    [sshd] Found 141.98.9.160 - 2020-06-01 19:37:16
2020-06-01 19:37:20,521 fail2ban.filter         [965]: INFO    [sshd] Found 141.98.9.161 - 2020-06-01 19:37:20
2020-06-01 19:37:24,323 fail2ban.filter         [965]: INFO    [sshd] Found 141.98.9.156 - 2020-06-01 19:37:24
2020-06-01 19:37:28,068 fail2ban.filter         [965]: INFO    [sshd] Found 141.98.9.137 - 2020-06-01 19:37:28
2020-06-01 20:26:39,478 fail2ban.filter         [965]: INFO    [wordpress-hard] Found 73.96.174.243 - 2020-06-01 20:26:39
2020-06-01 20:26:39,536 fail2ban.actions        [965]: NOTICE

Before doing that, I deployed monthly updates, which happens via Laravel Forge. It does this via the following:

cd /home/forge/www.example.com
git pull origin master
composer install --no-interaction --prefer-dist --optimize-autoloader --no-dev
echo "" | sudo -S service php7.3-fpm reload

And that all happens from a Forge IP, so shouldn’t bother me any. Then I simply went to example.com/wp-admin to try and log in. The login form appeared, but all stylesheets and JS were broken (I assume due to the ban – I never even put in a username/password). Upon refresh, I was blocked entirely.

Should I verify that the fail2ban confs are up-to-date? I don’t know how often you change those.

Also, once I’m unbanned, I can log in without issue.

wp-fail2ban · 27 June 2020 05:19

OK, so it looks like something is triggering one of the hard rules.

The first step is to look in the other logs to see which event is triggering the block - without that it’s impossible even to guess what’s going on.

brianshim · 29 July 2020 17:42

Just FYI, I am having a similar problem.

After installing V4.2.8 on a Multisite, I would be able to log in, but a few days later I’d be locked out. I had the same fail2ban rules as a bunch of regular WP sites on the same server, and they never had this problem. I uninstalled it on my multisite.

I tried installing 4.3.0.4 on that same Multisite since the release notes mentioned Multisite support. This time, I was immediately locked out of the login page after installation. I uninstalled it.

Note, I’m running on Gridpane.

wp-fail2ban · 30 July 2020 01:41

Thanks for letting me know.

Unfortunately, until someone with this problem shows me the log entries that caused the issue I can only guess - I cannot reproduce it locally.

The new “last 5 messages” widget in 4.3 should make this easy - any chance you could reproduce the problem and share the messages?

wp-fail2ban · 9 September 2020 15:23

I believe this was fixed in 4.3.0.5 - feel free to post here if you’re still having issues.

brianshim · 10 September 2020 19:31

I have not had the problem with V4.3.0.5 so far! Very encouraging. I’ll let you know if this changes.

brianshim · 22 September 2020 17:54

Haven’t had the problem in almost two weeks. I’d say this is fixed!

Many thanks for your work!