From 97e4abb37c98b4e6c42ac18e19388b5e1be71daa Mon Sep 17 00:00:00 2001
From: Victor LABORIE
Date: Wed, 18 Oct 2017 15:44:20 +0200
Subject: [PATCH] fail2ban: add wordpress filters
---
 fail2ban/defaults/main.yml | 1 +
 fail2ban/files/wordpress-hard.conf | 31 ++++++++++++++++++++++++++++
 fail2ban/files/wordpress-soft.conf | 33 ++++++++++++++++++++++++++++++
 fail2ban/tasks/main.yml | 2 ++
 fail2ban/templates/jail.local.j2 | 18 ++++++++++++++++
 5 files changed, 85 insertions(+)
 create mode 100644 fail2ban/files/wordpress-hard.conf
 create mode 100644 fail2ban/files/wordpress-soft.conf
diff --git a/fail2ban/defaults/main.yml b/fail2ban/defaults/main.yml
index 2fe40951..5c4df4f0 100644
--- a/fail2ban/defaults/main.yml
+++ b/fail2ban/defaults/main.yml
@@ -2,3 +2,4 @@ general_alert_email: "root@localhost"
 fail2ban_alert_email: Null
 fail2ban_ignore_ips: []
+fail2ban_wordpress: False
diff --git a/fail2ban/files/wordpress-hard.conf b/fail2ban/files/wordpress-hard.conf
new file mode 100644
index 00000000..0eba3cf0
--- /dev/null
+++ b/fail2ban/files/wordpress-hard.conf
@@ -0,0 +1,31 @@
+# Fail2Ban configuration file soft
+#
+# Author: Charles Lecklider
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+
+[Definition]
+
+_daemon = (?:wordpress|wp)
+
+# Option: failregex
+# Notes.: regex to match the password failures messages in the logfile. The
+# host must be matched by a group named "host". The tag "" can
+# be used for standard IP/hostname matching and is only an alias for
+# (?:::f{4,6}:)?(?P[\w\-.^_]+)
+# Values: TEXT
+#
+failregex = ^%(__prefix_line)sAuthentication failure for .* from $
+ ^%(__prefix_line)sXML-RPC authentication failure from $
+
+# Option: ignoreregex
+# Notes.: regex to ignore. If this regex matches, the line is ignored.
+# Values: TEXT
+#
+ignoreregex = 
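Review bot: The header comment of wordpress-hard.conf reads `# Fail2Ban configuration file soft`, while wordpress-soft.conf in the next hunk reads `# Fail2Ban configuration file hard`; the two labels are swapped and each should name its own file. As rendered here the failregex lines end in `from $` with no host capture group — if that is not an artifact of this copy, fail2ban will refuse to load a filter whose failregex has no `HOST` tag, so the file on disk is worth checking. The `Notes.:` block is the stock fail2ban template text; a one-line comment stating which log source these messages come from (they appear to be the messages emitted by the WP fail2ban plugin, given the Author line) would tell operators what must be configured on the WordPress side for the jail to ever match anything.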
diff --git a/fail2ban/files/wordpress-soft.conf b/fail2ban/files/wordpress-soft.conf
new file mode 100644
index 00000000..345aab68
--- /dev/null
+++ b/fail2ban/files/wordpress-soft.conf
@@ -0,0 +1,33 @@
+# Fail2Ban configuration file hard
+#
+# Author: Charles Lecklider
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+
+[Definition]
+
+_daemon = (?:wordpress|wp)
+
+# Option: failregex
+# Notes.: regex to match the password failures messages in the logfile. The
+# host must be matched by a group named "host". The tag "" can
+# be used for standard IP/hostname matching and is only an alias for
+# (?:::f{4,6}:)?(?P[\w\-.^_]+)
+# Values: TEXT
+#
+failregex = ^%(__prefix_line)sAuthentication attempt for unknown user .* from ( via XML-RPC)?$
+ ^%(__prefix_line)sBlocked authentication attempt for .* from ( via XML-RPC)?$
+ ^%(__prefix_line)sBlocked user enumeration attempt from $
+ ^%(__prefix_line)sPingback error .* generated from $
+
+# Option: ignoreregex
+# Notes.: regex to ignore. If this regex matches, the line is ignored.
+# Values: TEXT
+#
+ignoreregex =
diff --git a/fail2ban/tasks/main.yml b/fail2ban/tasks/main.yml
index 7a47a0ce..fbed85eb 100644
--- a/fail2ban/tasks/main.yml
+++ b/fail2ban/tasks/main.yml
@@ -38,6 +38,8 @@
 with_items:
 - dovecot-evolix.conf
 - sasl-evolix.conf
+ - wordpress-soft.conf
+ - wordpress-hard.conf
 notify: restart fail2ban
 tags:
 - fail2ban
diff --git a/fail2ban/templates/jail.local.j2 b/fail2ban/templates/jail.local.j2
index 2f4d6bc3..b336e535 100644
--- a/fail2ban/templates/jail.local.j2
+++ b/fail2ban/templates/jail.local.j2
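Review bot: The `Notes.:` comment above failregex in wordpress-soft.conf still describes "password failures messages", but two of the four patterns match blocked user-enumeration attempts and pingback errors rather than logins; the comment should say so, e.g. `# Notes.: matches failed logins, blocked user enumeration and pingback errors logged by WordPress`. The pingback pattern bans whatever host "generated" the failing pingback, which presumably can be a remote site rather than a visitor's client; a short comment on that line would keep a later reader from lowering the jail's `maxretry` without noticing the blast radius. The `( via XML-RPC)?` suffix is only applied to the first two patterns, so it may be worth a comment stating that the enumeration and pingback messages never carry it, if that is confirmed against the log source.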
@@ -26,3 +26,21 @@ action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(proto
 %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
 action = %(action_mwl)s
 
+
+{% if fail2ban_wordpress %}
+[wordpress-hard]
+enabled = true
+port = http,https
+filter = wordpress-hard
+logpath = /var/log/auth.log
+maxretry = 1
+findtime = 300
+
+[wordpress-soft]
+enabled = true
+port = http,https
+filter = wordpress-soft
+logpath = /var/log/auth.log
+maxretry = 5
+findtime = 300
+{% endif %}
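Review bot: Both new jails hard-code `logpath = /var/log/auth.log`, yet nothing in the template explains why WordPress authentication messages would appear in that file; a comment above the `{% if fail2ban_wordpress %}` block such as `# WordPress must log auth events to syslog (e.g. via the WP fail2ban plugin); the wordpress-* filters match those messages` would make the prerequisite explicit to whoever enables the flag. Neither jail sets `bantime`, so the value inherited from the section above applies to both — fine if intended, but since `maxretry = 1` on wordpress-hard bans on a single password or XML-RPC failure, stating the ban duration next to it would make that trade-off visible. The section holding `action = %(action_mwl)s` starts before this hunk.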