4.2. Logging
The key concept behind WPf2b is logging Events to syslog. If WPf2b doesn’t log an Event, or logs it to the wrong place, fail2ban won’t work as it should. If in doubt go with the defaults - they should work for most systems, and once you understand how the pieces fit together you can revisit this.
4.2.1. Choosing the Events to Log
If you’re unfamiliar with fail2ban and syslog I recommend not enabling any extra logging to start with - skip ahead to configuring fail2ban. WPf2b automatically handles the most important things with sensible defaults that should work for most systems.
4.2.2. Advanced Users
4.2.2.1. Events
Over the years WPf2b has accumulated a lot of logging ability (and there’s even more on the way):
Event | Reference |
---|---|
Auth OK | WP_FAIL2BAN_AUTH_LOG |
Auth Fail | WP_FAIL2BAN_AUTH_LOG |
Blocked User | WP_FAIL2BAN_BLOCKED_USERS |
Blocked User Enumeration | WP_FAIL2BAN_BLOCK_USER_ENUMERATION |
Blocked Username Login | WP_FAIL2BAN_BLOCK_USERNAME_LOGIN |
Comment | WP_FAIL2BAN_LOG_COMMENTS |
Comment: Spam | WP_FAIL2BAN_LOG_SPAM |
Attempted Comment: Post not found | WP_FAIL2BAN_LOG_COMMENTS_EXTRA |
Attempted Comment: Closed post | WP_FAIL2BAN_LOG_COMMENTS_EXTRA |
Attempted Comment: Trash post | WP_FAIL2BAN_LOG_COMMENTS_EXTRA |
Attempted Comment: Draft post | WP_FAIL2BAN_LOG_COMMENTS_EXTRA |
Attempted Comment: Password-protected post | WP_FAIL2BAN_LOG_COMMENTS_EXTRA |
Pingback | WP_FAIL2BAN_LOG_PINGBACKS |
Pingback error | WP_FAIL2BAN_PINGBACK_ERROR_LOG |
You should consider enabling Comment: Spam and Attempted Comment: Closed post, and, if you don’t use WordPress’s commenting system at all, you should enable all the Attempted Comment Events.
4.2.2.2. Facilities
By default, WPf2b uses the following syslog Facilities and Levels:
What | Default | Level |
---|---|---|
Auth OK | LOG_AUTH | INFO |
Auth Fail | LOG_AUTH | NOTICE |
Blocked User | LOG_AUTH | NOTICE |
Blocked User Enum | LOG_AUTH | NOTICE |
Comment | LOG_USER | INFO |
Comment: Spam | LOG_AUTH | NOTICE |
Comment: Post not found | LOG_AUTH | NOTICE |
Comment: Closed post | LOG_AUTH | NOTICE |
Comment: Trash post | LOG_AUTH | NOTICE |
Comment: Draft post | LOG_AUTH | NOTICE |
Comment: Password-protected post | LOG_AUTH | NOTICE |
Pingback | LOG_USER | INFO |
Pingback error | LOG_AUTH | NOTICE |
Unfortunately, there is no way of knowing a priori which Facility goes where. There is a table of default locations in the Logfile Reference for various OSs; if you’re running something not listed there and you know where the various Facilities go, please either submit a PR on GitHub, or let me know in the forum.
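On a system that uses rsyslog-style selector rules, you can work out where a Facility and Level pair from the table above ends up by reading the rules themselves. The following is an added example, not part of WPf2b or its documentation: the function names are hypothetical, the sample rules are constructed, and only a simplified subset of the selector syntax is handled (`*`, `none`, `=level`, comma lists and level thresholds). LOG_AUTH and LOG_USER correspond to the `auth` and `user` facility names.

```python
import re

# syslog severities, least to most severe; "facility.level" matches that level and above
LEVELS = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]

# Constructed sample in the style of a Debian-like rsyslog rule file (an assumption;
# read your own /etc/rsyslog.conf and /etc/rsyslog.d/*.conf instead).
SAMPLE_RULES = """
# constructed sample
auth,authpriv.*                 /var/log/auth.log
*.*;auth,authpriv.none          -/var/log/syslog
user.*                          -/var/log/user.log
mail.=info                      /var/log/mail.info
"""

def selector_matches(selector, facility, level):
    """Return True/False if the selector decides, None if it doesn't name the facility."""
    facs, _, prio = selector.partition(".")
    if facs != "*" and facility not in facs.split(","):
        return None
    if prio == "none":
        return False
    if prio == "*":
        return True
    if prio.startswith("="):
        return LEVELS.index(prio[1:]) == LEVELS.index(level)
    return LEVELS.index(level) >= LEVELS.index(prio)

def destinations(rules, facility, level):
    """List the files a facility.level message is written to under these rules."""
    out = []
    for line in rules.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = re.split(r"\s+", line, maxsplit=1)
        if len(parts) != 2 or not parts[1].lstrip("-").startswith("/"):
            continue  # skip blanks, directives, and non-file actions
        matched = False
        for sel in parts[0].split(";"):  # later selectors override earlier ones
            verdict = selector_matches(sel, facility, level)
            if verdict is not None:
                matched = verdict
        if matched:
            out.append(parts[1].lstrip("-"))
    return out

if __name__ == "__main__":
    for what, fac, lvl in [("Auth Fail", "auth", "notice"), ("Comment", "user", "info")]:
        print(what, "->", destinations(SAMPLE_RULES, fac, lvl))
```

With the sample rules, Auth Fail (LOG_AUTH, NOTICE) lands only in /var/log/auth.log, while Comment (LOG_USER, INFO) lands in /var/log/syslog and /var/log/user.log; the file reported for an Event is the one fail2ban needs to read.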