fail2ban: add wordpress filters

Victor LABORIE 2017-10-18 15:44:20 +02:00
parent 938aaa4ec1
commit 97e4abb37c
5 changed files with 85 additions and 0 deletions


@ -2,3 +2,4 @@
general_alert_email: "root@localhost"
fail2ban_alert_email: Null
fail2ban_ignore_ips: []
fail2ban_wordpress: False


@ -0,0 +1,31 @@
# Fail2Ban configuration file soft
#
# Author: Charles Lecklider
#
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf
[Definition]
_daemon = (?:wordpress|wp)
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = ^%(__prefix_line)sAuthentication failure for .* from <HOST>$
^%(__prefix_line)sXML-RPC authentication failure from <HOST>$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
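Review bot: The `.*` in `Authentication failure for .* from <HOST>$` stands for what is presumably the submitted login name, so the trailing `$` is what makes `<HOST>` bind to the address appended at the end of the line rather than to text inside the name, and nothing in the file says so. I would add above `failregex`: `# The user name is client-supplied: keep the trailing $ so <HOST> can only match the address at the end of the line.` The same applies to the `.*` patterns in the hard filter added by this commit. The header could also name the WordPress plugin that emits these messages, which the file does not state.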


@ -0,0 +1,33 @@
# Fail2Ban configuration file hard
#
# Author: Charles Lecklider
#
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf
[Definition]
_daemon = (?:wordpress|wp)
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = ^%(__prefix_line)sAuthentication attempt for unknown user .* from <HOST>( via XML-RPC)?$
^%(__prefix_line)sBlocked authentication attempt for .* from <HOST>( via XML-RPC)?$
^%(__prefix_line)sBlocked user enumeration attempt from <HOST>$
^%(__prefix_line)sPingback error .* generated from <HOST>$
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
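Review bot: `Authentication attempt for unknown user .* from <HOST>` would also fire when a legitimate user mistypes a login name, and this filter is attached to the `wordpress-hard` jail that this commit defines with `maxretry = 1`, so a single typo is enough for a ban. Either move that pattern to the soft filter or state the trade-off in the header, e.g. `# Hard filter: meant for a jail with maxretry = 1; one matching line bans the source address.` The `Notes.:` text copied from the soft filter still describes only password failures, while the patterns here also cover blocked users, user enumeration and pingback errors.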


@ -38,6 +38,8 @@
with_items:
- dovecot-evolix.conf
- sasl-evolix.conf
- wordpress-soft.conf
- wordpress-hard.conf
notify: restart fail2ban
tags:
- fail2ban


@ -26,3 +26,21 @@ action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(proto
%(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
action = %(action_mwl)s
{% if fail2ban_wordpress %}
[wordpress-hard]
enabled = true
port = http,https
filter = wordpress-hard
logpath = /var/log/auth.log
maxretry = 1
findtime = 300
[wordpress-soft]
enabled = true
port = http,https
filter = wordpress-soft
logpath = /var/log/auth.log
maxretry = 5
findtime = 300
{% endif %}
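Review bot: Both jails act on the client address as the web application wrote it to `/var/log/auth.log`, and the template documents neither where that address comes from nor what must be installed for these lines to appear at all. If the site sits behind a reverse proxy or load balancer the logged address may be the proxy's, and with `maxretry = 1` in `[wordpress-hard]` one event would block it on `http,https`; `fail2ban_ignore_ips` defaults to `[]` in this commit and presumably feeds `ignoreip`. I would add a comment above the block such as `# Needs the WordPress plugin that logs authentication events to syslog (auth.log); add any reverse proxy to fail2ban_ignore_ips before enabling.` No `bantime` is set in either jail, so both inherit the default, which is defined outside this hunk.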