I created a filter for fail2ban to mitigate WordPress bruteforce attacks.

/etc/fail2ban/filter.d/wp-login.conf

Code:
# Fail2Ban filter for WordPress login attempts
# ISPConfig log version (/var/log/apache2/other_vhosts_access.log)
# Test with:
# fail2ban-regex /var/log/apache2/other_vhosts_access.log /etc/fail2ban/filter.d/wp-login.conf /etc/fail2ban/filter.d/wp-login.conf
#
[Definition]
failregex = ^.*:\d+\ <HOST>.*\"POST\ \/wp-login\.php HTTP\/.*\"
ignoreregex =

Tell fail2ban to use the filter with /etc/fail2ban/jail.d/wp-login.conf (you can change this name as you prefer)

Code:
[wp-login]
enabled  = true
filter   = wp-login
logpath  = /var/log/apache2/other_vhosts_access.log
maxretry = 3
findtime = 180
bantime  = 600
port     = http,https

To remember:
findtime is the time window within which the attempts must occur to be counted as bruteforcing
bantime is the time to ban the IP
Thank you very much for this post. I'm using it for Apache2 POST flooding. Works like a charm with slight mods.
I'd suggest making one for xmlrpc as well, maybe not quite as restrictive: regular repeated xmlrpc calls could be valid, but considering a single malicious xmlrpc call to WordPress could easily attempt 500 or more different login/password combinations, there should definitely be some protection in place against it.

* Added here just in case it isn't obvious to readers: just create a copy of the 2 files above, replacing all instances of 'wp-login' with 'xmlrpc' (including the filenames themselves).
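As an added example that is not part of this thread, the script below replays constructed log lines in the other_vhosts_access.log (vhost_combined) format through the failregex from the first post and through the xmlrpc copy suggested above, applying the jail's maxretry/findtime/bantime rules, so you can see which hosts get banned and why without a running fail2ban. It also shows one gap a practitioner would want to know about: the posted pattern requires " HTTP/" directly after the path, so a POST to /wp-login.php?anything still reaches WordPress but is never counted; the hardened pattern that tolerates a query string is my suggestion, not something from the thread. The <HOST> expansion is a simplified stand-in for fail2ban's, and all log lines and IP addresses are made up.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Simplified stand-in for fail2ban's <HOST> expansion (no IPv4-mapped IPv6 prefix).
HOST_RE = r"(?P<host>[\w\-.^_]*\w)"

# failregex from the wp-login filter in the first post (dot escaped) and the
# xmlrpc copy suggested above. Both require " HTTP/" right after the path, so a
# POST to /wp-login.php?anything reaches WordPress but is never counted; the
# hardened pattern (my addition, not from the thread) tolerates a query string.
WP_LOGIN_FAILREGEX = r'^.*:\d+\ <HOST>.*"POST\ \/wp-login\.php HTTP\/.*"'
XMLRPC_FAILREGEX = r'^.*:\d+\ <HOST>.*"POST\ \/xmlrpc\.php HTTP\/.*"'
WP_LOGIN_HARDENED = r'^.*:\d+\ <HOST>.*"POST\ \/wp-login\.php(?:\?\S*)? HTTP\/.*"'


def compile_failregex(failregex):
    """Turn a fail2ban-style failregex into a Python pattern."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def parse_apache_time(line):
    """Read the [dd/Mon/yyyy:HH:MM:SS +zzzz] stamp of a vhost_combined log line."""
    stamp = re.search(r"\[([^\]]+)\]", line).group(1)
    return datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")


def run_jail(log_lines, failregex, maxretry, findtime, bantime):
    """Replay log lines through one jail and return [(host, ban_time), ...].

    A host is banned on its maxretry-th matching line if that line falls within
    findtime seconds of the oldest still-counted match; the ban lasts bantime
    seconds, during which further lines from that host are ignored.
    """
    rx = compile_failregex(failregex)
    recent = defaultdict(deque)   # host -> timestamps of matches inside findtime
    banned_until = {}             # host -> expiry of the current ban
    bans = []
    for line in log_lines:
        m = rx.match(line)
        if not m:
            continue
        host, ts = m.group("host"), parse_apache_time(line)
        if host in banned_until and ts < banned_until[host]:
            continue              # a live ban would have dropped this request
        hits = recent[host]
        hits.append(ts)
        while (ts - hits[0]).total_seconds() > findtime:
            hits.popleft()        # fell out of the sliding findtime window
        if len(hits) >= maxretry:
            banned_until[host] = ts + timedelta(seconds=bantime)
            bans.append((host, ts))
            hits.clear()
    return bans


def _line(ip, stamp, request, status=200):
    """Constructed vhost_combined line (what ISPConfig writes to other_vhosts_access.log)."""
    return f'blog.example:443 {ip} - - [{stamp}] "{request}" {status} 512 "-" "Mozilla/5.0"'


# Constructed sample log; addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = [
    # 203.0.113.5: three POSTs in 44 s -> banned on the third (maxretry=3, findtime=180)
    _line("203.0.113.5", "10/Feb/2024:12:00:01 +0000", "POST /wp-login.php HTTP/1.1"),
    _line("192.0.2.9", "10/Feb/2024:12:00:05 +0000", "GET /wp-login.php HTTP/1.1"),  # page load, not a failure
    _line("203.0.113.5", "10/Feb/2024:12:00:20 +0000", "POST /wp-login.php HTTP/1.1"),
    _line("203.0.113.5", "10/Feb/2024:12:00:45 +0000", "POST /wp-login.php HTTP/1.1"),
    # 198.51.100.7: three POSTs four minutes apart; never three inside one findtime window
    _line("198.51.100.7", "10/Feb/2024:12:01:00 +0000", "POST /wp-login.php HTTP/1.1"),
    _line("198.51.100.7", "10/Feb/2024:12:05:00 +0000", "POST /wp-login.php HTTP/1.1"),
    _line("198.51.100.7", "10/Feb/2024:12:09:00 +0000", "POST /wp-login.php HTTP/1.1"),
    # 198.51.100.23: same attack with a query string; only the hardened regex counts it
    _line("198.51.100.23", "10/Feb/2024:12:10:00 +0000", "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1"),
    _line("198.51.100.23", "10/Feb/2024:12:10:10 +0000", "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1"),
    _line("198.51.100.23", "10/Feb/2024:12:10:20 +0000", "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1"),
]
# 203.0.113.77: twelve xmlrpc.php POSTs five seconds apart
_start = datetime(2024, 2, 10, 12, 20, tzinfo=timezone.utc)
SAMPLE_LOG += [
    _line("203.0.113.77", (_start + timedelta(seconds=5 * i)).strftime("%d/%b/%Y:%H:%M:%S %z"),
          "POST /xmlrpc.php HTTP/1.1")
    for i in range(12)
]

if __name__ == "__main__":
    print("wp-login (posted regex):", run_jail(SAMPLE_LOG, WP_LOGIN_FAILREGEX, 3, 180, 600))
    print("wp-login (hardened):    ", run_jail(SAMPLE_LOG, WP_LOGIN_HARDENED, 3, 180, 600))
    print("xmlrpc (maxretry=10):   ", run_jail(SAMPLE_LOG, XMLRPC_FAILREGEX, 10, 180, 600))
```

Running it shows 203.0.113.5 banned at 12:00:45 under the posted regex, 198.51.100.7 never banned because no three of its POSTs fall inside one 180-second window, 198.51.100.23 banned only once the hardened regex is used, and 203.0.113.77 banned on its tenth xmlrpc.php POST with the looser maxretry=10 jail, after which its remaining lines are ignored for the duration of the ban. On a real box the authoritative check is still fail2ban-regex against the live log, since fail2ban's own <HOST> handling (IPv6, hostnames) is richer than the stand-in here.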
Thank you for that. That was my first attempt at a filter because there were so many of those, but then I had about 600 messages in my inbox from that contact-us form. My old filters stopped working when I installed Debian 12. With your example above I will be able to replace all my old filters.