Hello,

I'm trying to set up fail2ban for WordPress, but it is not banning. Here is my config:

/etc/fail2ban/jail.local

[wordpress]
enabled = true
filter = wordpress
action = iptables-multiport[name=wordpress, port="http,https"]
logpath = /var/log/ispconfig/httpd/*/access.log
maxretry = 3
bantime = 1800

/etc/fail2ban/filter.d/wordpress.conf

# Fail2Ban filter for WordPress
#
#
[Definition]
failregex = ^<HOST> .* "POST /wp-login.php
ignoreregex =

Am I missing anything? Please help me.

Thank you
I've not used iptables-multiport anywhere else other than what ispconfig has by following the Perfect Server guide, but the line there includes a protocol, so you could try:

Code:
action = iptables-multiport[name=wordpress, port="http,https", protocol=tcp]

Other than that, perhaps your regex isn't matching. You can test that with fail2ban-regex, though you have to specify a specific log file (not wild .../*/access.log), so look up a name:

Code:
fail2ban-regex /var/log/ispconfig/httpd/domain.com/access.log /etc/fail2ban/filter.d/wordpress.conf

If your regex doesn't match you could try this one, though I've had cases where leaving a wordpress site open in my browser timed out my session, and the login prompt kept reloading frequently, and I ended up blocking myself with this (doesn't happen frequently, but more than once -- perhaps remove the GET and it'd help?):

Code:
# cat /etc/fail2ban/filter.d/wp-login.local
# Fail2ban config file matching wp-login.php access
#
# Author: Jesse Norell
#
[Definition]
# This matches failed and successful attempts,
# so set maxretries high enough to allow a few legitimate failed logins
failregex = ^[^ ]* <HOST> .*"(GET|POST) //?wp-login.php
ignoreregex =

And I should probably mention, I haven't used that particular fail2ban filter on an ispconfig server, but on an older control panel (dtc), so haven't verified the log format/regex matches.
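As an added example (not code from either poster), this Python sketch runs both failregex lines from the thread over constructed access-log lines in two layouts, plain combined and vhost-prefixed, and reports which hosts reach maxretry. The HOST pattern is a simplified stand-in for fail2ban's `<HOST>` tag, the log layouts and addresses are assumptions, and fail2ban-regex against the real log file remains the authoritative check.

```python
import re
from collections import Counter

# Simplified stand-in for fail2ban's <HOST> tag (assumption: the real
# expansion is more elaborate and varies between fail2ban versions).
HOST = r"(?P<host>[\w\-.:]*\w)"

# failregex lines copied from the two filters in the thread.
FILTERS = {
    "wordpress.conf": r'^<HOST> .* "POST /wp-login.php',
    "wp-login.local": r'^[^ ]* <HOST> .*"(GET|POST) //?wp-login.php',
}

def line(ip, method, path, vhost=""):
    """Build one constructed access-log line; vhost adds a leading field."""
    return (f'{vhost}{ip} - - [12/Mar/2024:10:00:01 +0000] '
            f'"{method} {path} HTTP/1.1" 200 4521 "-" "Mozilla/5.0"')

# Constructed traffic: three login POSTs from one client, and a browser
# that reloads the login prompt three times and fetches one other page.
REQUESTS = ([("203.0.113.7", "POST", "/wp-login.php")] * 3
            + [("198.51.100.9", "GET", "/wp-login.php")] * 3
            + [("198.51.100.9", "GET", "/index.php")])
COMBINED = [line(*r) for r in REQUESTS]                       # assumed layout 1
VHOSTED = [line(*r, vhost="example.com ") for r in REQUESTS]  # assumed layout 2

def count_hits(failregex, lines):
    """Count matching lines per captured host, like fail2ban's retry counter."""
    rx = re.compile(failregex.replace("<HOST>", HOST))
    hits = Counter()
    for entry in lines:
        m = rx.search(entry)
        if m:
            hits[m.group("host")] += 1
    return hits

def would_ban(failregex, lines, maxretry=3):
    """Hosts whose hit count reaches maxretry (findtime is ignored here)."""
    return sorted(h for h, n in count_hits(failregex, lines).items() if n >= maxretry)

if __name__ == "__main__":
    for name, failregex in FILTERS.items():
        for layout, lines in (("combined", COMBINED), ("vhost-prefixed", VHOSTED)):
            print(f"{name:15} {layout:15} hits={dict(count_hits(failregex, lines))} "
                  f"ban={would_ban(failregex, lines)}")
```

In this sketch wordpress.conf still matches the vhost-prefixed layout but captures the vhost name instead of the client address, so check the captured host and not only the match count.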