| SYSTEM INFORMATION | |
|---|---|
| OS type and version | Ubuntu Linux 22.04.3 |
| Webmin version | 2.101 |
| Usermin version | 2.001 |
| Virtualmin version | 7.8.2 |
| Theme version | 21.04 |
| Package updates | 9 package updates are available |
Hi,
I have set up a new filter on Fail2Ban to block brute force attacks on xmlrpc.php and wp-login.php; however, it is not matching or blocking any of the requests.
Here is my configuration, I hope someone can spot where the issue is:
Under log filters, I added a new log, and used:

```
^<HOST> .* "(GET|POST|HEAD) /(wp-login\.php|xmlrpc\.php)
```

as the regular expression to match. I called the filter wordpress.
Under config files, /etc/fail2ban/filter.d/wordpress.config I have the following:

```ini
[Definition]
failregex = ^<HOST> .* "(GET|POST|HEAD) /(wp-login\.php|xmlrpc\.php)
```
Under /etc/fail2ban/jail.local I have the following:

```ini
[wordpress]
enabled = true
port = http,https
filter = wordpress
logpath = /var/log/virtualmin/*_access_log
bantime = 43200
action = firewallcmd-allports[]
maxretry = 1
findtime = 1d
```
Is my jail.local entry correct? When I go to the Jail Status tab, everything is 0 under wordpress; it's not matching nor banning any requests (I'm hit with hundreds of requests every few minutes).
In the terminal I run:

```shell
fail2ban-regex /var/log/virtualmin/domain.com_access_log /etc/fail2ban/filter.d/wordpress.local
```
And it returns successful matches:

```
Results
=======
Failregex: 667 total
|- #) [# of hits] regular expression
| 1) [667] ^<HOST> .* "(GET|POST|HEAD) /(wp-login\.php|xmlrpc\.php)
```
So what's wrong? Any help is greatly appreciated, as my server resources are being hammered right now. Thanks!
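As an added example (not part of the original post, and not Fail2Ban's own code), the following script emulates what the jail above should do with this failregex: it expands `<HOST>` the way Fail2Ban's filter does, runs the pattern over Apache-style access-log lines, and applies the jail's `maxretry`/`findtime` counting to decide which hosts would be banned. The `<HOST>` expansion is assumed to be Fail2Ban's classic one, and the log lines are constructed samples, so it is a way to check offline which lines the jail should count and why a host does or does not reach the ban threshold.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: Fail2Ban's classic expansion of the <HOST> placeholder.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The failregex from the wordpress filter in the post.
FAILREGEX = r'^<HOST> .* "(GET|POST|HEAD) /(wp-login\.php|xmlrpc\.php)'

# Apache combined-log timestamp, e.g. [10/Oct/2023:13:55:36 +0000]
TS_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]")


def compile_failregex(failregex: str) -> re.Pattern:
    """Turn a Fail2Ban failregex into a Python pattern by expanding <HOST>."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def find_bans(lines, failregex=FAILREGEX, maxretry=1, findtime=timedelta(days=1)):
    """Return {host: time_of_ban} for hosts reaching maxretry hits within findtime."""
    pattern = compile_failregex(failregex)
    hits = defaultdict(list)   # host -> timestamps of matching lines
    banned = {}
    for line in lines:
        match, ts = pattern.search(line), TS_RE.search(line)
        if not match or not ts:
            continue           # not a failure line, or no usable timestamp
        host = match.group("host")
        when = datetime.strptime(ts.group(1), "%d/%b/%Y:%H:%M:%S")
        # Keep only the hits that still fall inside the findtime window.
        hits[host] = [t for t in hits[host] if when - t <= findtime] + [when]
        if host not in banned and len(hits[host]) >= maxretry:
            banned[host] = when
    return banned


# Constructed sample access-log lines (not taken from the original post).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 1203 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "POST /xmlrpc.php HTTP/1.1" 200 431 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Oct/2023:13:56:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.77 - - [10/Oct/2023:14:01:12 +0000] "GET /wp-login.php?action=lostpassword HTTP/1.1" 200 2048 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for host, when in find_bans(SAMPLE_LOG).items():
        print(f"ban {host} (threshold reached at {when})")
```

With `maxretry = 1` as in the jail above, every host that produces a single matching line is banned; raising `maxretry` in the call shows how the same log yields fewer bans.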