I am just wondering if this is really the “ideal” way to handle things, seeing that the connections are made to wordpress, PHP gets loaded and then the plugin says “captcha” or “block”.
Would it not be more resource friendly to use a plugin like this one: WP fail2ban – Advanced Security Plugin – WordPress plugin | WordPress.org which simply logs all login attempts – including via XML-RPC, whether successful or not, to syslog using LOG_AUTH and then have a crowdsec parser check the logs and handle it with any bouncer you like?
The benefit of the second method is that if an IP is blocked, there won’t be any traffic as the blacklisted IP will be blocked before it even hits PHP.
I was using the method I described with fail2ban before I discovered crowdsec so I was wondering if this method sounds like something you might implement in your plugin - i.e. enable logging to syslog + wordpress parser? This way one could chose between the methods?
There are already bouncers to do that.
The advantage of the wordpress bouncer is to be able to ask for a captcha and to not completly block the IP.
The other advantage is if you are behind a proxy / loadbalancer and you can’t block directly on the front server. Then blocking on the firewall is not possible, but you can use the wordpress bouncer.
To make it simple.
You want / can block on the firewall, use the firewall-bouncer.
You cant / don’t want to block on the firewall, you want to ask for a captcha, use the wordpress bouncer.
OK, sure, but to keep using another bouncer I still need a plugin like I linked to so that wordpress logs authentications to syslog.
Will the existing parsers pick those logs up? Which one exactly?
Apparently those logs would look like this:
Oct 17 20:59:54 foobar wordpress(www.example.com)[1234]: Authentication failure for admin from 192.168.0.1
Oct 17 21:00:00 foobar wordpress(www.example.com)[2345]: Accepted password for admin from 192.168.0.1
The wordpress plugin is a bouncer, not a parser…
He will connect to your local api to get the IP to block.
And to build that list you need to install crowdsec with the wordpress collection/scenario.
The crowdsec scenarios for WP read the apache logs and try to find too many POST on wp-login.php
I use the plugin I mentioned which logs authentication failures to syslog. Is there a parser which could pick those up as I wish to NOT use the crowdsec WP plugin and instead use the default crowdsec bouncer.
Of course if would be awesome if the official crowdsec WP plugin could also add the functionality to log login failures to syslog as an option
I cannot give a timeline yet because the web team is focused on other topics, but yes we want to add to add logging features to crowdsec’s WP plugin, so that it can help detect more attacks that what we can do from simply crunching logs.
If you have some more specific ideas in mind, please don’t hesitate, suggestions are welcome
