WordPress plugin - How does this trigger fail2ban?

I am not looking for an exact mechanism on how this works but more how does this application/php script trigger the fail2ban service to ban an IP?

Any pointers would be welcome.

P.S. Yes, I know I can read the code, but I was fishing for some pointers first as I am struggling with the concept.

Thanks

wp-fail2ban just logs events. fail2ban's wordpress-* filters catch that from the log entries and block it.

but how, that is the question? this software does not have direct access to server logs.

syslog() logs events from users too. the user running the software sends the event, the syslog daemon/journal logs it someplace.

see also:
https://linux.die.net/man/3/syslog

so the software is probably running syslog() somewhere in the code, which adds the relevant record into the log?

A PHP “magic” function, that will do it. :smiley:

Thanks

yes, as the plugin description mentions:

Description: Write a myriad of WordPress events to syslog for integration with fail2ban

Thanks for the info, really helpful, but what URL is this from as I cannot find it.

Write a myriad of WordPress events to syslog for integration with fail2ban

It does not seem to be on the wordpress plugin page.

wp-fail2ban.php:14: * Description: Write a myriad of WordPress events to syslog for integration with fail2ban.

aah, actually in the plugin. Awesome.

Virtualmin WP Workbench plugin can do this, along with other security-related features like enabling additional HTTP password protection for the WP Admin panel.

I was curious how the app level stuff got to the server level daemons for my own programming knowledge.

All makes sense.:grinning_face:

Does the block happen on the Fail2ban side, or does the plugin decide based on the logs and trigger the block on the PHP side?

I was curious how the app level stuff got to the server level daemons for my own programming knowledge.

All makes sense.:grinning_face:

And, how does it go?

From one of my earlier posts or did you mean my software?

fail2ban does the blocking.
wp-fail2ban just writes events to syslog. fail2ban (using wp-fail2ban included fail2ban wordpress filters) catches those and blocks offenders.
one would need to add extra parameters to wp-config.php for wp-fail2ban to block e.g. user enumerations and disable some annoying health check features of fail2ban, but in general it works fine. (no need for premium security plugins if configured correctly)

btw, csf/lfd can do most of what wp-fail2ban+fail2ban does (or other CMS related plugins working with fail2ban), by just using some custom filters in csf. (so no need for extra plugins/daemons).
modsec too, just more complex in terms of writing new rules.
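
The flow described in this thread (the application logs through syslog, fail2ban matches the log line and does the blocking), as an added example that is not from any poster or from the wp-fail2ban project. The message wording, the failregex, the IPv4-only `<HOST>` pattern and the sample log lines are all constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed message format for illustration; the plugin's real wording may differ.
FAILREGEX = r"wordpress\(\S+\)\[\d+\]: Authentication failure for .* from <HOST>$"
# IPv4-only simplification of what fail2ban substitutes for <HOST>.
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Constructed sample of what the syslog daemon would write to the auth log.
SAMPLE_LOG = """\
Mar 12 10:00:01 web1 wordpress(example.com)[2211]: Authentication failure for admin from 198.51.100.7
Mar 12 10:00:05 web1 wordpress(example.com)[2211]: Authentication failure for root from 198.51.100.7
Mar 12 10:00:09 web1 wordpress(example.com)[2212]: Accepted password for alice from 192.0.2.10
Mar 12 10:00:12 web1 wordpress(example.com)[2213]: Authentication failure for x from 203.0.113.9 from 198.51.100.7
Mar 12 10:01:00 web1 wordpress(example.com)[2214]: Authentication failure for bob from 192.0.2.44
Mar 12 10:30:00 web1 wordpress(example.com)[2215]: Authentication failure for bob from 192.0.2.44
""".splitlines()

def log_auth_failure(site, user, ip):
    """App side: an unprivileged process hands one line to the syslog daemon."""
    import syslog  # Unix only; imported here so the parser below runs anywhere
    syslog.openlog(f"wordpress({site})", syslog.LOG_PID, syslog.LOG_AUTH)
    syslog.syslog(syslog.LOG_NOTICE, f"Authentication failure for {user} from {ip}")

def find_bans(lines, maxretry=3, findtime=600, year=2024):
    """Daemon side: return IPs with >= maxretry matches inside findtime seconds."""
    pattern = re.compile(FAILREGEX.replace("<HOST>", HOST_RE))
    recent, banned = defaultdict(deque), []
    for line in lines:
        m = pattern.search(line)
        if not m:
            continue
        # Classic syslog timestamps carry no year, so one is supplied.
        ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
        hits = recent[m["host"]]
        hits.append(ts)
        while ts - hits[0] > timedelta(seconds=findtime):
            hits.popleft()  # drop matches that fell out of the findtime window
        if len(hits) >= maxretry and m["host"] not in banned:
            banned.append(m["host"])  # fail2ban would run its ban action here
    return banned

if __name__ == "__main__":
    print(find_bans(SAMPLE_LOG))
```

The fourth sample line carries a username that itself contains ` from 203.0.113.9`; because the pattern is anchored with `$`, only the address the application appended last is captured, so user-controlled text cannot steer the ban onto another IP.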

long shot, does anyone know of a php function that can directly add a rule to the firewall?

you mean php running as root (or sudo user), messing with the firewall?
brrrr, nope.

maybe some hosting control panels or firewall UIs, written in php, have some code like this. don’t know.

I was considering that I could get a php script to perform a specific event when a bad actor came along and then this would cause them to get blocked, like redirecting them to a bad URL.

a firewall blocks ips/ranges/ASNs, it doesn't redirect. a web server/script can redirect.
a php script redirecting to some url is probably better than triggering/messing with the firewall.