Add filter for wordpress from wp-fail2ban.readthedocs.io/en/3.6/filters.html. Modify jail.local.

2018-11-23 16:53:26 +01:00 · 2018-11-23 16:53:26 +01:00 · 61d02b0f84
commit 61d02b0f84
parent 34758ef63a
3 changed files with 85 additions and 23 deletions
--- a/0.10.2/filter.d/wordpress-hard.conf
+++ b/0.10.2/filter.d/wordpress-hard.conf
@ -0,0 +1,27 @@
+# Fail2Ban filter for WordPress hard failures
+# Auto-generated: 2018-11-04T16:40:53+00:00
+#
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_daemon = (?:wordpress|wp)
+
+failregex = ^%(__prefix_line)sBlocked authentication attempt for .* from <HOST>$
+            ^%(__prefix_line)sBlocked user enumeration attempt from <HOST>$
+            ^%(__prefix_line)sSpam comment \d+ from <HOST>$
+            ^%(__prefix_line)sXML-RPC multicall authentication failure from <HOST>$
+            ^%(__prefix_line)sPingback error .* generated from <HOST>$
+            ^%(__prefix_line)sAuthentication attempt for unknown user .* from <HOST>$
+            ^%(__prefix_line)sXML-RPC authentication attempt for unknown user .* from <HOST>$
+
+ignoreregex =
+
+# DEV Notes:
+# Requires the 'WP fail2ban' plugin:
+# https://github.com/invisnet/wp-fail2ban/
+#
+# Author: Charles Lecklider
--- a/0.10.2/filter.d/wordpress-soft.conf
+++ b/0.10.2/filter.d/wordpress-soft.conf
@ -0,0 +1,22 @@
+# Fail2Ban filter for WordPress soft failures
+# Auto-generated: 2018-11-04T16:40:53+00:00
+#
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_daemon = (?:wordpress|wp)
+
+failregex = ^%(__prefix_line)sAuthentication failure for .* from <HOST>$
+            ^%(__prefix_line)sXML-RPC authentication failure for .* from <HOST>$
+
+ignoreregex =
+
+# DEV Notes:
+# Requires the 'WP fail2ban' plugin:
+# https://github.com/invisnet/wp-fail2ban/
+#
+# Author: Charles Lecklider
--- a/0.10.2/jail.local
+++ b/0.10.2/jail.local
@ -63,7 +63,7 @@ enabled  = true

 [postfix-sasl]

-enabled  = true
+enabled  = false
 # - Take care to allowh 'whois' requests from this mashine. Maybe
 # - you have configure your firewall
 action   = %(action_mwl)s
@ -76,7 +76,7 @@ bantime  = 3600

 [postfix-sasl-dos]

-enabled  = true
+enabled  = false
 # - Take care to allowh 'whois' requests from this mashine. Maybe
 # - you have configure your firewall
 action   = %(action_mwl)s
@ -92,7 +92,7 @@ bantime  = 10800

 [dovecot]

-enabled  = true
+enabled  = false
 # - Take care to allowh 'whois' requests from this mashine. Maybe
 # - you have configure your firewall
 action   = %(action_mwl)s
@ -107,26 +107,39 @@ findtime = 1200
 bantime  = 1800


-[wp-login]
-enabled  = true
-action   = %(action_mbu)s
-filter   = wp-login
+# - Replaced with 'wordpress-hard' and 'wordpress-soft'
+#[wp-login]
+#enabled  = false
+#action   = %(action_mbu)s
+#filter   = wp-login
+#port     = http,https
+#logpath  = /var/log/apache2/ip_requests.log
+#maxretry = 10
+#findtime = 600
+#bantime  = 10800
+#
+#
+#[wp-xmlrpc]
+#enabled  = false
+#action   = %(action_mbu)s
+#filter   = wp-xmlrpc
+#port     = http,https
+#logpath  = /var/log/apache2/ip_requests.log
+#maxretry = 5
+#findtime = 600
+#bantime  = 10800
+
+
+[wordpress-hard]
+enabled = false
+filter = wordpress-hard
+logpath = /var/log/auth.log
+maxretry = 1
 port = http,https
-logpath  = /var/log/apache2/ipv4_requests.log
-           /var/log/apache2/ip_requests.log
-maxretry = 10
-findtime = 600
-bantime  = 10800

-
-[wp-xmlrpc]
-enabled  = true
-action   = %(action_mbu)s
-filter   = wp-xmlrpc
+[wordpress-soft]
+enabled = false
+filter = wordpress-soft
+logpath = /var/log/auth.log
+maxretry = 3
 port = http,https
-logpath  = /var/log/apache2/ipv4_requests.log
-           /var/log/apache2/ip_requests.log
-maxretry = 5
-findtime = 600
-bantime  = 10800
-