Integrate fail2ban with WordPress: Spam Log Plugin

Spam Log is a WordPress plugin that writes a log entry for every comment marked as spam. The log file is suitable for processing by fail2ban.

Recently, I’ve encountered some very aggressive WordPress spam bots. These bots post a new spam comment almost every minute for hours on end. Needless to say my spam queue is a mess. I wrote the following plugin to solve this problem.

What is Spam Log?

Spam Log is a simple WordPress plugin that logs a message every time a comment is marked as spam. Each log message includes the IP address of the poster and the comment’s ID. The log can easily be processed by fail2ban. fail2ban is a daemon that scans log files for misbehaving clients and bans them by IP address. Here is sample output generated by Spam Log:

2009-04-20 04:15:03 comment id=527 from host=83.233.30.32 marked as spam
2009-04-20 04:18:15 comment id=528 from host=83.233.30.32 marked as spam
2009-04-20 04:20:36 comment id=529 from host=83.233.30.32 marked as spam
2009-04-20 04:21:46 comment id=530 from host=83.233.30.32 marked as spam
2009-04-20 04:22:49 comment id=531 from host=83.233.30.32 marked as spam

Why use Spam Log and fail2ban if Akismet/wp-recaptcha/etc. is already catching all the spam?

  • Many spammers post 50+ comments a day from a single IP address. Even if every comment is correctly marked as spam, the volume alone means that you can’t easily monitor the spam queue for false positives. Spam Log and fail2ban should considerably reduce the total amount of spam.
  • Even if spam comments never appear on your blog, they still waste valuable resources on your server. Low-memory virtual servers need all available resources for serving legitimate users. Banning spammers at the firewall before they ever connect to your web server is very efficient.

Installation

Spam Log

  1. Upload the spam-log folder to the wp-content/plugins directory.
  2. Active the plugin through the WordPress Admin menu.
  3. Set the location of the spam log through Spam Log’s Options page in the WordPress Admin menu. By default, the location is set to wp-content/spam.log. The file or containing directory needs to be writeable by the user that the web server runs as. On Debian or Ubuntu systems, you can do the following:

$ sudo touch /path/to/spam.log
$ sudo chown www-data.www-data /path/to/spam.log

fail2ban Configuration

Create /etc/fail2ban/filter.d/spam-log.conf with the following contents:

[Definition]
failregex = ^\s*comment id=\d+ from host=<HOST> marked as spam$
ignoreregex =

Add the following lines to /etc/fail2ban/jail.local:

[spam-log]
enabled  = true
port     = http,https
filter   = spam-log
logpath  = /path/to/spam.log
maxretry = 5
findtime = 3600
bantime  = 86400

Change logpath to the path you set on Spam Log’s Options page. This configuration will ban an IP address for a day if it’s used to post 5 comments within an hour that are marked as spam. Warning: Some captcha plugins mark comments as spam when a user fails a captcha. Be careful decreasing maxretry if you’re using such a plugin as there’s a risk that you will ban legitimate users.

Download

spam-log-0.1.tar.gz
spam-log-0.1.zip

10 thoughts on “Integrate fail2ban with WordPress: Spam Log Plugin”

  1. Thanks for that great plugin!
    Using it with a lot of success so far!! :)

    Even tho I have one question about the usage:

    I am running more than one website on my server.
    How is it possible to add more than one spam-log to it?
    Right now the jail.conf points to one of the websites spam.log file.

    Can I just add another one of those into the jail.conf or won’t it work:

    [spam-log]
    enabled = true
    port = http,https
    filter = spam-log
    logpath = /path/to/spam.log
    maxretry = 5
    findtime = 3600
    bantime = 86400

    Thanks in advance,

    Joern

    1. I think that will work although I personally haven’t tried.

      You will probably have the change the name (“[spam-log]”) and the path to the log (“logpath = /path/to/spam.log”) for each separate entry in jail.conf.

      If you have any problems, post again and I can probably figure it out.

      Edit: Also, it looks fail2ban > 0.7 supports wildcards in the logpath directive. So, another options would be something like “logpath = /path/to/sites/*/spam.log” where * gets expanded to site1, site2, site3, etc.

      That might be easier depending on your directory structure and the number of sites.

      1. It works great!
        I chose the first option you wrote down and it works like a charm.
        Gonna try the wildcard-version too.

        Thanks a lot for your help!!

        I really appreciate it!

  2. I have a major problem with 300+ comment spam per day that is all caught by Akismet but preventing me from checking the spam folder for any legitimate comments.

    Question is: What if they are spoofing their IP address to match the IP address of the server my site is on? I can’t ban myself!

  3. I realize this is an older post, but still relevant! I just integrated this on my server, and it worked flawlessly. I also used wildcards in the jail.local for the logpath to target multiple log files at once. Awesome!

  4. Thanks for this, I’ve actually hacked it about a bit so that it logs to syslog (/var/log/messages), which a) means you get log rotation for free and b) makes the jail a little easier (only one file to check). I’m using the following (borrowed from the wp fail2ban plugin, which does this for failed logins).

    \openlog(‘wordpress(‘.$_SERVER[‘HTTP_HOST’].’)’,
    LOG_NDELAY|LOG_PID,
    LOG_USER);

    \syslog(LOG_NOTICE,’Comment id=’.$comment_id.’ marked as spam, posted from ‘.$comment->comment_author_IP);

    (Not, I’ve changed the log wording around a little so that the IP address is at the end, just because I prefer that when scanning the log visually).

Leave a Reply

Your email address will not be published.