fail2ban

Tips & Tricks

Voir le status de toutes les jails

sudo fail2ban-client status | sed -n 's/,//g;s/.*Jail list://p' | xargs -n1 sudo fail2ban-client status

Filters

Wordpress

Voir les filtres du plugin wp-fail2ban https://plugins.svn.wordpress.org/wp-fail2ban/trunk/filters.d/

Dédier des logs à fail2ban https://github.com/fail2ban/fail2ban/wiki/Best-practice

# Filtre pour Wordpress via nginx combined access_log
# xmlrpc.php n'est pas utile: https://kinsta.com/fr/blog/xmlrpc-php/
#
[INCLUDES]

# Load regexes for filtering
before = botsearch-common.conf

[Definition]

failregex = ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) /wp-content/plugins/wp-file-manager/\S+ \S+\" 404 .+$
        ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) /vendor/phpunit/phpunit/\S+ \S+\" 404 .+$
        ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) /\.env \S+\" (403|404) .+$
        ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) /\S+/wp-login\.php \S+\" 404 .+$
        ^<HOST> \- \S+ \[\] \"POST /xmlrpc.php \S+\" (200|503) .+$

ignoreregex = 

datepattern = {^LN-BEG}%%ExY(?P<_sep>[-/.])%%m(?P=_sep)%%d[T ]%%H:%%M:%%S(?:[.,]%%f)?(?:\s*%%z)?
              ^[^\[]*\[({DATE})
              {^LN-BEG}

Et la jail (agressive!) correspondante:

[wordpress-nginx]

enabled=true
# ban only for those ports:
port=http,https
logpath=/var/log/nginx/www.parents-touraine.fr_access.log

# "bantime" is the number of seconds that a host is banned.
bantime  = 10m
# A host is banned if it has generated "maxretry" during the last "findtime"
findtime  = 10m
# "maxretry" is the number of failures before a host get banned.
maxretry = 1