fail2ban: add wordpress filters

fail2ban/defaults/main.yml

@@ -2,3 +2,4 @@
 general_alert_email: "root@localhost"
 fail2ban_alert_email: Null
 fail2ban_ignore_ips: []
+fail2ban_wordpress: False

fail2ban/files/wordpress-hard.conf

@@ -0,0 +1,31 @@
+# Fail2Ban configuration file soft
+#
+# Author: Charles Lecklider
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+
+[Definition]
+
+_daemon = (?:wordpress|wp)
+
+# Option:  failregex
+# Notes.:  regex to match the password failures messages in the logfile. The
+#          host must be matched by a group named "host". The tag "<HOST>" can
+#          be used for standard IP/hostname matching and is only an alias for
+#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
+# Values:  TEXT
+#
+failregex = ^%(__prefix_line)sAuthentication failure for .* from <HOST>$
+            ^%(__prefix_line)sXML-RPC authentication failure from <HOST>$
+
+# Option:  ignoreregex
+# Notes.:  regex to ignore. If this regex matches, the line is ignored.
+# Values:  TEXT
+#
+ignoreregex =

fail2ban/files/wordpress-soft.conf

@@ -0,0 +1,33 @@
+# Fail2Ban configuration file hard
+#
+# Author: Charles Lecklider
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+
+[Definition]
+
+_daemon = (?:wordpress|wp)
+
+# Option:  failregex
+# Notes.:  regex to match the password failures messages in the logfile. The
+#          host must be matched by a group named "host". The tag "<HOST>" can
+#          be used for standard IP/hostname matching and is only an alias for
+#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
+# Values:  TEXT
+#
+failregex = ^%(__prefix_line)sAuthentication attempt for unknown user .* from <HOST>( via XML-RPC)?$
+            ^%(__prefix_line)sBlocked authentication attempt for .* from <HOST>( via XML-RPC)?$
+            ^%(__prefix_line)sBlocked user enumeration attempt from <HOST>$
+            ^%(__prefix_line)sPingback error .* generated from <HOST>$
+
+# Option:  ignoreregex
+# Notes.:  regex to ignore. If this regex matches, the line is ignored.
+# Values:  TEXT
+#
+ignoreregex =

fail2ban/tasks/main.yml

@@ -38,6 +38,8 @@
   with_items:
     - dovecot-evolix.conf
     - sasl-evolix.conf
+    - wordpress-soft.conf
+    - wordpress-hard.conf
   notify: restart fail2ban
   tags:
     - fail2ban

fail2ban/templates/jail.local.j2

@@ -26,3 +26,21 @@ action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(proto
                %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
 
 action = %(action_mwl)s
+
+{% if fail2ban_wordpress %}
+[wordpress-hard]
+enabled = true
+port = http,https
+filter = wordpress-hard
+logpath = /var/log/auth.log
+maxretry = 1
+findtime = 300
+
+[wordpress-soft]
+enabled = true
+port = http,https
+filter = wordpress-soft
+logpath = /var/log/auth.log
+maxretry = 5
+findtime = 300
+{% endif %}