From dc048a6d886671b273c153f802952c90dbae84a1 Mon Sep 17 00:00:00 2001
From: Christoph
Date: Thu, 16 Mar 2023 10:04:56 +0100
Subject: [PATCH] adjust wordpress filter..
---
0.10.2/filter.d/wordpress-hard.conf | 63 ++++++++++++++++-------------
0.10.2/filter.d/wordpress-soft.conf | 53 ++++++++++++++----------
2 files changed, 67 insertions(+), 49 deletions(-)
diff --git a/0.10.2/filter.d/wordpress-hard.conf b/0.10.2/filter.d/wordpress-hard.conf
index 8b9b7bd..ba745d8 100644
--- a/0.10.2/filter.d/wordpress-hard.conf
+++ b/0.10.2/filter.d/wordpress-hard.conf
@@ -1,27 +1,36 @@
-# Fail2Ban filter for WordPress hard failures
-# Auto-generated: 2018-11-04T16:40:53+00:00
-#
-
-[INCLUDES]
-
-before = common.conf
-
-[Definition]
-
-_daemon = (?:wordpress|wp)
-
-failregex = ^%(__prefix_line)sBlocked authentication attempt for .* from $
- ^%(__prefix_line)sBlocked user enumeration attempt from $
- ^%(__prefix_line)sSpam comment \d+ from $
- ^%(__prefix_line)sXML-RPC multicall authentication failure from $
- ^%(__prefix_line)sPingback error .* generated from $
- ^%(__prefix_line)sAuthentication attempt for unknown user .* from $
- ^%(__prefix_line)sXML-RPC authentication attempt for unknown user .* from $
-
-ignoreregex =
-
-# DEV Notes:
-# Requires the 'WP fail2ban' plugin:
-# https://github.com/invisnet/wp-fail2ban/
-#
-# Author: Charles Lecklider
+# Fail2Ban configuration file
+#
+# Author: Charles Lecklider 2012-2016
+# Author: Brandon Allen 2016-2019
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+
+[Definition]
+
+_daemon = wp
+
+# Option: failregex
+# Notes.: regex to match the password failures messages in the logfile. The
+# host must be matched by a group named "host". The tag "" can
+# be used for standard IP/hostname matching and is only an alias for
+# (?:::f{4,6}:)?(?P[\w\-.^_]+)
+# Values: TEXT
+#
+failregex = ^%(__prefix_line)sAuthentication attempt for unknown user .* from $
+ ^%(__prefix_line)sBlocked authentication attempt for .* from $
+ ^%(__prefix_line)sBlocked user enumeration attempt from $
+ ^%(__prefix_line)sPingback error .* generated from $
+ ^%(__prefix_line)sSpammed comment from $
+ ^%(__prefix_line)sXML-RPC multicall authentication failure from $
+
+# Option: ignoreregex
+# Notes.: regex to ignore. If this regex matches, the line is ignored.
+# Values: TEXT
+#
+ignoreregex =
diff --git a/0.10.2/filter.d/wordpress-soft.conf b/0.10.2/filter.d/wordpress-soft.conf
index 37e0307..691c653 100644
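Review bot: `_daemon` is narrowed from `(?:wordpress|wp)` to `wp`, so log lines carrying the syslog tag `wordpress` would presumably stop matching every failregex through `%(__prefix_line)s`; the same change is made in wordpress-soft.conf. The hunk also replaces `Spam comment \d+ from` with `Spammed comment from`, drops the `XML-RPC authentication attempt for unknown user` pattern, and removes the note naming the plugin that writes these messages. A host that still logs the old tag or wording would then get no bans and no error from the jail. Either keep the alternation, `_daemon = (?:wordpress|wp)`, or add a header comment naming the plugin and version whose message format the filter now expects. Checking the new patterns with `fail2ban-regex` against a sample of the site's real log before deploying would confirm they still hit.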
--- a/0.10.2/filter.d/wordpress-soft.conf
+++ b/0.10.2/filter.d/wordpress-soft.conf
@@ -1,22 +1,31 @@
-# Fail2Ban filter for WordPress soft failures
-# Auto-generated: 2018-11-04T16:40:53+00:00
-#
-
-[INCLUDES]
-
-before = common.conf
-
-[Definition]
-
-_daemon = (?:wordpress|wp)
-
-failregex = ^%(__prefix_line)sAuthentication failure for .* from $
- ^%(__prefix_line)sXML-RPC authentication failure for .* from $
-
-ignoreregex =
-
-# DEV Notes:
-# Requires the 'WP fail2ban' plugin:
-# https://github.com/invisnet/wp-fail2ban/
-#
-# Author: Charles Lecklider
+# Fail2Ban configuration file
+#
+# Author: Charles Lecklider 2012-2016
+# Author: Brandon Allen 2016-2019
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+
+[Definition]
+
+_daemon = wp
+
+# Option: failregex
+# Notes.: regex to match the password failures messages in the logfile. The
+# host must be matched by a group named "host". The tag "" can
+# be used for standard IP/hostname matching and is only an alias for
+# (?:::f{4,6}:)?(?P[\w\-.^_]+)
+# Values: TEXT
+#
+failregex = ^%(__prefix_line)sAuthentication failure for .* from $
+
+# Option: ignoreregex
+# Notes.: regex to ignore. If this regex matches, the line is ignored.
+# Values: TEXT
+#
+ignoreregex =
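Review bot: The `XML-RPC authentication failure for .* from` pattern is removed and nothing replaces it, so failed logins through XML-RPC are no longer counted by the soft jail unless the plugin reports them with the generic `Authentication failure for` message. That should be confirmed against real log lines, and a comment such as `# XML-RPC login failures are logged as "Authentication failure" by <plugin name/version>` above `failregex` would record the assumption. As rendered here the patterns in both files end in `from $` and the explanatory comment reads `The tag ""`; if the `<HOST>` tag is actually missing from the committed file rather than lost in display, the filter has no address to act on.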