fail2ban


Probing is happening all the time, so let's take a look at fail2ban. fail2ban reads your logs and, from what it finds there, decides that an IP should be banned.

After first noticing the load average go up, I realised one machine was being bombarded with attempts to find vulnerabilities within WordPress. So create a filter in /etc/fail2ban/filter.d/mywordpress.conf:

[Definition]
failregex = ^<HOST> -.*"(GET|POST) /wp-content/plugins/[^/]+/.* HTTP.*" 404
            ^<HOST> -.*"(GET|POST).*?(wp-login\.php|xmlrpc\.php|wp-config\.php|/wp-admin/admin-ajax\.php\?action=revslider_show_image|gf_page=upload|_input_3_vuln).*HTTP.*" (400|403|404)
ignoreregex =

Now, don't fret too much about the syntax, although you can work it out. You can drop example log lines into Copilot or ChatGPT to get help. Notice how you can add multiple failregex lines to widen your net.

Then you need a matching jail definition:

# /etc/fail2ban/jail.d/mywordpress.conf
[mywordpress]
enabled = true
filter = mywordpress
action = %(action_mwl)s
         iptables-multiport[name=WPPlugins, port="http,https"]
logpath = /var/log/httpd/*access_log
maxretry = 10
findtime = 1800
bantime = 1d
ignoreip = 127.0.0.1/8 ::1 192.168.0.11 192.168.0.64

So this will ban IPs for a day when they match the regex 10 times in an hour, but won't stop our local scanners from probing.
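To see how the filter and the jail fit together without touching a live server, here is an added Python example (not from this post and not fail2ban's own code) that replays constructed Apache log lines through the same failregex, maxretry, findtime and ignoreip values. It assumes the combined log format and simplifies fail2ban's <HOST> pattern to a non-space token.

```python
import re
import ipaddress
from collections import defaultdict, deque
from datetime import datetime

# failregex lines from the mywordpress.conf filter above; <HOST> becomes a named
# group (fail2ban's own host pattern is richer, \S+ is a simplification here)
FAILREGEX = [
    r'^<HOST> -.*"(GET|POST) /wp-content/plugins/[^/]+/.* HTTP.*" 404',
    r'^<HOST> -.*"(GET|POST).*?(wp-login\.php|xmlrpc\.php|wp-config\.php|'
    r'/wp-admin/admin-ajax\.php\?action=revslider_show_image|gf_page=upload|_input_3_vuln).*HTTP.*" (400|403|404)',
]
PATTERNS = [re.compile(r.replace('<HOST>', r'(?P<host>\S+)')) for r in FAILREGEX]
TIME_RE = re.compile(r'\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]')
MAXRETRY, FINDTIME = 10, 1800   # from the mywordpress jail above (bantime not needed here)
IGNOREIP = [ipaddress.ip_network(n, strict=False)
            for n in ('127.0.0.1/8', '::1', '192.168.0.11', '192.168.0.64')]

def match_failure(line):
    """Return the offending host if the line hits any failregex, else None."""
    matches = (p.search(line) for p in PATTERNS)
    return next((m.group('host') for m in matches if m), None)

def would_ban(lines):
    """Replay log lines through the jail: MAXRETRY hits inside a sliding FINDTIME window ban a host, unless ignored."""
    hits, banned = defaultdict(deque), []
    for line in lines:
        host = match_failure(line)
        if host is None or any(ipaddress.ip_address(host) in n for n in IGNOREIP):
            continue
        ts = datetime.strptime(TIME_RE.search(line).group(1), '%d/%b/%Y:%H:%M:%S %z').timestamp()
        q = hits[host]
        q.append(ts)
        while ts - q[0] > FINDTIME:   # forget hits that fell out of the window
            q.popleft()
        if len(q) >= MAXRETRY and host not in banned:
            banned.append(host)
    return banned

def log_line(ip, minute, request, status):
    """Constructed Apache combined-format line, dated 1 May 2024 at 10:<minute> UTC."""
    return f'{ip} - - [01/May/2024:10:{minute:02d}:00 +0000] "{request} HTTP/1.1" {status} 512 "-" "curl/8.0"'

# constructed sample: plugin scanner, slow xmlrpc prober (45 min), LAN scanner in ignoreip, genuine login (200)
SAMPLE = (
    [log_line('203.0.113.9', m, f'GET /wp-content/plugins/p{m}/readme.txt', 404) for m in range(10)]
    + [log_line('198.51.100.7', 5 * m, 'POST /xmlrpc.php', 403) for m in range(10)]
    + [log_line('192.168.0.11', m, 'GET /wp-login.php', 404) for m in range(12)]
    + [log_line('192.0.2.44', 30, 'POST /wp-login.php', 200)]
)
```

Only the plugin scanner gets banned: the xmlrpc prober never has 10 hits inside any 30-minute window, the LAN host is in ignoreip, and a 200 response never matches the filter.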

Status for the jail: apache-wp-plugins
|- Filter
|  |- Currently failed: 4
|  |- Total failed:     7
|  `- File list:        /var/log/httpd/mysite_access_log
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:

It’s worth getting to know fail2ban to make your life easier.

There are a lot of command-line options, for example to pick out banned IPs:

 fail2ban-client get apache-wp-plugins banned
 fail2ban-client set mywordpress banip 1.2.3.4
 fail2ban-client status
 fail2ban-client set mywordpress unbanip 1.2.3.4

You can test your filters, perhaps while you use curl to send some probes:

fail2ban-regex /var/log/httpd/mysite_access_log /etc/fail2ban/filter.d/mywordpress.conf --print-all-matched

I found my fail2ban was emailing about every jail when I restarted it. You can stop that with "actionstart =" and "actionstop =" in jail.local.

jail.local is where you configure it to mail you:

[DEFAULT]
destemail = your@email.com
sender = fail2ban@yourdomain.com
# mta selects the mail action scripts: sendmail or mail, whichever is installed
mta = sendmail
action = %(action_mwl)s

I use firewalld, so I needed to edit /etc/fail2ban/action.d/firewall-common.conf and set which ports, as the default of "port = 1:65535" didn't work.

port = 80,443

My Apache logs are not in a default place, so I can use paths-common.conf to define them. So basically, it's time to stop the fun for script kiddies. There are tools you can buy, and plugins for WordPress, but basically fail2ban can do the job.

Well, that's about it. It's emailing me for now, until I get bored of them, and is blocking IPs.