=== Plugin Name ===
Contributors: mrrotella
Donate link: https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=8N6D7LHAUYNQA
Tags: authentication logger, fail2ban, brute force, xmlrpc hack, security, syslog, login, pingback
Requires at least: 3.5.1
Tested up to: 4.4
Stable tag: 1.0.1
License: GPLv2 or later
License URI: http://www.gnu.org/licenses/gpl-2.0.html

This plugin logs failed access attempts and invalid pingback requests.

== Description ==

This plugin logs failed access attempts (brute-force attacks) and invalid pingback requests (made through xmlrpc.php). Very useful for processing the data with fail2ban.

= You can write errors to =

1. SYSLOG
2. APACHE ERROR_LOG
3. CUSTOM: a custom error log file (the path used must be writable, otherwise the Apache error log will be used)

= Log examples =

* SYSLOG

Dec 17 14:21:02 webserver wordpress(`SERVER_HTTP_HOST`)[2588]: Authentication failure on [`WORDPRESS_SITE_NAME`] for `USED_LOGIN` from `111.222.333.444`

Dec 17 14:21:02 webserver wordpress(`SERVER_HTTP_HOST`)[2588]: Pingback error `IXR_ERROR_CODE` generated on [`WORDPRESS_SITE_NAME`] from `111.222.333.444`

* APACHE

[Thu Dec 17 14:23:33.662339 2015] [:error] [pid 2580:tid 140001350244096] [client 111.222.333.444:52599] wordpress(`SERVER_HTTP_HOST`) Authentication failure on [`WORDPRESS_SITE_NAME`] for `USED_LOGIN` from `111.222.333.444`, referer: SITE_ADDRESS/wp-login.php

[Thu Dec 17 14:23:33.662339 2015] [:error] [pid 2580:tid 140001350244096] [client 111.222.333.444:52599] wordpress(`SERVER_HTTP_HOST`) Pingback error `IXR_ERROR_CODE` generated on [`WORDPRESS_SITE_NAME`] from `111.222.333.444`, referer: SITE_ADDRESS/xmlrpc.php

* CUSTOM

[Thu Dec 17 14:25:34.000000 2015] wordpress(`SERVER_HTTP_HOST`) Authentication failure on [`WORDPRESS_SITE_NAME`] for `USED_LOGIN` from `111.222.333.444`

[Thu Dec 17 14:25:34.000000 2015] wordpress(`SERVER_HTTP_HOST`) Pingback error `IXR_ERROR_CODE` generated on [`WORDPRESS_SITE_NAME`] from `111.222.333.444`

= fail2ban configuration =

See the FAQ section.

== Installation ==

= Minimum Requirements =

* WordPress 3.5 or greater
* PHP version 4 or greater

= Automatic installation =

Automatic installation is the easiest option as WordPress handles the file transfers itself and you don't need to leave your web browser. To do an automatic install of "authentication and xmlrpc log writer", log in to your WordPress dashboard, navigate to the Plugins menu and click Add New.

In the search field type "authentication and xmlrpc log writer" and click Search Plugins. Once you've found our plugin you can view details about it such as the point release, rating and description. Most importantly of course, you can install it by simply clicking "Install Now".

= Manual installation =

1. Upload `authentication-and-xmlrpc-log-writer.php` to the `/wp-content/plugins/` directory or install via zip
2. Activate the plugin through the 'Plugins' menu in WordPress

== Frequently Asked Questions ==

= How can I configure the plugin? =

You can define the options in the first few lines of the file authentication-and-xmlrpc-log-writer.php

* **SP4_ERROR_TYPE**: defines the error type. **Options:** SYSTEM -> write to SYSLOG; APACHE -> write to the APACHE ERROR LOG; CUSTOM -> write to the log file defined by the SP4_AUTHENTICATION_ERROR_LOG_PATH constant
* **SP4_AUTHENTICATION_ERROR_LOG_NAME**: error log file name (only in CUSTOM mode), e.g. sites_auth_errors.log
* **SP4_AUTHENTICATION_ERROR_LOG_PATH**: absolute path of the error log file (only in CUSTOM mode), e.g. /your/error/path/logs/
* **SP4_AUTHENTICATION_ERROR_LOG_TIMEZONE**: time zone to use (only if the WordPress function current_time() does not exist), e.g. Europe/Rome

= How can I configure fail2ban to work with this log? =

1. Create a new filter called **wp-auth-and-xmlrpc.conf** in the **/filter.d** path of fail2ban
2. Filter content:

    [Definition]
    failregex = ^.*Authentication failure on .* from <HOST>.*$
                ^.*Pingback error .* generated on .* from <HOST>.*$
    ignoreregex =

3. Create a new jail called **wp-auth-and-xmlrpc.conf** in the **/jail.d** path of fail2ban
4. Jail content:

    [wp-auth-and-xmlrpc]
    enabled = true
    logpath = /storage/www/logs/sites_auth_errors.log
    maxretry = 5
    bantime = 600
    findtime = 60
    filter = wp-auth-and-xmlrpc
    action = %(action_mwl)s

    **logpath must exist before the jail is activated and must be the same path used by this plugin**

5. Reload or restart `fail2ban`

== Changelog ==

= 1.0.1 =

* Added fail2ban config instructions to readme.

= 1.0.0 =

* Release version.
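
== Testing the fail2ban filter ==

The script below is an added example, not part of the plugin or of fail2ban. It replays constructed CUSTOM-format log lines through the two failure expressions from the FAQ, with fail2ban's `<HOST>` tag in the position of the client address, and applies the jail's `maxretry = 5` / `findtime = 60` thresholds. Assumptions: `<HOST>` is replaced by a simplified IPv4 pattern, fail2ban's own date handling is replaced by a small timestamp parser, and the site name, login names, error code and addresses are made up.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: simplified IPv4-only stand-in for fail2ban's <HOST> tag.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAILREGEX = [re.compile(p.replace("<HOST>", HOST)) for p in (
    r"^.*Authentication failure on .* from <HOST>.*$",
    r"^.*Pingback error .* generated on .* from <HOST>.*$",
)]
MAXRETRY, FINDTIME = 5, timedelta(seconds=60)  # maxretry / findtime from the jail
STAMP = re.compile(r"^\[(\w{3} \w{3} +\d+ [\d:.]+ \d{4})\]")

def parse(line):
    """Return (timestamp, host) for a CUSTOM-format failure line, else None."""
    stamp = STAMP.match(line)
    hit = next((m for m in (r.match(line) for r in FAILREGEX) if m), None)
    if not (stamp and hit):
        return None
    when = datetime.strptime(stamp.group(1), "%a %b %d %H:%M:%S.%f %Y")
    return when, hit.group("host")

def hosts_to_ban(lines):
    """Hosts that reach MAXRETRY failures inside one FINDTIME window."""
    recent, banned = defaultdict(deque), []
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        when, host = parsed
        window = recent[host]
        window.append(when)
        while when - window[0] > FINDTIME:   # drop failures older than findtime
            window.popleft()
        if len(window) >= MAXRETRY and host not in banned:
            banned.append(host)
    return banned

def sample_log():
    """Constructed lines in the plugin's CUSTOM format (not real traffic)."""
    fmt = "[Thu Dec 17 14:25:{:02d}.000000 2015] wordpress(example.test) {}"
    auth = "Authentication failure on [Example] for {} from {}"
    lines = [fmt.format(s, auth.format("admin", "203.0.113.5")) for s in range(0, 50, 10)]
    lines.append(fmt.format(51, "Pingback error 17 generated on [Example] from 198.51.100.7"))
    # Login text that itself contains " from <address>": the last address is captured.
    lines.append(fmt.format(52, auth.format("a from 192.0.2.1 ", "198.51.100.7")))
    lines.append(fmt.format(53, "some unrelated message"))
    return lines

if __name__ == "__main__":
    print(hosts_to_ban(sample_log()))
```

The same check can be made against the real log with fail2ban's bundled `fail2ban-regex` tool, passing the log file and the filter file as its two arguments.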