I am having trouble with a lot of spam requests to a specific WordPress file and I want to configure Fail2Ban to ban those IPs permanently.
File is: /xmlrpc.php
Is the apache-common filter actually matching the lines in the log file? I would suggest making a custom filter so fail2ban can match the correct line in the log file.
You need to look at the filter and work out what the regex is looking for, or you could post a single log line you are trying to match and perhaps someone will be able to write the regex for you, so you can create a filter.
I created a log filter with different combinations like this:
<HOST>.*"POST \/xmlrpc\.php.*" 200.*$
<HOST>.*"POST \/xmlrpc\.php.*" \d{3}.*$
<HOST>.*"POST \/xmlrpc\.php.*" \b\d{3}\b.*$
<HOST>.*"(GET|POST|HEAD) \/xmlrpc\.php.*" 200.*$
None of them works, but I am testing it on regex101 and it looks okay.
Here is an example line from the log:
185.184.155.49 - - [18/Sep/2024:16:59:45 +0200] "POST /xmlrpc.php HTTP/1.1" 200 3735 "-" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:94.0) Gecko/20100101 Firefox/95.0"
I have no idea. As I don’t use WordPress, I tend to skip most WordPress issues, as I don’t have the experience with that product, and it really has nothing to do with Virtualmin. However, the OP asked about fail2ban, which I do have some experience with.
I use this, and the caret up front is important. You can test your filter in the terminal to see if it is selecting records or not. This will tell you if your code is working.
fail2ban-regex <logfile> <regex or filter conf file>
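
An added example, not taken from any post in this thread: a custom filter and jail for the xmlrpc.php case discussed above, with the caret-anchored regex and a permanent ban. The filter/jail name wordpress-xmlrpc, the file paths, logpath, maxretry and findtime are assumptions to adapt to the server.

```ini
# --- /etc/fail2ban/filter.d/wordpress-xmlrpc.conf (assumed file name) ---
[Definition]
# The caret anchors <HOST> to the start of the line, so only the client
# address field of the access log is captured as the offender.
# Matches any POST to /xmlrpc.php, whatever the response status code.
failregex = ^<HOST> .*"POST /xmlrpc\.php[^"]*" \d{3}
ignoreregex =

# --- /etc/fail2ban/jail.local (add this section) ---
[wordpress-xmlrpc]
enabled  = true
port     = http,https
# Must equal the filter file name without the .conf extension.
filter   = wordpress-xmlrpc
# Assumed path: point this at the access log that records the requests.
logpath  = /var/log/apache2/access.log
# Assumed thresholds: 3 matching requests within 600 seconds trigger a ban.
maxretry = 3
findtime = 600
# A negative bantime makes the ban permanent.
bantime  = -1
```

Before enabling the jail, pass the access log and the filter file to fail2ban-regex as shown above and confirm that the sample line is counted as matched.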