diff --git a/0.10.2/filter.d/wordpress-hard.conf b/0.10.2/filter.d/wordpress-hard.conf
new file mode 100644
index 0000000..8b9b7bd
--- /dev/null
+++ b/0.10.2/filter.d/wordpress-hard.conf
@@ -0,0 +1,27 @@
+# Fail2Ban filter for WordPress hard failures
+# Auto-generated: 2018-11-04T16:40:53+00:00
+#
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_daemon = (?:wordpress|wp)
+
+failregex = ^%(__prefix_line)sBlocked authentication attempt for .* from $
+ ^%(__prefix_line)sBlocked user enumeration attempt from $
+ ^%(__prefix_line)sSpam comment \d+ from $
+ ^%(__prefix_line)sXML-RPC multicall authentication failure from $
+ ^%(__prefix_line)sPingback error .* generated from $
+ ^%(__prefix_line)sAuthentication attempt for unknown user .* from $
+ ^%(__prefix_line)sXML-RPC authentication attempt for unknown user .* from $
+
+ignoreregex =
+
+# DEV Notes:
+# Requires the 'WP fail2ban' plugin:
+# https://github.com/invisnet/wp-fail2ban/
+#
+# Author: Charles Lecklider
diff --git a/0.10.2/filter.d/wordpress-soft.conf b/0.10.2/filter.d/wordpress-soft.conf
new file mode 100644
index 0000000..37e0307
--- /dev/null
+++ b/0.10.2/filter.d/wordpress-soft.conf
@@ -0,0 +1,22 @@
+# Fail2Ban filter for WordPress soft failures
+# Auto-generated: 2018-11-04T16:40:53+00:00
+#
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_daemon = (?:wordpress|wp)
+
+failregex = ^%(__prefix_line)sAuthentication failure for .* from $
+ ^%(__prefix_line)sXML-RPC authentication failure for .* from $
+
+ignoreregex =
+
+# DEV Notes:
+# Requires the 'WP fail2ban' plugin:
+# https://github.com/invisnet/wp-fail2ban/
+#
+# Author: Charles Lecklider
diff --git a/0.10.2/jail.local b/0.10.2/jail.local
index 3b51a43..4bbddc1 100644
--- a/0.10.2/jail.local
+++ b/0.10.2/jail.local
@@ -63,7 +63,7 @@ enabled = true
 [postfix-sasl]
-enabled = true
+enabled = false
 # - Take care to allowh 'whois' requests from this mashine. Maybe
 # - you have configure your firewall
 action = %(action_mwl)s
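Review bot: Switching `[postfix-sasl]` to `enabled = false` in this hunk, and `[postfix-sasl-dos]` and `[dovecot]` in the next two, turns off brute-force banning for SMTP AUTH and IMAP/POP3 logins. Nothing in the visible patch, which otherwise only adds WordPress filters, explains why. If Postfix and Dovecot still accept logins on this host, repeated authentication failures will no longer lead to a ban. Either keep the three jails at `enabled = true`, or record the reason next to each switch, e.g. `# disabled: <reason, e.g. service not running on this host>`. The jail sections continue outside these hunks, so their remaining settings are not visible here.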
@@ -76,7 +76,7 @@ bantime = 3600
 [postfix-sasl-dos]
-enabled = true
+enabled = false
 # - Take care to allowh 'whois' requests from this mashine. Maybe
 # - you have configure your firewall
 action = %(action_mwl)s
@@ -92,7 +92,7 @@ bantime = 10800
 [dovecot]
-enabled = true
+enabled = false
 # - Take care to allowh 'whois' requests from this mashine. Maybe
 # - you have configure your firewall
 action = %(action_mwl)s
@@ -107,26 +107,39 @@ findtime = 1200
 bantime = 1800
-[wp-login]
-enabled = true
-action = %(action_mbu)s
-filter = wp-login
-port = http,https
-logpath = /var/log/apache2/ipv4_requests.log
- /var/log/apache2/ip_requests.log
-maxretry = 10
-findtime = 600
-bantime = 10800
+# - Replaced with 'wordpress-hard' and 'wordpress-soft'
+#[wp-login]
+#enabled = false
+#action = %(action_mbu)s
+#filter = wp-login
+#port = http,https
+#logpath = /var/log/apache2/ip_requests.log
+#maxretry = 10
+#findtime = 600
+#bantime = 10800
+#
+#
+#[wp-xmlrpc]
+#enabled = false
+#action = %(action_mbu)s
+#filter = wp-xmlrpc
+#port = http,https
+#logpath = /var/log/apache2/ip_requests.log
+#maxretry = 5
+#findtime = 600
+#bantime = 10800
-[wp-xmlrpc]
-enabled = true
-action = %(action_mbu)s
-filter = wp-xmlrpc
-port = http,https
-logpath = /var/log/apache2/ipv4_requests.log
- /var/log/apache2/ip_requests.log
-maxretry = 5
-findtime = 600
-bantime = 10800
+[wordpress-hard]
+enabled = false
+filter = wordpress-hard
+logpath = /var/log/auth.log
+maxretry = 1
+port = http,https
+[wordpress-soft]
+enabled = false
+filter = wordpress-soft
+logpath = /var/log/auth.log
+maxretry = 3
+port = http,https
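Review bot: After the last hunk no WordPress jail is active: `[wp-login]` and `[wp-xmlrpc]` are commented out, and their replacements `[wordpress-hard]` and `[wordpress-soft]` are both added with `enabled = false`. If the WP fail2ban plugin is already writing to `/var/log/auth.log`, set both new jails to `enabled = true`; otherwise keep the old jails enabled until it is. The new jails also drop the explicit `action = %(action_mbu)s`, `findtime = 600` and `bantime = 10800` of the old ones and inherit whatever `[DEFAULT]` sets, which is outside this hunk. With `maxretry = 1` on `[wordpress-hard]` it is worth stating `findtime` and `bantime` explicitly in both sections. Before enabling them, also confirm that the failregex lines in the two new filter files contain the `<HOST>` tag; as displayed on this page they end in `from $`.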