Troubles with fail2ban trying to stop xmlrpc.php

Discussion in 'ISPConfig 3 Priority Support' started by RobPatton, Aug 26, 2016.

  1. RobPatton

    RobPatton New Member HowtoForge Supporter

    I have fail2ban working with postfix-sasl errors, but I just can't seem to make it work for anything else.
    If I use:
    fail2ban-regex /var/log/httpd/access_log "^<HOST> .*POST .*xmlrpc\.php.*"
    It returns
    Lines: 61008 lines, 0 ignored, 3333 matched, 57675 missed [processed in 9.68 sec]
    So clearly my string is correct, and they are being found?
    But I'm missing some part by which iptables bans the IPs.

    enabled = true
    action = iptables[name=sshd, port=ssh, protocol=tcp]

    enabled = true
    action = iptables[name=FTP, port=ftp, protocol=tcp]
    maxretry = 3

    enabled = true
    action = iptables-multiport[name=dovecot, port="pop3,pop3s,imap,imaps", protocol=tcp]
    maxretry = 3

    enabled = true
    action = iptables-multiport[name=postfix-sasl, port="smtp,smtps,submission", protocol=tcp]
    maxretry = 3

    enabled = true
    filter = apache-xmlrpc
    action = iptables-allports
    logpath = /var/log/httpd/access_log
    maxretry = 1



    # Read common prefixes. If any customizations available -- read them from
    # common.local
    before = common.conf

    failregex = ^<HOST> .*POST .*xmlrpc\.php.*
    ignoreregex =

    Sure would love to understand why I can't make this thing work. I'm unable to make the dovecot section work either, but I assume one answer will answer my questions.
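
An added example (not part of the original post, and not fail2ban's own code): a simplified Python model of how the posted failregex, combined with a maxretry/findtime window, selects hosts from constructed access_log lines, shown next to a hypothetical stricter regex anchored on the request line. The IPv4-only `<HOST>` stand-in, the 600-second findtime, the sample lines and `TIGHT` are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Simplified stand-in for fail2ban's <HOST> tag (IPv4 only, an assumption).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
POSTED = r"^<HOST> .*POST .*xmlrpc\.php.*"  # failregex from the post
# Hypothetical stricter form: POST must be the method, xmlrpc.php the path.
TIGHT = r'^<HOST> \S+ \S+ \[[^\]]+\] "POST /+xmlrpc\.php[ ?]'

# Constructed combined-format access_log lines (documentation addresses).
SAMPLE = [
    '192.0.2.10 - - [26/Aug/2016:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "curl"',
    '192.0.2.10 - - [26/Aug/2016:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "curl"',
    # POST to another URL; xmlrpc.php only appears in the referer field.
    '198.51.100.7 - - [26/Aug/2016:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 1200 "http://example.com/xmlrpc.php" "Mozilla"',
    '203.0.113.4 - - [26/Aug/2016:10:00:09 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "Mozilla"',
    # Matching line, but days older than the evaluation time below.
    '203.0.113.9 - - [20/Aug/2016:03:00:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "curl"',
]

def failures(lines, failregex):
    """Yield (host, timestamp) for each line the failregex matches."""
    rx = re.compile(failregex.replace("<HOST>", HOST))
    for line in lines:
        m = rx.search(line)
        if m:
            stamp = re.search(r"\[([^\]]+)\]", line).group(1)
            yield m.group("host"), datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")

def would_ban(lines, failregex, now, maxretry=1, findtime=600):
    """Hosts with at least maxretry matches inside the findtime window before now."""
    counts = defaultdict(int)
    for host, when in failures(lines, failregex):
        if timedelta(0) <= now - when <= timedelta(seconds=findtime):
            counts[host] += 1
    return sorted(h for h, n in counts.items() if n >= maxretry)

# Constructed "current time" for the evaluation.
NOW = datetime.strptime("26/Aug/2016:10:05:00 +0000", "%d/%b/%Y:%H:%M:%S %z")

if __name__ == "__main__":
    print("lines matched by posted regex:", len(list(failures(SAMPLE, POSTED))))
    print("posted regex would ban:", would_ban(SAMPLE, POSTED, NOW))
    print("tight regex would ban: ", would_ban(SAMPLE, TIGHT, NOW))
```

The matched-line count covers the whole file, as a fail2ban-regex run does, while the ban list only includes hosts whose matches fall inside the findtime window. The posted pattern also catches the POST whose referer merely mentions xmlrpc.php, which matters with maxretry = 1 and an all-ports ban.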
