fail2ban not working

Discussion in 'Installation/Configuration' started by Julian, Jan 12, 2017.

  1. Julian

    Julian Member


    I'm trying to make fail2ban for wordpress but is not banning
    Here is my config:
    enabled = true
    filter = wordpress
    action = iptables-multiport[name=wordpress, port="http,https"]
    logpath = /var/log/ispconfig/httpd/*/access.log
    maxretry = 3
    bantime = 1800

    # Fail2Ban filter for WordPress

    failregex = ^<HOST> .* "POST /wp-login.php
    ignoreregex =

    I'm missing anything?
    Please help me,

    Thank you
  2. Jesse Norell

    Jesse Norell Well-Known Member

    I've not used iptables-multiport anywhere else other than what ispconfig has by following the Perfect Server guide, but the line there includes a protocol, so you could try:
    action = iptables-multiport[name=wordpress, port="http,https", protocol=tcp]
    Other than that, perhaps your regex isn't matching. You can test that with fail2ban-regex, though you have to specify a specific log file (not wild .../*/access.log), so look up a name:
    fail2ban-regex /var/log/ispconfig/httpd/ /etc/fail2ban/filter.d/wordpress.conf
    If your regex doesn't match you could try this one, though I've had cases where leaving a wordpress site open in my browser timed out my session, and the login prompt kept reloading frequently, and I ended up blocking myself with this (doesn't happen frequently, but more than once -- perhaps remove the GET and it'd help?):
    # cat /etc/fail2ban/filter.d/wp-login.local
    # Fail2ban config file matching wp-login.php access
    # Author: Jesse Norell
    # This matches failed and successful attempts,
    # so set maxretries high enough to allow a few legitimate failed logins
    failregex = ^[^ ]* <HOST> .*"(GET|POST) //?wp-login.php
    ignoreregex =
    And I should probably mention, I haven't used that particular fail2ban filter on an ispconfig server, but on an older control panel (dtc), so haven't verified the log format/regex matches.

Share This Page