Configuring fail2ban on Debian – Part 2

In part 1 of this tutorial we looked at installing fail2ban and configuring some of the default jails. In this second part we shall look at some further jails, and configure filters and jails for applications not covered by the default installation.

Recidive

re·cid·i·vism  (rĭ-sĭd′ə-vĭz′əm)n.

The repeating of or returning to criminal behavior by the same offender or type of offender.

One of the cool features of fail2ban is its ability to apply a filter to its own log files and take action appropriately. The recidive jail does exactly that – after an IP has been banned by a lower-level jail a given number of times, recidive can hand out another ban, but this time on all ports. To implement it, simply create the file /etc/fail2ban/jail.d/recidive.conf with the following contents.

[recidive]
enabled = true
maxretry = 3

Remember to restart the fail2ban service after making any changes.

WordPress

If you are running a WordPress installation, you are almost certainly seeing plenty of attempts on wp-login and some other pages. A simple /etc/fail2ban/filter.d/wordpress.conf looks like this. The failregex lines match POST submissions to wp-login.php and to xmlrpc.php; the <HOST> tag is the placeholder fail2ban substitutes with its IP address pattern.

[Definition]
_jailname = wordpress
failregex = ^<HOST> .* "POST .*wp-login\.php
            ^<HOST> .* "POST .*xmlrpc\.php
ignoreregex =

In /etc/fail2ban/jail.d/wordpress.conf add the following content. This jail looks for 4 matches to the above filter in the NGINX log files within 1 hour, and blocks ports 80 and 443 if that many attempts are detected.

[wordpress]
enabled = true
port = http,https
action = iptables-multiport[name=wordpress, port="http,https", protocol=tcp]
logpath = /var/log/nginx/access*log
maxretry = 4
findtime = 3600

Remember to restart the fail2ban service after making any changes.
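Before enabling the jail it is worth checking the filter against real log lines. The script below is an added example, not fail2ban's own code or part of this tutorial: it expands the <HOST> tag the way fail2ban does (IPv4 only here, an assumption for brevity), applies the two failregex lines to constructed nginx access-log lines, and reports which addresses would reach maxretry = 4 within findtime = 3600 seconds.

```python
import re
from datetime import datetime, timedelta

# The page's filter, with <HOST> expanded to an IPv4 capture group (fail2ban's
# real <HOST> also matches IPv6 and hostnames; narrowed here for brevity).
FAILREGEX = [
    r'^<HOST> .* "POST .*wp-login\.php',
    r'^<HOST> .* "POST .*xmlrpc\.php',
]
HOST = r'(?P<host>(?:\d{1,3}\.){3}\d{1,3})'
PATTERNS = [re.compile(p.replace("<HOST>", HOST)) for p in FAILREGEX]
TS_RE = re.compile(r'\[([^\]]+)\]')  # nginx combined-format timestamp field

# Constructed sample lines (TEST-NET addresses), not from any real server.
LOG_LINES = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Oct/2023:13:56:00 +0000] "GET /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:56:10 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:56:40 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:57:05 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Oct/2023:14:10:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Oct/2023:14:40:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Oct/2023:15:20:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Oct/2023:15:30:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

def parse_line(line):
    """Return (host, timestamp) when a failregex matches the line, else None."""
    for pat in PATTERNS:
        m = pat.match(line)
        if m:
            ts = datetime.strptime(TS_RE.search(line).group(1), "%d/%b/%Y:%H:%M:%S %z")
            return m.group("host"), ts
    return None

def banned_hosts(lines, maxretry=4, findtime=3600):
    """Hosts whose failures reach maxretry inside a sliding findtime window."""
    recent, banned = {}, set()
    for line in lines:
        hit = parse_line(line)
        if hit is None:
            continue  # e.g. a GET of wp-login.php is not a failure
        host, ts = hit
        window = [t for t in recent.get(host, []) if ts - t <= timedelta(seconds=findtime)]
        window.append(ts)
        recent[host] = window
        if len(window) >= maxretry:
            banned.add(host)
    return banned

if __name__ == "__main__":
    print(sorted(banned_hosts(LOG_LINES)))  # ['203.0.113.7']
```

The second address makes four POSTs but spread over more than an hour, so it is never banned at findtime = 3600. On a real host, fail2ban's own `fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/wordpress.conf` is the authoritative check of the filter.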