4.2. Logging

The key concept behind WPf2b is logging Events to syslog. If WPf2b doesn’t log an Event, or logs it to the wrong place, fail2ban won’t work as it should. If in doubt, go with the defaults; they should work for most systems, and once you understand how the pieces fit together you can revisit this.

4.2.1. Choosing the Events to Log

If you’re unfamiliar with fail2ban and syslog, I recommend not enabling any extra logging to start with; skip ahead to configuring fail2ban. WPf2b automatically handles the most important things with sensible defaults that should work for most systems.

4.2.2. Advanced Users

4.2.2.1. Events

Over the years WPf2b has accumulated a lot of logging ability (and there’s even more on the way):

Event                                         Reference
Auth OK                                       WP_FAIL2BAN_AUTH_LOG
Auth Fail
Blocked User                                  WP_FAIL2BAN_BLOCKED_USERS
Blocked User Enumeration                      WP_FAIL2BAN_BLOCK_USER_ENUMERATION
Blocked Username Login                        WP_FAIL2BAN_BLOCK_USERNAME_LOGIN
Comment                                       WP_FAIL2BAN_LOG_COMMENTS
Comment: Spam                                 WP_FAIL2BAN_LOG_SPAM
Attempted Comment: Post not found             WP_FAIL2BAN_LOG_COMMENTS_EXTRA
Attempted Comment: Closed post                WP_FAIL2BAN_LOG_COMMENTS_EXTRA
Attempted Comment: Trash post                 WP_FAIL2BAN_LOG_COMMENTS_EXTRA
Attempted Comment: Draft post                 WP_FAIL2BAN_LOG_COMMENTS_EXTRA
Attempted Comment: Password-protected post    WP_FAIL2BAN_LOG_COMMENTS_EXTRA
Pingback                                      WP_FAIL2BAN_LOG_PINGBACKS
Pingback error                                WP_FAIL2BAN_PINGBACK_ERROR_LOG

You should consider enabling Comment: Spam and Attempted Comment: Closed post, and, if you don’t use WordPress’s commenting system at all, you should enable all the Attempted Comment Events.

4.2.2.2. Facilities

By default, WPf2b uses the following syslog Facilities and Levels:

What                                Default     Level
Auth OK                             LOG_AUTH    INFO
Auth Fail                                       NOTICE
Blocked User
Blocked User Enum
Comment                             LOG_USER    INFO
Comment: Spam                       LOG_AUTH    NOTICE
Comment: Post not found
Comment: Closed post
Comment: Trash post
Comment: Draft post
Comment: Password-protected post
Pingback                            LOG_USER    INFO
Pingback error                      LOG_AUTH    NOTICE

Unfortunately, there is no way of knowing a priori which Facility goes where. There is a table of default locations of Logfiles for various OSs; if you’re running something not listed there and you know where the various Facilities go, please either submit a PR on GitHub, or let me know in the forum.
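
On a system that is not in that table, the routing can be read from the syslog daemon's own rules. The following is an added example, not part of WPf2b: it assumes traditional `facility.priority  action` selector rules, uses a constructed sample rules file, and its function names (`selector_matches`, `destinations`) are hypothetical. `auth` and `user` are the selector keywords for LOG_AUTH and LOG_USER.

```python
# Added example: which files receive a syslog facility.level under
# traditional selector rules ("facility.priority  action").
LEVELS = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}

# Constructed sample, modelled on a Debian-style rsyslog rules file (assumption).
SAMPLE_RULES = """\
auth,authpriv.*                 /var/log/auth.log
*.*;auth,authpriv.none          -/var/log/syslog
kern.*                          -/var/log/kern.log
*.emerg                         :omusrmsg:*
"""

def selector_matches(selector, facility, level):
    """True/False if the selector includes/excludes the message, None if it does not apply."""
    facs, _, prio = selector.rpartition(".")
    names = facs.split(",")
    if "*" not in names and facility not in names:
        return None
    if prio == "none":
        return False
    if prio == "*":
        return True
    prio = ALIASES.get(prio, prio)
    if prio not in LEVELS:
        return None  # "=" and "!" modifiers are not handled here
    return LEVELS.index(level) >= LEVELS.index(prio)

def destinations(rules_text, facility, level):
    """List the log files that receive facility.level under these rules."""
    files = []
    for line in rules_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0].startswith(("#", "$")):
            continue
        action = parts[1].strip().lstrip("-")  # leading "-" only disables sync
        if not action.startswith("/"):
            continue  # only plain file actions can be a fail2ban logpath
        verdict = False
        for sel in parts[0].split(";"):  # later selectors override earlier ones
            result = selector_matches(sel, facility, level)
            if result is not None:
                verdict = result
        if verdict:
            files.append(action)
    return files

if __name__ == "__main__":
    print(destinations(SAMPLE_RULES, "auth", "notice"))  # LOG_AUTH / NOTICE
    print(destinations(SAMPLE_RULES, "user", "info"))    # LOG_USER / INFO
```

With the sample rules, LOG_AUTH Events and LOG_USER Events land in different files, so a fail2ban jail pointed at only one of them would miss the other.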