WordPress – Fail2Ban Not Banning on CentOS 7 with SELinux

On a LEMP stack with WordPress and the WP fail2ban plugin, WordPress authentication issues get logged to /var/log/messages perfectly fine.

$ sudo fail2ban-client version
0.9.2

In the last couple of days I get about 25K of these lines in there, some brute force attempt from Sweden:

Aug 17 10:48:58 ip-172-1-6-5 wordpress(mydomain.com)[29203]: Blocked authentication attempt for mydomain from 217.70.32.9
Aug 17 10:48:58 ip-172-1-6-5 wordpress(mydomain.com)[29204]: Blocked authentication attempt for mydomain from 217.70.32.9
Aug 17 10:48:58 ip-172-1-6-5 wordpress(mydomain.com)[29796]: Blocked authentication attempt for mydomain from 217.70.32.9
Aug 17 10:48:58 ip-172-1-6-5 wordpress(mydomain.com)[29203]: Blocked authentication attempt for mydomain from 217.70.32.9
Aug 17 10:48:58 ip-172-1-6-5 wordpress(mydomain.com)[29204]: Blocked authentication attempt for mydomain from 217.70.32.9

The wordpress.conf jail has been enabled and the regexp test works:

$ sudo fail2ban-regex /var/log/messages /etc/fail2ban/filter.d/wordpress.conf

Failregex: 25865 total
|-  #) [# of hits] regular expression
|   1) [180] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?wordpress(?:\(\S+\))?[\]\)]?:?|[\[\(]?wordpress(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*Authentication failure for .* from <HOST>$
|   2) [25685] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?wordpress(?:\(\S+\))?[\]\)]?:?|[\[\(]?wordpress(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*Blocked authentication attempt for .* from <HOST>$

However, none get banned.

$ sudo fail2ban-client status wordpress
Status for the jail: wordpress
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 0
|  `- File list:    /var/log/messages
`- Actions
   |- Currently banned: 0
   |- Total banned: 0
   `- Banned IP list:

Confirming firewalld knows about this:

$ sudo ipset list

Name: fail2ban-wordpress
Type: hash:ip
Revision: 1
Header: family inet hashsize 1024 maxelem 65536 timeout 3600
Size in memory: 16528
References: 1
Members:

From jail.local

bantime  = 3600
findtime  = 600
banaction = firewallcmd-ipset

# Protect agains WP Login bruteforce attemps via
# https://wordpress.org/plugins/wp-fail2ban/installation/

[wordpress]

port     = http,https
logpath  = /var/log/messages
maxretry = 3
enabled = true

Note how above we get 5 retry attempts within one second, which should of course trigger a ban.

I see no worrying denied messages in /var/log/audit/audit.log regarding SELinux preventing this from working though I'm far from an expert on SELinux.

The logging works. The regex works. Fail2Ban runs. The jail has been enabled. Firewalld is expecting things. But nothing is happening.

Manually banning it works too:

$ sudo fail2ban-client set wordpress banip 217.70.32.9

$ sudo fail2ban-client status wordpress
Status for the jail: wordpress
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 3
|  `- File list:    /var/log/messages
`- Actions
   |- Currently banned: 1
   |- Total banned: 1
   `- Banned IP list:   217.70.32.9

$ sudo ipset list
Name: fail2ban-wordpress
Type: hash:ip
Revision: 1
Header: family inet hashsize 1024 maxelem 65536 timeout 3600
Size in memory: 16592
References: 1
Members:
217.70.32.9 timeout 3457

This appears to confirm my jail.local is being loaded:

$ sudo fail2ban-client status
Status
|- Number of jail:  6
`- Jail list:   1, 2, 3, 4, 5, wordpress

I was using backend polling, but I am now running Gamin. Setting Fail2Ban loglevel to debug, this appears to work when I wrongly log in myself:

2015-08-18 22:57:52,874 fail2ban.filtergamin    [29664]: DEBUG   File changed: /var/log/messages

The regex checker keeps increasing its matches too. But still, I can do that 20 times in 2 minutes without getting banned…

Where should I look next?