gbot · February 18, 2025 20:00
diff --git a/jail.local b/jail.local
 [wordpress]
 enabled = true
 filter = wordpress
 action = iptables-multiport[name="wordpress", port="http,https"]
    slack-notify[name="wordpress"]
 logpath = /sites/*/logs/access.log
    /var/log/nginx/access.log
 maxretry = 5
 backend = polling
diff --git a/slack-notify.conf b/slack-notify.conf
 # Send Fail2Ban notifications to Slack, via the chat.postMessage API method
 # Add your Slack API token and channel at end of this file
 # Author: Gavin Botica
 # [email protected]

 [Definition]
 # Option:  actionstart
 # Notes.:  command executed once at the start of Fail2Ban.
 # Values:  CMD
 actionstart = curl -s -o /dev/null 'https://slack.com/api/chat.postMessage' -d 'token=<slack_api_token>' -d 'channel=#<slack_channel>' -d 'parse=none' -d "text=:white_check_mark: *<fq-hostname>*: jail *<name>* started"

 # Option:  actionstop
 # Notes.:  command executed once at the end of Fail2Ban
 # Values:  CMD
 actionstop = curl -s -o /dev/null 'https://slack.com/api/chat.postMessage' -d 'token=<slack_api_token>' -d 'channel=#<slack_channel>' -d 'parse=none' -d "text=:negative_squared_cross_mark: *<fq-hostname>*: jail *<name>* stopped"

 # Option:  actioncheck
 # Notes.:  command executed once before each actionban command
 # Values:  CMD
 actioncheck =

 # Option:  actionban
 # Notes.:  command executed when banning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
 # Tags:    <ip>  IP address
 #          <failures>  number of failures
 #          <time>  unix timestamp of the ban time
 # Values:  CMD
 actionban = curl -s -o /dev/null 'https://slack.com/api/chat.postMessage' -d 'token=<slack_api_token>' -d 'channel=#<slack_channel>' -d 'parse=none' -d "text=:red_circle: *<fq-hostname>*: jail *<name>* BAN *<https://ipinfo.io/<ip>|<ip>>* for <failures> failure(s)"

 # Option:  actionunban
 # Notes.:  command executed when unbanning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
 # Tags:    <ip>  IP address
 #          <failures>  number of failures
 #          <time>  unix timestamp of the ban time
 # Values:  CMD
 actionunban = curl -s -o /dev/null 'https://slack.com/api/chat.postMessage' -d 'token=<slack_api_token>' -d 'channel=#<slack_channel>' -d 'parse=none' -d "text=:white_circle: *<fq-hostname>*: jail *<name>* UNBAN *<https://ipinfo.io/<ip>|<ip>>*"

 [Init]
 init = 'Sending notification to Slack'
 slack_api_token = 
 slack_channel = 
diff --git a/wordpress.conf b/wordpress.conf
 # Fail2Ban filter for wordpress authentication failures

 [Definition]

 # Option:  failregex
 # Notes.:  regex to match the password failures messages in the logfile. The
 #          host must be matched by a group named "host". The tag "<HOST>" can
 #          be used for standard IP/hostname matching and is only an alias for
 #          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
 # Values:  TEXT
 #

 # Note: wp-login will return a 200 code on failed login and a 302 on success
 failregex = ^<HOST>.* "POST .*/wp-login.php([/\?#\\].*)? HTTP/.*" 200

 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
 # Values:  TEXT
 #
 ignoreregex =
	[wordpress]
	enabled = true
	filter = wordpress
	action = iptables-multiport[name="wordpress", port="http,https"]
	slack-notify[name="wordpress"]
	logpath = /sites/*/logs/access.log
	/var/log/nginx/access.log
	maxretry = 5
	backend = polling
	# Send Fail2Ban notifications to Slack, via the chat.postMessage API method
	# Add your Slack API token and channel at end of this file
	# Author: Gavin Botica
	# [email protected]

	[Definition]
	# Option: actionstart
	# Notes.: command executed once at the start of Fail2Ban.
	# Values: CMD
	actionstart = curl -s -o /dev/null 'https://slack.com/api/chat.postMessage' -d 'token=<slack_api_token>' -d 'channel=#<slack_channel>' -d 'parse=none' -d "text=:white_check_mark: <fq-hostname>: jail <name> started"

	# Option: actionstop
	# Notes.: command executed once at the end of Fail2Ban
	# Values: CMD
	actionstop = curl -s -o /dev/null 'https://slack.com/api/chat.postMessage' -d 'token=<slack_api_token>' -d 'channel=#<slack_channel>' -d 'parse=none' -d "text=:negative_squared_cross_mark: <fq-hostname>: jail <name> stopped"

	# Option: actioncheck
	# Notes.: command executed once before each actionban command
	# Values: CMD
	actioncheck =

	# Option: actionban
	# Notes.: command executed when banning an IP. Take care that the
	# command is executed with Fail2Ban user rights.
	# Tags: <ip> IP address
	# <failures> number of failures
	# <time> unix timestamp of the ban time
	# Values: CMD
	actionban = curl -s -o /dev/null 'https://slack.com/api/chat.postMessage' -d 'token=<slack_api_token>' -d 'channel=#<slack_channel>' -d 'parse=none' -d "text=:red_circle: <fq-hostname>: jail <name> BAN <https://ipinfo.io/<ip>\|<ip>> for <failures> failure(s)"

	# Option: actionunban
	# Notes.: command executed when unbanning an IP. Take care that the
	# command is executed with Fail2Ban user rights.
	# Tags: <ip> IP address
	# <failures> number of failures
	# <time> unix timestamp of the ban time
	# Values: CMD
	actionunban = curl -s -o /dev/null 'https://slack.com/api/chat.postMessage' -d 'token=<slack_api_token>' -d 'channel=#<slack_channel>' -d 'parse=none' -d "text=:white_circle: <fq-hostname>: jail <name> UNBAN <https://ipinfo.io/<ip>\|<ip>>"

	[Init]
	init = 'Sending notification to Slack'
	slack_api_token =
	slack_channel =
	# Fail2Ban filter for wordpress authentication failures

	[Definition]

	# Option: failregex
	# Notes.: regex to match the password failures messages in the logfile. The
	# host must be matched by a group named "host". The tag "<HOST>" can
	# be used for standard IP/hostname matching and is only an alias for
	# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
	# Values: TEXT
	#

	# Note: wp-login will return a 200 code on failed login and a 302 on success
	failregex = ^<HOST>.* "POST ./wp-login.php([/\?#\\].)? HTTP/.*" 200

	# Option: ignoreregex
	# Notes.: regex to ignore. If this regex matches, the line is ignored.
	# Values: TEXT
	#
	ignoreregex =