In part 1 of this tutorial we looked at installing fail2ban and configuring some of the default jails. In this second part we shall look at some further jails, and configure filters and jails for applications not covered by the default installation.
Recidive
re·cid·i·vism (rĭ-sĭd′ə-vĭz′əm)n.
The repeating of or returning to criminal behavior by the same offender or type of offender.
One of the cool features of fail2ban is its ability to apply a filter to its own log file and take action accordingly. The recidive jail does exactly that: once an IP has been banned by another jail a given number of times within the findtime window, recidive hands out a further ban, but this time on all ports. To implement it, simply create the file /etc/fail2ban/jail.d/recidive.conf with the following contents.
```ini
[recidive]
enabled = true
maxretry = 3
```
Remember to restart the fail2ban service after making any changes.
WordPress
If you are running a WordPress installation, you are almost certainly seeing plenty of attempts on wp-login.php and some other pages. A simple /etc/fail2ban/filter.d/wordpress.conf looks like this. The failregex matches POST submissions to wp-login.php (login attempts) and to xmlrpc.php (the XML-RPC endpoint, which is also used for password guessing); fail2ban replaces the <HOST> token with its own pattern for the client address.

```ini
[Definition]
_jailname = wordpress
failregex = ^<HOST> .* "POST .*wp-login.php
            ^<HOST> .* "POST .*xmlrpc.php
ignoreregex =
```
In /etc/fail2ban/jail.d/wordpress.conf add the following content. Because the jail is named wordpress, fail2ban picks up filter.d/wordpress.conf automatically. This jail looks for 4 matches of the above filter in the NGINX access logs within 1 hour (findtime is in seconds), and bans the offending IP on ports 80 and 443 when that many attempts are detected.

```ini
[wordpress]
enabled = true
port = http,https
action = iptables-multiport[name=wordpress, port="http,https", protocol=tcp]
logpath = /var/log/nginx/access*log
maxretry = 4
findtime = 3600
```

Two things to check before relying on this. First, the failregex begins with <HOST>, so it expects the client address to be the first field on each line, as it is in NGINX's default combined log format; if NGINX sits behind a proxy or load balancer, the first field is the proxy's address and the jail would ban the proxy rather than the attacker. Second, run the filter against your real log before enabling the jail, with fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/wordpress.conf, and confirm that it reports matches for the POST lines and none for ordinary GET requests.
Remember to restart the fail2ban service after making any changes.
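To make the interaction between the two jails above concrete, here is a small Python model of what fail2ban does with them: it applies the wordpress failregex to NGINX access-log lines, counts matches per host inside the findtime window, records a ban at maxretry, and then feeds the Ban lines that fail2ban would write to its own log through the recidive filter. This is an added illustration, not fail2ban's code or the tutorial's; the <HOST> expansion, the recidive regex, the fail2ban.log line format, the host addresses and the log lines are all constructed assumptions, simplified from the real ones.

```python
"""Miniature model of two chained fail2ban jails: the WordPress jail reads nginx
access-log lines, and the recidive jail reads the Ban lines fail2ban itself logs.
Added illustration only; this is not fail2ban's code."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# fail2ban expands <HOST> in a failregex to a pattern matching an IP address or
# hostname.  This stand-in (an assumption) only matches IPv4/IPv6 addresses.
HOST = r"(?P<host>[0-9a-fA-F:.]+)"

# The two failregex lines from filter.d/wordpress.conf, with <HOST> expanded.
WORDPRESS_FAILREGEX = [
    re.compile(r"^" + HOST + r' .* "POST .*wp-login.php'),
    re.compile(r"^" + HOST + r' .* "POST .*xmlrpc.php'),
]
# Simplified form of fail2ban's stock recidive filter (assumption): a NOTICE
# "Ban" line written by any jail other than recidive itself.
RECIDIVE_FAILREGEX = [
    re.compile(r"NOTICE\s+\[(?!recidive\])[^\]]+\]\s+Ban\s+" + HOST + r"\s*$"),
]

def nginx_time(line):
    """Timestamp of a combined-format nginx access-log line."""
    stamp = re.search(r"\[([^\]]+)\]", line).group(1)
    return datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")

def fail2ban_time(line):
    """Timestamp of a fail2ban.log line (assumed here to be written in UTC)."""
    return datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)

class Jail:
    """Count failregex matches per host inside a sliding findtime window and
    record a ban once maxretry matches accumulate, as a fail2ban jail does."""

    def __init__(self, name, failregex, maxretry, findtime, timestamp_of):
        self.name, self.failregex = name, failregex
        self.maxretry, self.findtime = maxretry, timedelta(seconds=findtime)
        self.timestamp_of = timestamp_of
        self.failures = defaultdict(deque)  # host -> times of recent matches
        self.bans = []                      # (time, host), in ban order

    def observe(self, line):
        """Feed one log line; return the host if this line trips the jail."""
        match = None
        for rx in self.failregex:
            match = rx.search(line)
            if match:
                break
        if match is None:
            return None
        now, host = self.timestamp_of(line), match.group("host")
        window = self.failures[host]
        window.append(now)
        while now - window[0] > self.findtime:  # drop matches older than findtime
            window.popleft()
        if len(window) >= self.maxretry:
            window.clear()                      # counter restarts after a ban
            self.bans.append((now, host))
            return host
        return None

    def ban_log_line(self, when, host):
        """The line fail2ban writes to fail2ban.log when this jail bans a host."""
        return "{} fail2ban.actions [1234]: NOTICE [{}] Ban {}".format(
            when.strftime("%Y-%m-%d %H:%M:%S,000"), self.name, host)

def access_line(host, when, request):
    """Constructed nginx combined-format log line (sample data, not real traffic)."""
    return '{} - - [{}] "{}" 200 512 "-" "Mozilla/5.0"'.format(
        host, when.strftime("%d/%b/%Y:%H:%M:%S %z"), request)

def run_scenario():
    """Replay constructed traffic through the WordPress jail (maxretry 4, findtime
    3600) and its Ban lines through recidive (maxretry 3, findtime one day)."""
    t0 = datetime(2024, 3, 1, 10, 0, tzinfo=timezone.utc)
    lines = [access_line("192.0.2.9", t0, "GET /wp-login.php HTTP/1.1")]  # never matches
    for burst in range(3):      # 203.0.113.5 returns for three bursts of four POSTs
        for i in range(4):
            lines.append(access_line("203.0.113.5", t0 + timedelta(hours=2 * burst, minutes=i),
                                     "POST /wp-login.php HTTP/1.1"))
    for i in range(4):          # 198.51.100.7 is slow: never four POSTs in one hour
        lines.append(access_line("198.51.100.7", t0 + timedelta(hours=2 * i, minutes=30),
                                 "POST /xmlrpc.php HTTP/1.1"))
    lines.sort(key=nginx_time)  # fail2ban sees the file in timestamp order

    wordpress = Jail("wordpress", WORDPRESS_FAILREGEX, 4, 3600, nginx_time)
    for line in lines:
        wordpress.observe(line)
    recidive = Jail("recidive", RECIDIVE_FAILREGEX, 3, 86400, fail2ban_time)
    for when, host in wordpress.bans:
        recidive.observe(wordpress.ban_log_line(when, host))
    return wordpress.bans, recidive.bans
```

Running run_scenario() yields three wordpress bans of 203.0.113.5 (at 10:03, 12:03 and 14:03) and one recidive ban of the same host at 14:03; 198.51.100.7 is never banned because its four POSTs are two hours apart and fall outside the 3600 second findtime, and the GET from 192.0.2.9 never matches the filter. The recidive regex's negative lookahead is what stops recidive from counting its own Ban lines and banning forever.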