Just add an actionban for all ports to your jail like:
action = "">
If you use ipset or choose another allport action relevant to your firewall setup

On 26/10/2018 02:36, Mike wrote:

This is really interesting. I like the way it works. It redirects all instances of WordPress with the plugin installed to log auth failures to the auth log.

I'm definitely going to look into this, but one issue I wrestle with a lot is vulnerable plugins (so adding another plugin is not super exciting). What I'm interested in doing is using WordPress probes in the http log as a way to identify hosts that are running scripts to search for vulnerabilities and cut them completely off from all services, not just http.

Does anybody have a framework for something like this?

For example, a call from a host that references some plugin on my site that isn't installed is a dead giveaway that it's a probe. I want to lock that host for x amount of time out of all services on my server.

At 05:17 AM 10/25/2018, Denis Rasulev wrote:
Hi,
Put this into /etc/fail2ban/filter.d/wordpress.conf :

# Fail2Ban filter for WordPress

[INCLUDES]
before = common.conf

[Definition]
_daemon = (?:wordpress|wp)
failregex = ^%(__prefix_line)sAuthentication attempt for unknown user .* from <HOST>$
            ^%(__prefix_line)sBlocked user enumeration attempt from <HOST>$
            ^%(__prefix_line)sBlocked authentication attempt for .* from <HOST>$
            ^%(__prefix_line)sPingback error .* generated from <HOST>$
            ^%(__prefix_line)sSpam comment \d+ from <HOST>$
            ^%(__prefix_line)sXML-RPC authentication attempt for unknown user .* from <HOST>$
            ^%(__prefix_line)sXML-RPC multicall authentication failure from <HOST>$
ignoreregex =

# DEV Notes:
# Requires the 'WP fail2ban' plugin:
# https://wordpress.org/plugins/wp-fail2ban/
#
# Author: Charles Lecklider

For the rest of the setup process, please check this nice article:
https://bjornjohansen.no/using-fail2ban-with-wordpress

Regards,
Denis

On 24 Oct 2018, at 20:17, Mike <[email protected]> wrote:

Does anybody have any examples of sample jail configurations to identify WordPress vulnerability probes?

If someone can give me a skeleton, I can work on creating something that IDs malicious attempts to hack into WordPress. I just need a basic framework.

_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
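
Added example, not part of the original thread and not code from the fail2ban project: a sketch of the detection Mike describes, where a request for a plugin directory that is not installed counts as a probe. The installed-plugin list, the access-log format, the thresholds and the simplified `<HOST>` expansion are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: slugs of the plugins really installed on this site (hypothetical).
INSTALLED = {"akismet", "wp-fail2ban"}

def build_failregex(installed):
    """failregex for a request under /wp-content/plugins/<slug>/ where <slug>
    is not installed. <HOST> is fail2ban's placeholder for the client address."""
    skip = "|".join(re.escape(p) for p in sorted(installed))
    return (r'^<HOST> \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) /wp-content/plugins/'
            r'(?!(?:' + skip + r')/)[^/\s"]+/\S* HTTP/[^"]*" \d{3}\s')

def compile_failregex(failregex):
    # Simplified stand-in for fail2ban's own <HOST> expansion (IP literals only).
    return re.compile(failregex.replace("<HOST>", r"(?P<host>[0-9A-Fa-f:.]+)"))

def hosts_to_ban(lines, pattern, maxretry=2, findtime=timedelta(minutes=10)):
    """Return hosts with at least maxretry matching lines inside findtime."""
    hits, banned = defaultdict(list), []
    for line in lines:
        m = pattern.search(line)
        if not m:
            continue
        stamp = line.split("[", 1)[1].split("]", 1)[0]
        ts = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        host = m.group("host")
        # Keep only earlier hits that are still inside the findtime window.
        hits[host] = [t for t in hits[host] if ts - t <= findtime] + [ts]
        if len(hits[host]) >= maxretry and host not in banned:
            banned.append(host)
    return banned

# Constructed access-log lines (combined format, documentation addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [26/Oct/2018:02:10:01 +0000] "GET /wp-content/plugins/example-gallery/readme.txt HTTP/1.1" 404 162 "-" "-"',
    '203.0.113.7 - - [26/Oct/2018:02:10:03 +0000] "GET /wp-content/plugins/example-forms/readme.txt HTTP/1.1" 404 162 "-" "-"',
    '198.51.100.20 - - [26/Oct/2018:02:11:00 +0000] "GET /wp-content/plugins/akismet/_inc/form.js HTTP/1.1" 200 700 "-" "-"',
    '198.51.100.20 - - [26/Oct/2018:02:11:05 +0000] "GET /wp-content/plugins/example-gallery/style.css HTTP/1.1" 404 162 "-" "-"',
    '192.0.2.55 - - [26/Oct/2018:02:12:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "-"',
]

if __name__ == "__main__":
    fr = build_failregex(INSTALLED)
    print("failregex =", fr)
    print("would ban:", hosts_to_ban(SAMPLE_LOG, compile_failregex(fr)))
```

The printed failregex can be placed in a filter file and checked against a real log with fail2ban-regex. Blocking the host from all services, not just http, then comes from the jail's all-ports ban action mentioned in the first reply.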