WordPress xmlrpc.php bruteforce mitigation

With cpcmd config:get apache.evasive-wordpress-filter enabled I expected that POST requests would be significantly restricted. However in the access logs I am seeing that this is not the case - there are 19,000 successful xmlrpc.php post requests for today from this IP address:

119.29.142.151 mywebsite.org - [31/Jul/2021:08:03:32 -0500] "POST /xmlrpc.php HTTP/1.1" 200 206 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.29.142.151 mywebsite.org - [31/Jul/2021:08:03:34 -0500] "POST /xmlrpc.php HTTP/1.1" 200 206 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.29.142.151 mywebsite.org - [31/Jul/2021:08:03:35 -0500] "POST /xmlrpc.php HTTP/1.1" 200 206 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.29.142.151 mywebsite.org - [31/Jul/2021:08:03:37 -0500] "POST /xmlrpc.php HTTP/1.1" 200 206 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.29.142.151 mywebsite.org - [31/Jul/2021:08:03:39 -0500] "POST /xmlrpc.php HTTP/1.1" 200 206 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.29.142.151 mywebsite.org - [31/Jul/2021:08:03:51 -0500] "POST /xmlrpc.php HTTP/1.1" 200 206 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.29.142.151 mywebsite.org - [31/Jul/2021:08:03:56 -0500] "POST /xmlrpc.php HTTP/1.1" 200 206 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.29.142.151 mywebsite.org - [31/Jul/2021:08:03:57 -0500] "POST /xmlrpc.php HTTP/1.1" 200 206 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.29.142.151 mywebsite.org - [31/Jul/2021:08:04:26 -0500] "POST /xmlrpc.php HTTP/1.1" 200 206 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.29.142.151 mywebsite.org - [31/Jul/2021:08:04:27 -0500] "POST /xmlrpc.php HTTP/1.1" 200 206 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.29.142.151 mywebsite.org - [31/Jul/2021:08:04:32 -0500] "POST /xmlrpc.php HTTP/1.1" 200 206 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.29.142.151 mywebsite.org - [31/Jul/2021:08:04:35 -0500] "POST /xmlrpc.php HTTP/1.1" 200 206 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.29.142.151 mywebsite.org - [31/Jul/2021:08:04:36 -0500] "POST /xmlrpc.php HTTP/1.1" 200 206 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.29.142.151 mywebsite.org - [31/Jul/2021:08:04:37 -0500] "POST /xmlrpc.php HTTP/1.1" 200 206 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"

The error log shows 5 errors related to this IP address due to rejection related to server configuration. But the rest of the requests are successful.

Fortification is set to minimum for most of my wordpress installs since many plugins are incompatible with Max fortification - I’m not sure that this would have anything to do with the apache.evasive-wordpress-filter setting.

Here is some fail2ban activity surrounding this address - but I’m still not sure I understand how 19,000 requests would come through successfully with the restrictions in place:

Sounds like you’ve got that IP address whitelisted either in ipset or in iptables.

ipset list whitelist
ipset list ignorelist

Name: whitelist
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 376
References: 1
Number of entries: 0
Members:

Name: ignorelist
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 376
References: 1
Number of entries: 0
Members:

Is there anything relevant in /var/log/fail2ban.log around the ban events?

grep -B5 -A5 119.29.142.151 /var/log/fail2ban.log

You should be able to simulate a proper ban with,

fail2ban-client set evasive banip 1.2.3.4

Then the entry will appear in the f2b-evasive ipset,

ipset list f2b-evasive

Likewise trying to access the site via cURL would fail. There’s a remote possibility the attacker kept a TCP connection open and continued to spam requests. The above should help deduce what’s going on.

ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED,DNAT would allow circumvention in such situation. If so a RST is needed to drop the connection once banned.

Do you see this pattern from other IP addresses or just 119.29.142.151?

You can temporarily ban your IP to reject HTTP connections to confirm. To remove the ban, fail2ban-client set evasive unbanip 1.2.3.4
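To see why an already-open connection slips past a freshly added ipset entry, here is a small first-match-wins evaluator over constructed `iptables -S INPUT` output. It is an added example, not apisCP's ruleset or fail2ban's code; the chain contents, the interface name and the `f2b-evasive` membership are assumptions chosen to mirror the ACCEPT ... ctstate RELATED,ESTABLISHED,DNAT rule quoted above.

```python
"""Why a new ipset entry does not stop an attacker who already holds an open
TCP connection: a first-match-wins walk over `iptables -S` style rules.
Added example, not apisCP's ruleset; both dumps below are constructed."""
import shlex

# Constructed `iptables -S INPUT` output: the conntrack shortcut comes first,
# the fail2ban set match only later (assumed layout, mirroring the thread).
RULES_ESTABLISHED_FIRST = """
-P INPUT DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED,DNAT -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m set --match-set f2b-evasive src -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
"""
# Same rules with the ban check hoisted above the conntrack shortcut.
RULES_BAN_FIRST = """
-P INPUT DROP
-A INPUT -m set --match-set f2b-evasive src -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED,DNAT -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
"""


def parse_rules(dump, chain="INPUT"):
    """Return (policy, [rule dicts]) for one chain. Each rule keeps only the
    matches this evaluator understands: ctstate, match-set (src), dports, -i."""
    policy, rules = "ACCEPT", []
    for line in dump.strip().splitlines():
        argv = shlex.split(line)
        if argv[:2] == ["-P", chain]:
            policy = argv[2]
        elif argv[:2] == ["-A", chain]:
            rule = {"target": argv[argv.index("-j") + 1]}
            if "--ctstate" in argv:
                rule["ctstate"] = set(argv[argv.index("--ctstate") + 1].split(","))
            if "--match-set" in argv:
                i = argv.index("--match-set")
                rule["set"], rule["set_dir"] = argv[i + 1], argv[i + 2]
            if "--dports" in argv:
                rule["dports"] = {int(p) for p in argv[argv.index("--dports") + 1].split(",")}
            if "-i" in argv:
                rule["iif"] = argv[argv.index("-i") + 1]
            rules.append(rule)
    return policy, rules


def verdict(dump, src, dport, ctstate, ipsets, iif="eth0"):
    """First-match-wins walk of the chain for a packet from `src` to `dport`
    whose conntrack state is `ctstate`; `ipsets` maps set name -> members."""
    policy, rules = parse_rules(dump)
    for r in rules:
        if "ctstate" in r and ctstate not in r["ctstate"]:
            continue
        if "set" in r and (r["set_dir"] != "src" or src not in ipsets.get(r["set"], set())):
            continue
        if "dports" in r and dport not in r["dports"]:
            continue
        if "iif" in r and iif != r["iif"]:
            continue
        return r["target"]
    return policy


def after_ban(dump, attacker, connection_killed):
    """Verdict for the attacker's next HTTPS request once fail2ban has added it
    to f2b-evasive. Without a kill the packet is still ESTABLISHED; after
    `ss --kill` the client has to reconnect, so its SYN is NEW."""
    state = "NEW" if connection_killed else "ESTABLISHED"
    return verdict(dump, attacker, 443, state, {"f2b-evasive": {attacker}})


if __name__ == "__main__":
    bot = "203.0.113.7"  # constructed attacker address
    for name, dump in (("established-first", RULES_ESTABLISHED_FIRST),
                       ("ban-first", RULES_BAN_FIRST)):
        print(f"{name}: open connection -> {after_ban(dump, bot, False)}, "
              f"after kill -> {after_ban(dump, bot, True)}")
```

With the conntrack ACCEPT ahead of the set match, the banned host keeps getting ACCEPT for as long as it holds its socket open and only sees REJECT once its next packet is NEW; with the set match hoisted first, both cases are rejected. Killing the connection after the ipset add, as the `ss --kill` action later in this thread does, reaches the same result without reordering the firewall.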

I didn’t see any related events surrounding those ban events. It is not just isolated to that IP address.

Here is the ipset f2b evasive output:

>>> ipset list f2b-evasive
Name: f2b-evasive
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 0
Size in memory: 120
References: 1
Number of entries: 0
Members:

>>> fail2ban-client set evasive banip 1.2.3.4
1

>>>  ipset list f2b-evasive
Name: f2b-evasive
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 0
Size in memory: 216
References: 1
Number of entries: 1
Members:
1.2.3.4 timeout 0

I’ll try testing with my own IP address to confirm that it is working. But, from what I can see that was the only address registered in the ipset which seems odd

What would you recommend for blocking period, etc? The settings seem pretty light.

I guess the IP 119.29.142.151 is on the Rampart blacklist. There are only 623 addresses registered on the Rampart blacklist. Is there a way to create a more swift and permanent ban for these attackers?

It’s a temporary 429 status that emits a log to /var/log/messages. fail2ban reads that and persists the ban if not whitelisted. That 10 second throttle only comes into play if the IP is whitelisted. You can make the duration longer, but that’s not the primary protection - fail2ban is.

For fail2ban, configure the evasive jail to set limits for how long those bans last (120 seconds, f2b_evasive_bantime) and how many times the limit has to be reached (1, f2b_evasive_maxretry). As for any violation, 5 repeats in 12 hours results in a 10-day ban.

cpcmd scope:set f2b_recidive_bantime 2592000
upcp -sb fail2ban/configure-jails

For the connections that are exceeding the xmlrpc.php limit, do they all have the same user agent?
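To make the findtime / maxretry / bantime windows and the recidive escalation concrete, here is a toy model in Python that runs the same windowing over constructed access-log lines in the format shown above. It is an added example, not apisCP's evasive filter (which, as stated above, reacts to the 429 entries in /var/log/messages rather than the access log) and not fail2ban's code; the IPs, timestamps and thresholds (5 hits in 60 s for a 120 s ban, 5 bans in 12 h for a 10-day ban) are assumptions.

```python
"""Toy model of fail2ban's findtime / maxretry / bantime windows and the
evasive -> recidive escalation. Added example, not apisCP's or fail2ban's own
code; the log lines are constructed from the pattern in the thread and the
addresses are documentation ranges."""
import re
from datetime import datetime, timedelta, timezone

# Apache combined log with a vhost field, as in the thread:
#   IP HOST - [TS] "METHOD PATH PROTO" STATUS BYTES "REFERER" "UA"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<host>\S+) \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LINE_FMT = ('{ip} {host} - [{ts}] "POST {path} HTTP/1.1" {status} 206 "-" '
            '"Apache-HttpClient/4.5.2 (Java/1.8.0_151)"')
T0 = datetime(2021, 7, 31, 8, 0, 0, tzinfo=timezone(timedelta(hours=-5)))  # constructed


def parse_line(line):
    """Return a dict with ip, host, ts (aware datetime), method, path, status."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def xmlrpc_hits(lines):
    """(ts, ip) for every POST aimed at xmlrpc.php. The path is normalised so
    the '//xmlrpc.php' form seen in the thread matches too. Every status
    counts: a 301 or 403 is still an attempt the bot made."""
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and \
                rec["path"].split("?", 1)[0].lstrip("/") == "xmlrpc.php":
            yield rec["ts"], rec["ip"]


def ban_events(hits, findtime, maxretry, bantime):
    """Simulate one jail. A ban fires when an IP accumulates maxretry hits
    inside findtime seconds; hits arriving while the IP is banned are ignored
    (fail2ban logs those as 'already banned'). Returns [(ts, ip), ...]."""
    window, banned_until, bans = {}, {}, []
    for ts, ip in sorted(hits):
        if ip in banned_until and ts < banned_until[ip]:
            continue
        recent = [t for t in window.get(ip, []) if ts - t <= timedelta(seconds=findtime)]
        recent.append(ts)
        window[ip] = recent
        if len(recent) >= maxretry:
            bans.append((ts, ip))
            banned_until[ip] = ts + timedelta(seconds=bantime)
            window[ip] = []
    return bans


def constructed_log():
    """80 POSTs from one bot every 10 s, plus 3 redirected POSTs from a second host."""
    lines = [LINE_FMT.format(ip="203.0.113.7", host="mywebsite.org",
                             ts=(T0 + timedelta(seconds=10 * i)).strftime(TS_FMT),
                             path="/xmlrpc.php", status=200) for i in range(80)]
    lines += [LINE_FMT.format(ip="198.51.100.9", host="www.mywebsite.org",
                              ts=(T0 + timedelta(seconds=5 + 30 * i)).strftime(TS_FMT),
                              path="//xmlrpc.php", status=301) for i in range(3)]
    return lines


def demo(evasive=(60, 5, 120), recidive=(43200, 5, 864000)):
    """Two-stage pipeline: each evasive ban is fed to recidive as a 'hit'.
    Tuples are (findtime, maxretry, bantime) in seconds."""
    hits = list(xmlrpc_hits(constructed_log()))
    short_bans = ban_events(hits, *evasive)
    long_bans = ban_events(short_bans, *recidive)
    return hits, short_bans, long_bans


if __name__ == "__main__":
    hits, short_bans, long_bans = demo()
    print(f"{len(hits)} xmlrpc.php POSTs parsed")
    for ts, ip in short_bans:
        print(f"evasive  Ban {ip} at {ts:%H:%M:%S}")
    for ts, ip in long_bans:
        print(f"recidive Ban {ip} at {ts:%H:%M:%S}")
```

Running it reproduces the cycle visible in the fail2ban log later in the thread: a two-minute ban, hits during the ban discarded as already banned, a re-ban shortly after expiry, and after the fifth short ban a single long recidive ban for the same address, while the host that only sent three requests is never banned. Changing f2b_evasive_bantime or f2b_recidive_maxretry corresponds to changing the tuples passed to demo().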

For that particular IP address in the attack previously mentioned, it is using the same user agent.

There are other ones such as this that also repeatedly use the same agent:

82.102.18.50 mywebsite.org - [31/Jul/2021:14:25:51 -0500] "POST //xmlrpc.php HTTP/2.0" 200 225 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"

Thanks for all of the good f2b info, it is very helpful.

Give this a go from fail2ban/fail2ban #2107,

Edit /etc/fail2ban/action.d/firewallcmd-ipset.conf. Modify actionban to:

actionban = ipset add <ipmset> <ip> timeout <bantime> -exist
            ss --no-header --numeric --kill dst <ip>

systemctl restart fail2ban

Does that properly clip the connections? FWIW I found evidence of HTTP connections blazing through after exceeding the threshold in fail2ban as well.

Thanks for sharing your findings. I’ve made the change and will check on my logs later today to see if it clips it.

After making the previously mentioned change, I tried using evasive to manually ban an IP just to check if there was any change in functionality. I noticed that Number of entries: remains 0.


I reverted back to actionban = ipset add <ipmset> <ip> timeout <ipsettime> -exist and found that Number of entries: becomes 1 as expected.

I don’t have the bantime setting in that file. but I do have ipsettime. Should I use ipsettime instead?

Looks OK to me.

fail2ban-client get evasive actions
# The jail evasive has the following actions:
# firewallcmd-ipset-reset

fail2ban-client get evasive action firewallcmd-ipset-reset actionban
# ipset add <ipmset> <ip> timeout 0 -exist
# ss --no-header --numeric --kill dst <ip>
fail2ban-client set evasive banip 5.4.2.1
# 1
ipset list f2b-evasive | grep 5.4.2.1
# 5.4.2.1 timeout 0

firewallcmd-ipset-reset is an experimental action that I’m deploying locally. Roughly same process.

I am getting this error:

2021-08-02 15:13:32,025 fail2ban.filter         [770312]: INFO    [recidive] Found 5.4.2.1 - 2021-08-02 15:13:32
2021-08-02 15:13:32,031 fail2ban.utils          [770312]: ERROR   7fce43df9b70 -- exec: ipset add f2b-evasive 5.4.2.1 timeout 0 -exist ss --no-header --numeric --kill dst 5.4.2.1
2021-08-02 15:13:32,032 fail2ban.actions        [770312]: ERROR   Failed to execute ban jail 'evasive' action 'firewallcmd-ipset' info 'ActionInfo({'ip': '5.4.2.1', 'family': 'inet4', 'fid': <function Actions.ActionInfo.<lambda> at 0x7fce43db61e0>, 'raw-ticket': <function Actions.ActionInfo.<lambda> at 0x7fce43db6840>})': Error banning 5.4.2.1
2021-08-02 15:15:32,312 fail2ban.actions        [770312]: NOTICE  [evasive] Unban 5.4.2.1

Oh, it is the newline before ss that I was missing…
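The concatenated `exec:` line in the error above is exactly what a single-line actionban expands to. The following added example (not fail2ban's own config reader) renders both variants with Python's configparser, which treats an indented continuation line the same way fail2ban's reader does, and runs a minimal syntax check in place of a real `ipset add`; the tag table and the non-recursive substitution are simplifications of this toy.

```python
"""Render a fail2ban action.d `actionban` into the commands that would be run,
to show why the one-line edit fails and the two-line form works. Added example,
not fail2ban's parser; tag substitution is a plain <tag> replacement here."""
import configparser
import re
import shlex

# The two variants from the thread: the first is what a single-line edit yields,
# the second puts `ss` on its own continuation line (indented under actionban).
BROKEN = """
[Definition]
actionban = ipset add <ipmset> <ip> timeout <ipsettime> -exist ss --no-header --numeric --kill dst <ip>
"""
FIXED = """
[Definition]
actionban = ipset add <ipmset> <ip> timeout <ipsettime> -exist
            ss --no-header --numeric --kill dst <ip>
"""
# Assumed tag values matching the evasive jail output above (ipsettime 0 = no expiry).
TAGS = {"ipmset": "f2b-evasive", "ip": "5.4.2.1", "ipsettime": 0}
TAG_RE = re.compile(r"<([A-Za-z_][A-Za-z0-9_-]*)>")


def render_actionban(conf_text, tags):
    """One argv list per line of actionban, tags substituted. A tag missing from
    `tags` raises KeyError so the problem surfaces before anything executes."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    commands = []
    for line in cp.get("Definition", "actionban").splitlines():
        line = line.strip()
        if line:
            commands.append(shlex.split(TAG_RE.sub(lambda m: str(tags[m.group(1)]), line)))
    return commands


def ipset_add_ok(argv):
    """Syntax check mirroring `ipset add SET ENTRY [timeout N] [-exist]`.
    Any further tokens (such as a trailing `ss ...`) are what real ipset
    rejects, which fail2ban then reports as 'Error banning'."""
    if argv[:2] != ["ipset", "add"] or len(argv) < 4:
        return False
    rest, i = argv[4:], 0
    while i < len(rest):
        if rest[i] == "timeout" and i + 1 < len(rest) and rest[i + 1].isdigit():
            i += 2
        elif rest[i] == "-exist":
            i += 1
        else:
            return False
    return True


def plan(conf_text, tags=TAGS):
    """(commands, ok): ok only if every ipset command parses and the
    connection-killing `ss` call is a separate command of its own."""
    cmds = render_actionban(conf_text, tags)
    ipset_ok = all(ipset_add_ok(c) for c in cmds if c[0] == "ipset")
    has_kill = any(c[:1] == ["ss"] and "--kill" in c for c in cmds)
    return cmds, ipset_ok and has_kill


if __name__ == "__main__":
    for name, text in (("broken", BROKEN), ("fixed", FIXED)):
        cmds, ok = plan(text)
        print(f"{name}: {'OK' if ok else 'WOULD FAIL'}")
        for c in cmds:
            print("   ", shlex.join(c))
```

The broken form yields one argv whose trailing `ss ...` tokens fail the ipset check, the same shape as the `exec:` line in the error log; the fixed form yields two commands. In this toy a tag absent from the table (for instance <bantime> when only <ipsettime> is defined) is reported as a KeyError instead of being passed through to ipset.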

Hop on edge if not already, cpcmd scope:set cp.update-policy edge-major. Then run upcp

It’ll deploy the new changes I’ve described above. Looks like things are working as expected,

2021-08-02 15:16:33,880 fail2ban.jail           [22978]: INFO    Creating new jail 'evasive'
2021-08-02 15:16:33,881 fail2ban.jail           [22978]: INFO    Jail 'evasive' uses Gamin {}
2021-08-02 15:16:37,283 fail2ban.jail           [22978]: INFO    Jail 'evasive' started
2021-08-02 16:09:13,973 fail2ban.filter         [22978]: INFO    [evasive] Found 130.61.48.158 - 2021-08-02 16:09:12
2021-08-02 16:09:14,175 fail2ban.actions        [22978]: NOTICE  [evasive] Ban 130.61.48.158
2021-08-02 16:11:12,450 fail2ban.actions        [22978]: NOTICE  [evasive] Unban 130.61.48.158
/home/virtual/domain.com/var/log/httpd/access_log:130.61.48.158 domain.com - [02/Aug/2021:16:09:07 -0400] "GET / HTTP/1.1" 302 211 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4240.193 Safari/537.36"
/home/virtual/domain.com/var/log/httpd/access_log:130.61.48.158 domain.com - [02/Aug/2021:16:09:08 -0400] "GET / HTTP/1.1" 200 16467 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4240.193 Safari/537.36"
/home/virtual/domain.com/var/log/httpd/access_log:130.61.48.158 domain.com - [02/Aug/2021:16:09:08 -0400] "GET //wp-includes/wlwmanifest.xml HTTP/1.1" 200 1045 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4240.193 Safari/537.36"
/home/virtual/domain.com/var/log/httpd/access_log:130.61.48.158 domain.com - [02/Aug/2021:16:09:09 -0400] "GET //?author=1 HTTP/1.1" 301 - "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4240.193 Safari/537.36"
/home/virtual/domain.com/var/log/httpd/access_log:130.61.48.158 domain.com - [02/Aug/2021:16:09:09 -0400] "GET //?author=2 HTTP/1.1" 301 - "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4240.193 Safari/537.36"
/home/virtual/domain.com/var/log/httpd/access_log:130.61.48.158 domain.com - [02/Aug/2021:16:09:09 -0400] "GET //?author=3 HTTP/1.1" 301 - "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4240.193 Safari/537.36"
/home/virtual/domain.com/var/log/httpd/access_log:130.61.48.158 domain.com - [02/Aug/2021:16:09:09 -0400] "GET //wp-json/wp/v2/users/ HTTP/1.1" 200 318 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4240.193 Safari/537.36"
/home/virtual/domain.com/var/log/httpd/access_log:130.61.48.158 domain.com - [02/Aug/2021:16:09:10 -0400] "POST //xmlrpc.php HTTP/1.1" 200 447 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4240.193 Safari/537.36"
/home/virtual/domain.com/var/log/httpd/access_log:130.61.48.158 domain.com - [02/Aug/2021:16:09:11 -0400] "POST //xmlrpc.php HTTP/1.1" 200 447 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4240.193 Safari/537.36"
/home/virtual/domain.com/var/log/httpd/access_log:130.61.48.158 domain.com - [02/Aug/2021:16:09:11 -0400] "POST //xmlrpc.php HTTP/1.1" 200 447 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4240.193 Safari/537.36"
/home/virtual/domain.com/var/log/httpd/access_log:130.61.48.158 domain.com - [02/Aug/2021:16:09:12 -0400] "POST //xmlrpc.php HTTP/1.1" 200 447 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4240.193 Safari/537.36"
/home/virtual/domain.com/var/log/httpd/access_log:130.61.48.158 domain.com - [02/Aug/2021:16:09:12 -0400] "POST //xmlrpc.php HTTP/1.1" 403 199 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4240.193 Safari/537.36"

I’m digging into my logs now. A bot is continuously getting requests through in this way using 301 redirects from the “www”:

An occasional 403 pops up, but the users requests seem to be flowing through without any issue.

119.45.240.155 www.domain.org - [02/Aug/2021:17:05:51 -0500] "POST /xmlrpc.php HTTP/1.1" 301 - "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.45.240.155 www.domain.org - [02/Aug/2021:17:05:23 -0500] "POST /xmlrpc.php HTTP/1.1" 301 - "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.45.240.155 www.domain.org - [02/Aug/2021:17:05:23 -0500] "POST /xmlrpc.php HTTP/1.1" 301 - "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.45.240.155 www.domain.org - [02/Aug/2021:17:05:24 -0500] "POST /xmlrpc.php HTTP/1.1" 301 - "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.45.240.155 www.domain.org - [02/Aug/2021:17:05:24 -0500] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.45.240.155 www.domain.org - [02/Aug/2021:17:05:27 -0500] "POST /xmlrpc.php HTTP/1.1" 301 - "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.45.240.155 www.domain.org - [02/Aug/2021:17:05:39 -0500] "POST /xmlrpc.php HTTP/1.1" 301 - "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.45.240.155 www.domain.org - [02/Aug/2021:17:05:40 -0500] "POST /xmlrpc.php HTTP/1.1" 301 - "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.45.240.155 www.domain.org - [02/Aug/2021:17:05:41 -0500] "POST /xmlrpc.php HTTP/1.1" 301 - "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.45.240.155 www.domain.org - [02/Aug/2021:17:05:44 -0500] "POST /xmlrpc.php HTTP/1.1" 301 - "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.45.240.155 www.domain.org - [02/Aug/2021:17:05:46 -0500] "POST /xmlrpc.php HTTP/1.1" 301 - "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.45.240.155 www.domain.org - [02/Aug/2021:17:05:49 -0500] "POST /xmlrpc.php HTTP/1.1" 301 - "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.45.240.155 www.domain.org - [02/Aug/2021:17:05:52 -0500] "POST /xmlrpc.php HTTP/1.1" 301 - "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.45.240.155 www.domain.org - [02/Aug/2021:17:05:53 -0500] "POST /xmlrpc.php HTTP/1.1" 301 - "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.45.240.155 www.domain.org - [02/Aug/2021:17:05:53 -0500] "POST /xmlrpc.php HTTP/1.1" 301 - "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.45.240.155 www.domain.org - [02/Aug/2021:17:05:54 -0500] "POST /xmlrpc.php HTTP/1.1" 301 - "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.45.240.155 www.domain.org - [02/Aug/2021:17:06:01 -0500] "POST /xmlrpc.php HTTP/1.1" 301 - "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.45.240.155 www.domain.org - [02/Aug/2021:17:06:06 -0500] "POST /xmlrpc.php HTTP/1.1" 301 - "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.45.240.155 www.domain.org - [02/Aug/2021:17:06:07 -0500] "POST /xmlrpc.php HTTP/1.1" 301 - "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.45.240.155 www.domain.org - [02/Aug/2021:17:06:11 -0500] "POST /xmlrpc.php HTTP/1.1" 301 - "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.45.240.155 www.domain.org - [02/Aug/2021:17:06:12 -0500] "POST /xmlrpc.php HTTP/1.1" 301 - "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.45.240.155 www.domain.org - [02/Aug/2021:17:06:13 -0500] "POST /xmlrpc.php HTTP/1.1" 301 - "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.45.240.155 www.domain.org - [02/Aug/2021:17:06:15 -0500] "POST /xmlrpc.php HTTP/1.1" 301 - "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.45.240.155 www.domain.org - [02/Aug/2021:17:06:18 -0500] "POST /xmlrpc.php HTTP/1.1" 301 - "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.45.240.155 www.domain.org - [02/Aug/2021:17:06:26 -0500] "POST /xmlrpc.php HTTP/1.1" 301 - "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.45.240.155 www.domain.org - [02/Aug/2021:17:06:27 -0500] "POST /xmlrpc.php HTTP/1.1" 301 - "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.45.240.155 www.domain.org - [02/Aug/2021:17:03:19 -0500] "POST /xmlrpc.php HTTP/1.1" 301 - "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.45.240.155 www.domain.org - [02/Aug/2021:17:03:21 -0500] "POST /xmlrpc.php HTTP/1.1" 301 - "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.45.240.155 www.domain.org - [02/Aug/2021:17:03:22 -0500] "POST /xmlrpc.php HTTP/1.1" 301 - "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.45.240.155 www.domain.org - [02/Aug/2021:17:03:25 -0500] "POST /xmlrpc.php HTTP/1.1" 301 - "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.45.240.155 www.domain.org - [02/Aug/2021:17:03:27 -0500] "POST /xmlrpc.php HTTP/1.1" 301 - "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.45.240.155 www.domain.org - [02/Aug/2021:17:03:28 -0500] "POST /xmlrpc.php HTTP/1.1" 301 - "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.45.240.155 www.domain.org - [02/Aug/2021:17:03:38 -0500] "POST /xmlrpc.php HTTP/1.1" 301 - "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.45.240.155 www.domain.org - [02/Aug/2021:17:03:55 -0500] "POST /xmlrpc.php HTTP/1.1" 301 - "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.45.240.155 www.domain.org - [02/Aug/2021:17:03:56 -0500] "POST /xmlrpc.php HTTP/1.1" 301 - "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.45.240.155 www.domain.org - [02/Aug/2021:17:03:58 -0500] "POST /xmlrpc.php HTTP/1.1" 301 - "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.45.240.155 www.domain.org - [02/Aug/2021:17:04:00 -0500] "POST /xmlrpc.php HTTP/1.1" 301 - "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.45.240.155 www.domain.org - [02/Aug/2021:17:04:00 -0500] "POST /xmlrpc.php HTTP/1.1" 301 - "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.45.240.155 www.domain.org - [02/Aug/2021:17:04:02 -0500] "POST /xmlrpc.php HTTP/1.1" 301 - "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.45.240.155 www.domain.org - [02/Aug/2021:17:04:17 -0500] "POST /xmlrpc.php HTTP/1.1" 301 - "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.45.240.155 www.domain.org - [02/Aug/2021:17:04:49 -0500] "POST /xmlrpc.php HTTP/1.1" 301 - "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.45.240.155 www.domain.org - [02/Aug/2021:17:04:53 -0500] "POST /xmlrpc.php HTTP/1.1" 301 - "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.45.240.155 www.domain.org - [02/Aug/2021:17:05:16 -0500] "POST /xmlrpc.php HTTP/1.1" 301 - "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.45.240.155 www.domain.org - [02/Aug/2021:17:05:26 -0500] "POST /xmlrpc.php HTTP/1.1" 301 - "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.45.240.155 www.domain.org - [02/Aug/2021:17:05:26 -0500] "POST /xmlrpc.php HTTP/1.1" 301 - "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.45.240.155 www.domain.org - [02/Aug/2021:17:05:55 -0500] "POST /xmlrpc.php HTTP/1.1" 301 - "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.45.240.155 www.domain.org - [02/Aug/2021:17:05:57 -0500] "POST /xmlrpc.php HTTP/1.1" 301 - "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.45.240.155 www.domain.org - [02/Aug/2021:17:05:58 -0500] "POST /xmlrpc.php HTTP/1.1" 301 - "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.45.240.155 www.domain.org - [02/Aug/2021:17:05:58 -0500] "POST /xmlrpc.php HTTP/1.1" 301 - "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.45.240.155 www.domain.org - [02/Aug/2021:17:06:08 -0500] "POST /xmlrpc.php HTTP/1.1" 301 - "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"
119.45.240.155 www.domain.org - [02/Aug/2021:17:06:24 -0500] "POST /xmlrpc.php HTTP/1.1" 301 - "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_151)"

Here are the f2b logs for this IP:

2021-08-02 16:43:13,279 fail2ban.filter         [791518]: INFO    [recidive] Found 119.45.240.155 - 2021-08-02 16:43:13
2021-08-02 16:44:13,185 fail2ban.actions        [791518]: NOTICE  [evasive] Unban 119.45.240.155
2021-08-02 16:44:13,529 fail2ban.actions        [791518]: NOTICE  [recidive] Unban 119.45.240.155
2021-08-02 16:44:15,583 fail2ban.actions        [794198]: NOTICE  [evasive] Restore Ban 119.45.240.155
2021-08-02 16:44:17,590 fail2ban.actions        [794198]: NOTICE  [recidive] Restore Ban 119.45.240.155
2021-08-02 16:45:12,300 fail2ban.actions        [794198]: NOTICE  [evasive] Unban 119.45.240.155
2021-08-02 16:45:13,019 fail2ban.filter         [794198]: INFO    [evasive] Found 119.45.240.155 - 2021-08-02 16:45:12
2021-08-02 16:45:13,511 fail2ban.actions        [794198]: NOTICE  [evasive] Ban 119.45.240.155
2021-08-02 16:45:13,517 fail2ban.filter         [794198]: INFO    [recidive] Found 119.45.240.155 - 2021-08-02 16:45:13
2021-08-02 16:46:35,452 fail2ban.filter         [794198]: INFO    [evasive] Found 119.45.240.155 - 2021-08-02 16:46:34
2021-08-02 16:46:35,635 fail2ban.actions        [794198]: WARNING [evasive] 119.45.240.155 already banned
2021-08-02 16:48:34,387 fail2ban.actions        [794198]: NOTICE  [evasive] Unban 119.45.240.155
2021-08-02 16:50:06,229 fail2ban.filter         [794198]: INFO    [evasive] Found 119.45.240.155 - 2021-08-02 16:50:05
2021-08-02 16:50:06,317 fail2ban.actions        [794198]: NOTICE  [evasive] Ban 119.45.240.155
2021-08-02 16:50:06,340 fail2ban.filter         [794198]: INFO    [recidive] Found 119.45.240.155 - 2021-08-02 16:50:06
2021-08-02 16:51:41,881 fail2ban.filter         [794198]: INFO    [evasive] Found 119.45.240.155 - 2021-08-02 16:51:41
2021-08-02 16:51:42,283 fail2ban.actions        [794198]: WARNING [evasive] 119.45.240.155 already banned
2021-08-02 16:53:00,229 fail2ban.filter         [794198]: INFO    [evasive] Found 119.45.240.155 - 2021-08-02 16:52:59
2021-08-02 16:53:00,782 fail2ban.actions        [794198]: WARNING [evasive] 119.45.240.155 already banned
2021-08-02 16:53:26,979 fail2ban.filter         [794198]: INFO    [evasive] Found 119.45.240.155 - 2021-08-02 16:53:26
2021-08-02 16:53:27,018 fail2ban.actions        [794198]: WARNING [evasive] 119.45.240.155 already banned
2021-08-02 16:55:17,296 fail2ban.filter         [794198]: INFO    [evasive] Found 119.45.240.155 - 2021-08-02 16:55:16
2021-08-02 16:55:17,577 fail2ban.actions        [794198]: WARNING [evasive] 119.45.240.155 already banned
2021-08-02 16:56:49,366 fail2ban.filter         [794198]: INFO    [evasive] Found 119.45.240.155 - 2021-08-02 16:56:48
2021-08-02 16:56:49,919 fail2ban.actions        [794198]: WARNING [evasive] 119.45.240.155 already banned
2021-08-02 16:58:48,269 fail2ban.actions        [794198]: NOTICE  [evasive] Unban 119.45.240.155
2021-08-02 17:00:09,489 fail2ban.filter         [794198]: INFO    [evasive] Found 119.45.240.155 - 2021-08-02 17:00:08
2021-08-02 17:00:09,582 fail2ban.actions        [794198]: NOTICE  [evasive] Ban 119.45.240.155
2021-08-02 17:00:09,589 fail2ban.filter         [794198]: INFO    [recidive] Found 119.45.240.155 - 2021-08-02 17:00:09
2021-08-02 17:02:08,346 fail2ban.actions        [794198]: NOTICE  [evasive] Unban 119.45.240.155
2021-08-02 17:02:11,387 fail2ban.filter         [794198]: INFO    [evasive] Found 119.45.240.155 - 2021-08-02 17:02:10
2021-08-02 17:02:11,559 fail2ban.actions        [794198]: NOTICE  [evasive] Ban 119.45.240.155
2021-08-02 17:02:11,564 fail2ban.filter         [794198]: INFO    [recidive] Found 119.45.240.155 - 2021-08-02 17:02:11
2021-08-02 17:04:10,334 fail2ban.actions        [794198]: NOTICE  [evasive] Unban 119.45.240.155
2021-08-02 17:05:23,151 fail2ban.filter         [794198]: INFO    [evasive] Found 119.45.240.155 - 2021-08-02 17:05:22
2021-08-02 17:05:23,648 fail2ban.actions        [794198]: NOTICE  [evasive] Ban 119.45.240.155
2021-08-02 17:05:23,653 fail2ban.filter         [794198]: INFO    [recidive] Found 119.45.240.155 - 2021-08-02 17:05:23
2021-08-02 17:05:23,761 fail2ban.actions        [794198]: WARNING [recidive] 119.45.240.155 already banned
2021-08-02 17:07:22,019 fail2ban.actions        [794198]: NOTICE  [evasive] Unban 119.45.240.155
2021-08-02 17:09:47,156 fail2ban.filter         [794198]: INFO    [evasive] Found 119.45.240.155 - 2021-08-02 17:09:46
2021-08-02 17:09:47,412 fail2ban.actions        [794198]: NOTICE  [evasive] Ban 119.45.240.155
2021-08-02 17:09:47,417 fail2ban.filter         [794198]: INFO    [recidive] Found 119.45.240.155 - 2021-08-02 17:09:47
2021-08-02 17:10:07,934 fail2ban.filter         [794198]: INFO    [evasive] Found 119.45.240.155 - 2021-08-02 17:10:07
2021-08-02 17:10:08,053 fail2ban.actions        [794198]: NOTICE  [evasive] 119.45.240.155 already banned
2021-08-02 17:12:07,207 fail2ban.actions        [794198]: NOTICE  [evasive] Unban 119.45.240.155
2021-08-02 17:12:34,229 fail2ban.filter         [794198]: INFO    [evasive] Found 119.45.240.155 - 2021-08-02 17:12:33
2021-08-02 17:12:34,452 fail2ban.actions        [794198]: NOTICE  [evasive] Ban 119.45.240.155
2021-08-02 17:12:34,457 fail2ban.filter         [794198]: INFO    [recidive] Found 119.45.240.155 - 2021-08-02 17:12:34
2021-08-02 17:13:03,361 fail2ban.filter         [794198]: INFO    [evasive] Found 119.45.240.155 - 2021-08-02 17:13:02
2021-08-02 17:13:03,801 fail2ban.actions        [794198]: NOTICE  [evasive] 119.45.240.155 already banned
2021-08-02 17:15:02,150 fail2ban.actions        [794198]: NOTICE  [evasive] Unban 119.45.240.155

Just to confirm, what do the following commands report?

fail2ban-client get evasive actions
fail2ban-client get evasive action firewallcmd-ipset-reset actionban

>>> fail2ban-client get evasive actions

The jail evasive has the following actions:
firewallcmd-ipset-reset

>>> fail2ban-client get evasive action firewallcmd-ipset-reset actionban

ipset add <ipmset> <ip> timeout 0 -exist
ss --no-header --numeric --kill dst <ip>
ss --no-header --numeric --kill dst <ip>

I don’t know if this is helpful, but I set the variables for recidive_maxretry, etc. manually since I found that they were not set when I attempted cpcmd scope:get cp.bootstrapper f2b_recidive_findtime. See below:

>>> cpcmd scope:get cp.bootstrapper f2b_recidive_findtime
null
>>> cpcmd scope:set cp.bootstrapper f2b_recidive_findtime 86400
INFO    : Setting variable `f2b_recidive_findtime'. Previous not present in apnscp-vars-runtime.yml.
----------------------------------------
MESSAGE SUMMARY
Reporter level: OK
INFO: Setting variable `f2b_recidive_findtime'. Previous not present in apnscp-vars-runtime.yml.
----------------------------------------
1

And then I executed upcp -sb fail2ban/configure-jails and restarted f2b.