Gist gbot/3e10ef0655d191436907, last active October 10, 2015 21:00
Fail2Ban WordPress login failure jail and filter. Notes: the log path uses 'access*_log' so that both the http and https logs are monitored for login attempts. This will only work if WordPress is installed in the web root; tweaking the failregex is required for installs in sub-directories.
Jail section (goes in jail.local or a jail.d file; the second action line must stay indented so fail2ban reads it as a continuation of the same action value):

[wp-login]
enabled  = true
filter   = wp-login
action   = iptables-multiport[name=wp-login, port="http,https"]
           sendmail[dest="[email protected]", sendername="Fail2Ban", sender="fail2ban", name="wp-login"]
logpath  = /var/www/vhosts/system/*/logs/access*_log
maxretry = 5
findtime = 60
bantime  = 1200
Filter, saved as filter.d/wp-login.conf so that its name matches "filter = wp-login" in the jail above:

# Filter called 'wp-login' (must match the jail's filter setting)
[INCLUDES]
before = apache-common.conf

[Definition]
# A failed WordPress login re-renders wp-login.php with status 200, while a
# successful login answers with a 302 redirect, so only POSTs answered with 200
# are counted as failures.
failregex = ^<HOST>.*] "POST /wp-login.php HTTP/.*" 200
# the above failregex will only find wp-login.php installed in the web root, use
# the following for instances where WordPress may be installed in a subdirectory
# failregex = ^<HOST>.*] "POST .*/wp-login.php HTTP/.*" 200
ignoreregex =
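To see what the filter and the jail's maxretry/findtime counting actually do against real-looking log lines, here is an added Python example (not part of the gist, and not fail2ban's own code). It replays both failregex variants over constructed Apache access_log lines and applies the same sliding-window rule the jail uses. The HOST_PATTERN stand-in for fail2ban's <HOST> placeholder is a simplification, and the log lines and RFC 5737 addresses are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The two failregex lines from the gist's filter, copied verbatim.
ROOT_FAILREGEX = r'^<HOST>.*] "POST /wp-login.php HTTP/.*" 200'
SUBDIR_FAILREGEX = r'^<HOST>.*] "POST .*/wp-login.php HTTP/.*" 200'

# Simplified stand-in for fail2ban's <HOST> placeholder (assumption: the real
# one is a stricter IPv4/IPv6/hostname pattern; any non-space run is enough
# for the leading client address of an Apache log line).
HOST_PATTERN = r'(?P<host>\S+)'

# Apache common-log timestamp, e.g. [10/Oct/2015:21:00:01 +0000]
TIMESTAMP_RE = re.compile(r'\[(?P<ts>[^\]]+)\]')
TIMESTAMP_FMT = '%d/%b/%Y:%H:%M:%S %z'

# Constructed sample access_log lines (not from the gist), in log order:
#  - 203.0.113.7 fails five root-install logins (POST, 200) in 19 seconds
#  - 198.51.100.3 loads the form (GET, 200) and logs in successfully (302)
#  - 192.0.2.9 fails three times against a /blog/ sub-directory install,
#    spread over 101 seconds
SAMPLE_LOG = """\
198.51.100.3 - - [10/Oct/2015:21:00:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2917 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2015:21:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3451 "-" "Mozilla/5.0"
198.51.100.3 - - [10/Oct/2015:21:00:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.3 - - [10/Oct/2015:21:00:03 +0000] "GET /wp-admin/ HTTP/1.1" 200 9021 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2015:21:00:04 +0000] "POST /blog/wp-login.php HTTP/1.1" 200 3451 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2015:21:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3451 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2015:21:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3451 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2015:21:00:14 +0000] "POST /wp-login.php HTTP/1.1" 200 3451 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2015:21:00:20 +0000] "POST /wp-login.php HTTP/1.1" 200 3451 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2015:21:00:30 +0000] "POST /blog/wp-login.php HTTP/1.1" 200 3451 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2015:21:01:45 +0000] "POST /blog/wp-login.php HTTP/1.1" 200 3451 "-" "Mozilla/5.0"
"""


def compile_failregex(failregex):
    """Turn a fail2ban failregex into a Python pattern with a named host group."""
    return re.compile(failregex.replace('<HOST>', HOST_PATTERN))


def parse_timestamp(line):
    """Extract the bracketed Apache timestamp as a timezone-aware datetime."""
    m = TIMESTAMP_RE.search(line)
    if m is None:
        raise ValueError('no timestamp in log line: %r' % line)
    return datetime.strptime(m.group('ts'), TIMESTAMP_FMT)


def match_failures(log_text, failregex):
    """Yield (host, timestamp) for every log line the failregex matches."""
    pattern = compile_failregex(failregex)
    for line in log_text.splitlines():
        m = pattern.search(line)
        if m:
            yield m.group('host'), parse_timestamp(line)


def find_bans(log_text, failregex, maxretry=5, findtime=60):
    """Replay the jail's counting rule: a host is banned once it has
    `maxretry` matches inside a sliding `findtime`-second window.
    Returns the banned hosts in the order they would be banned."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)   # host -> failure timestamps still inside the window
    banned = []
    for host, ts in match_failures(log_text, failregex):
        q = recent[host]
        q.append(ts)
        while q and ts - q[0] > window:   # expire failures older than findtime
            q.popleft()
        if len(q) >= maxretry and host not in banned:
            banned.append(host)
    return banned


if __name__ == '__main__':
    # Gist settings with the root-install regex: only the web-root source is caught,
    # the GET and the 302 never count, and /blog/ is invisible to this regex.
    print('root regex, maxretry=5, findtime=60  :', find_bans(SAMPLE_LOG, ROOT_FAILREGEX, 5, 60))
    # The sub-directory variant also sees /blog/, but three attempts spread
    # over 101 s never fit inside a 60 s window.
    print('subdir regex, maxretry=3, findtime=60 :', find_bans(SAMPLE_LOG, SUBDIR_FAILREGEX, 3, 60))
    # With the 600 s default findtime mentioned in the comments, the slow source is banned too.
    print('subdir regex, maxretry=3, findtime=600:', find_bans(SAMPLE_LOG, SUBDIR_FAILREGEX, 3, 600))
```

Running the block prints the three ban lists; the third case is the trade-off behind the findtime discussion in the comments: a short window such as 60 seconds keeps the jail focused on rapid bursts, while a long window such as the 600-second default also catches slow, spaced-out attempts at the cost of more false positives from ordinary users who mistype a password a few times over several minutes.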
edwardbeckett: I'd recommend adding a decent findtime setting to limit the jail window. findtime = 60 seconds and maxretry = 3, etc...

gbot: @edwardbeckett Thanks for the suggestion, I was just relying on the findtime in the [default] settings (which is 600), but you're right, using a lower specific value in the jail is a good idea.