View the status of all jails
sudo fail2ban-client status | sed -n 's/,//g;s/.*Jail list://p' | xargs -n1 sudo fail2ban-client status
See the filters shipped with the wp-fail2ban plugin https://plugins.svn.wordpress.org/wp-fail2ban/trunk/filters.d/
Give fail2ban its own dedicated log files https://github.com/fail2ban/fail2ban/wiki/Best-practice
# Filter for WordPress behind nginx, using the combined access_log
# xmlrpc.php is not needed: https://kinsta.com/fr/blog/xmlrpc-php/
#

[INCLUDES]
# Load regexes for filtering
before = botsearch-common.conf

[Definition]
failregex = ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) /wp-content/plugins/wp-file-manager/\S+ \S+\" 404 .+$
            ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) /vendor/phpunit/phpunit/\S+ \S+\" 404 .+$
            ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) /\.env \S+\" (403|404) .+$
            ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) /\S+/wp-login\.php \S+\" 404 .+$
            ^<HOST> \- \S+ \[\] \"POST /xmlrpc.php \S+\" (200|503) .+$

ignoreregex =

datepattern = {^LN-BEG}%%ExY(?P<_sep>[-/.])%%m(?P=_sep)%%d[T ]%%H:%%M:%%S(?:[.,]%%f)?(?:\s*%%z)?
              ^[^\[]*\[({DATE})
              {^LN-BEG}
And the corresponding (aggressive!) jail:
[wordpress-nginx]
enabled=true
# ban only for those ports:
port=http,https
logpath=/var/log/nginx/www.parents-touraine.fr_access.log
# "bantime" is the number of seconds that a host is banned.
bantime = 10m
# A host is banned if it has generated "maxretry" failures during the last "findtime"
findtime = 10m
# "maxretry" is the number of failures before a host gets banned.
maxretry = 1
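To check what the filter and jail above would actually catch before deploying them, here is an added Python harness (not part of these notes nor of fail2ban itself) that applies the five failregex lines to constructed nginx combined log lines the way fail2ban does, then counts hits per address against maxretry. The <HOST> expansion and the date-stripping step are simplified stand-ins for fail2ban's own (an assumption), and findtime is ignored because all sample lines are treated as one window.

```python
import re

# failregex lines from the filter above, copied verbatim from the .conf
FAILREGEX = [
    r'^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) /wp-content/plugins/wp-file-manager/\S+ \S+\" 404 .+$',
    r'^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) /vendor/phpunit/phpunit/\S+ \S+\" 404 .+$',
    r'^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) /\.env \S+\" (403|404) .+$',
    r'^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) /\S+/wp-login\.php \S+\" 404 .+$',
    r'^<HOST> \- \S+ \[\] \"POST /xmlrpc.php \S+\" (200|503) .+$',
]
# fail2ban expands <HOST> into a group matching an IP or hostname; this simplified
# IPv4/IPv6 form is an assumption, sufficient for the constructed sample lines.
HOST_RE = r'(?P<host>(?:\d{1,3}\.){3}\d{1,3}|[0-9a-fA-F:]{3,39})'
# The '[]' in each failregex is where the combined-log timestamp stood: fail2ban cuts
# the text matched by datepattern out of the line before failregex is applied.
DATE_RE = re.compile(r'\[[^\]]*\]')
COMPILED = [re.compile(p.replace('<HOST>', HOST_RE)) for p in FAILREGEX]

# constructed nginx "combined" lines (documentation addresses), not real traffic
SAMPLE_LOG = [
    '198.51.100.7 - - [12/May/2024:10:15:30 +0200] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/May/2024:10:15:31 +0200] "GET /vendor/phpunit/phpunit/x.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [12/May/2024:10:16:02 +0200] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [12/May/2024:10:17:45 +0200] "GET /wp-login.php HTTP/1.1" 200 6021 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [12/May/2024:10:17:50 +0200] "GET /blog/wp-login.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
]

def strip_date(line):
    """Simplified stand-in for the datepattern step: blank the first [...] timestamp."""
    return DATE_RE.sub('[]', line, count=1)

def matching_host(line):
    """Return the offending address if any failregex matches the line, else None."""
    stripped = strip_date(line)
    m = next((m for m in (rx.match(stripped) for rx in COMPILED) if m), None)
    return m.group('host') if m else None

def hosts_to_ban(lines, maxretry=1):
    """Addresses with at least maxretry matches; every line counts as within findtime."""
    counts = {}
    for line in lines:
        host = matching_host(line)
        if host:
            counts[host] = counts.get(host, 0) + 1
    return sorted(h for h, n in counts.items() if n >= maxretry)

if __name__ == '__main__':
    print('maxretry=1:', hosts_to_ban(SAMPLE_LOG, 1))  # the jail above: first hit bans
    print('maxretry=2:', hosts_to_ban(SAMPLE_LOG, 2))  # only the repeat scanner
```

Note that a legitimate GET of /wp-login.php returning 200 is not matched (the fourth pattern only fires on a 404 under a sub-path), while with maxretry = 1 a single POST to xmlrpc.php is enough to ban the sender.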