add fail2ban configs

This commit is contained in:
Matthew Saunders Brown 2022-11-16 14:25:10 -08:00
parent de38c7fb1d
commit 1f567259a2
6 changed files with 87 additions and 0 deletions

View File

@ -0,0 +1,10 @@
# WordPress brute force auth filter: /etc/fail2ban/filter.d/wp-auth.conf:
#
# Block IPs trying to auth wp wordpress
#
# Matches e.g.
# exampledomain.com 12.34.33.22 - [07/Jun/2014:11:15:29] "POST /wp-login.php HTTP/1.0" 200 4523
#
[Definition]
failregex = [\w\.\-]+ <HOST> [\w\.\-]+ [\w\.\-]+ .*] "POST .*/wp-login.php
ignoreregex =

View File

@ -0,0 +1,12 @@
# WordPress xrmlrpc.php abuse
#
# Block IPs pounding xrmlrpc.php
#
# Matches e.g.
# example.com:80 51.141.3.7 - - [05/Oct/2020:15:13:57 -0700] "POST /xmlrpc.php HTTP/1.1" 200 650 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
# example.com:80 51.141.3.7 - - [05/Oct/2020:15:13:57 -0700] "POST //xmlrpc.php HTTP/1.1" 200 650 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
#
[Definition]
failregex = [\w\.\-]+ <HOST> [\w\.\-]+ [\w\.\-]+ .*] "POST /xmlrpc.php
[\w\.\-]+ <HOST> [\w\.\-]+ [\w\.\-]+ .*] "POST //xmlrpc.php
ignoreregex =

View File

@ -0,0 +1,8 @@
[wp-auth]
enabled = true
port = http,https
filter = wp-auth
logpath = /var/log/apache2/access.log tail
bantime = 900
findtime = 300
maxretry = 10

View File

@ -0,0 +1,8 @@
[xmlrpc]
enabled = true
port = http,https
filter = xmlrpc
logpath = /var/log/apache2/access.log tail
bantime = 86400
findtime = 60
maxretry = 3

View File

@ -33,3 +33,14 @@ cp usr/local/lib/systemd/system/wp-cron.* /usr/local/lib/systemd/system/
chmod 644 /usr/local/lib/systemd/system/wp-cron.* chmod 644 /usr/local/lib/systemd/system/wp-cron.*
systemctl enable wp-cron.timer systemctl enable wp-cron.timer
systemctl start wp-cron.timer systemctl start wp-cron.timer
# fail2ban wordpress configs
if [[ -d /etc/fail2ban/ ]]; then
chmod 644 etc/fail2ban/filter.d/
cp -a etc/fail2ban/filter.d/* /etc/fail2ban/filter.d/
chmod 644 etc/fail2ban/jail.d/
cp -a etc/fail2ban/jail.d/* /etc/fail2ban/jail.d/
systemctl restart fail2ban
else
echo "Fail2ban not installed, skipping fail2ban wordpress configs."
fi

View File

@ -59,3 +59,41 @@ if ! diff -q usr/local/lib/systemd/system/wp-cron.timer /usr/local/lib/systemd/s
echo "wp-cron.timer updated" echo "wp-cron.timer updated"
echo echo
fi fi
# check fail2ban wordpress configs
if [[ -d /etc/fail2ban/ ]]; then
RESTARTF2B=false
if ! diff -q etc/fail2ban/filter.d/wp-auth.conf /etc/fail2ban/filter.d/wp-auth.conf ; then
cp etc/fail2ban/filter.d/wp-auth.conf /etc/fail2ban/filter.d/wp-auth.conf
chmod 644 /etc/fail2ban/filter.d/wp-auth.conf
echo "fail2ban/filter.d/wp-auth.conf updated"
echo
RESTARTF2B=true
fi
if ! diff -q etc/fail2ban/filter.d/xmlrpc.conf /etc/fail2ban/filter.d/xmlrpc.conf ; then
cp etc/fail2ban/filter.d/xmlrpc.conf /etc/fail2ban/filter.d/xmlrpc.conf
chmod 644 /etc/fail2ban/filter.d/xmlrpc.conf
echo "fail2ban/filter.d/xmlrpc.conf updated"
echo
RESTARTF2B=true
fi
if ! diff -q etc/fail2ban/jail.d/wp-auth.conf /etc/fail2ban/jail.d/wp-auth.conf ; then
cp etc/fail2ban/jail.d/wp-auth.conf /etc/fail2ban/jail.d/wp-auth.conf
chmod 644 /etc/fail2ban/jail.d/wp-auth.conf
echo "fail2ban/jail.d/wp-auth.conf updated"
echo
RESTARTF2B=true
fi
if ! diff -q etc/fail2ban/jail.d/xmlrpc.conf /etc/fail2ban/jail.d/xmlrpc.conf ; then
cp etc/fail2ban/jail.d/xmlrpc.conf /etc/fail2ban/jail.d/xmlrpc.conf
chmod 644 /etc/fail2ban/jail.d/xmlrpc.conf
echo "fail2ban/jail.d/xmlrpc.conf updated"
echo
RESTARTF2B=true
fi
if [[ $RESTARTF2B = true ]]; then
systemctl restart fail2ban
fi
else
echo "Fail2ban not installed, skipping fail2ban wordpress configs."
fi