| OS type and version | Ubuntu Linux 22.04.3 |
| Package updates | 9 package updates are available |

I have set up a new filter on Fail2Ban to block brute force attacks on xmlrpc.php and wp-login.php, however it is not matching or blocking any of the requests.
Here is my configuration; I hope someone can spot where the issue is:
Under log filters, I added a new log, and used:
^<HOST> .* "(GET|POST|HEAD) /(wp-login\.php|xmlrpc\.php)
as regular expression to match. I called the filter wordpress.
Under config files, /etc/fail2ban/filter.d/wordpress.config I have the following:
[Definition]
failregex = ^<HOST> .* "(GET|POST|HEAD) /(wp-login\.php|xmlrpc\.php)
Under /etc/fail2ban/jail.local I have the following:
[wordpress]
enabled = true
port = http,https
filter = wordpress
logpath = /var/log/virtualmin/*_access_log
bantime = 43200
action = firewallcmd-allports
maxretry = 1
findtime = 1d

Is my jail.local entry correct? When I go to the Jail Status tab, everything is 0 under wordpress; it's not matching nor banning any requests (I'm hit with hundreds of requests every few minutes).
In the terminal I run:
fail2ban-regex /var/log/virtualmin/domain.com_access_log /etc/fail2ban/filter.d/wordpress.local
And it returns successful matches:
Results
=======
Failregex: 667 total
|- #) [# of hits] regular expression
| 1)  ^<HOST> .* "(GET|POST|HEAD) /(wp-login\.php|xmlrpc\.php)

So what's wrong? Any help is greatly appreciated, as my server resources are being hammered right now. Thanks!
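
An added example, not part of the original post: a Python emulation of the posted failregex and the jail's maxretry/findtime counting, run over constructed access-log lines to show which requests the filter counts and which hosts would reach the ban threshold. The `<HOST>` stand-in is a simplified assumption (fail2ban's real expansion is broader), and the sample lines, addresses and function names are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# failregex exactly as posted; <HOST> is fail2ban's placeholder for the client address.
FAILREGEX = r'^<HOST> .* "(GET|POST|HEAD) /(wp-login\.php|xmlrpc\.php)'
# Assumption: simplified stand-in for fail2ban's <HOST> expansion (IP literals only).
HOST = r'(?P<host>[0-9A-Fa-f:.]+)'
PATTERN = re.compile(FAILREGEX.replace('<HOST>', HOST))
TS = re.compile(r'\[([^\]]+)\]')  # first [...] field is the request timestamp
MAXRETRY, FINDTIME = 1, timedelta(days=1)  # values from the posted jail

# Constructed sample lines in Apache combined format (documentation addresses).
SAMPLE = [
    '203.0.113.7 - - [10/Jan/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "x"',
    '203.0.113.7 - - [10/Jan/2024:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "x"',
    '198.51.100.9 - - [10/Jan/2024:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "x"',
    '198.51.100.23 - - [10/Jan/2024:10:00:04 +0000] "GET /blog/wp-login.php HTTP/1.1" 200 4521 "-" "x"',
    '192.0.2.10 - - [10/Jan/2024:10:00:05 +0000] "GET /wp-login.php HTTP/1.1" 200 4521 "-" "x"',
]

def match_line(line):
    """Return (host, timestamp) if the line matches the failregex, else None."""
    m = PATTERN.search(line)
    t = TS.search(line)
    if not (m and t):
        return None
    return m.group('host'), datetime.strptime(t.group(1), '%d/%b/%Y:%H:%M:%S %z')

def hosts_to_ban(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Hosts whose matches inside the findtime window reach maxretry."""
    seen, banned = defaultdict(list), []
    for line in lines:
        hit = match_line(line)
        if hit is None:
            continue
        host, ts = hit
        # Keep only this host's matches that are still inside the window.
        seen[host] = [t for t in seen[host] if ts - t <= findtime] + [ts]
        if len(seen[host]) >= maxretry and host not in banned:
            banned.append(host)
    return banned

if __name__ == '__main__':
    print(hosts_to_ban(SAMPLE))
```

The regex matches any request for the two files regardless of status code, so with maxretry = 1 a single view of the login page reaches the threshold, while a WordPress install under a subdirectory such as /blog/ is not covered.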