add fail2ban configs

etc/fail2ban/filter.d/wp-auth.conf

@@ -0,0 +1,10 @@
+# WordPress brute force auth filter: /etc/fail2ban/filter.d/wp-auth.conf:
+#
+# Block IPs trying to auth wp wordpress
+#
+# Matches e.g.
+# exampledomain.com 12.34.33.22 - [07/Jun/2014:11:15:29] "POST /wp-login.php HTTP/1.0" 200 4523
+#
+[Definition]
+failregex = [\w\.\-]+ <HOST> [\w\.\-]+ [\w\.\-]+ .*] "POST .*/wp-login.php
+ignoreregex =

etc/fail2ban/filter.d/xmlrpc.conf

@@ -0,0 +1,12 @@
+# WordPress xrmlrpc.php abuse
+#
+# Block IPs pounding xrmlrpc.php
+#
+# Matches e.g.
+# example.com:80 51.141.3.7 - - [05/Oct/2020:15:13:57 -0700] "POST /xmlrpc.php HTTP/1.1" 200 650 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
+# example.com:80 51.141.3.7 - - [05/Oct/2020:15:13:57 -0700] "POST //xmlrpc.php HTTP/1.1" 200 650 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
+#
+[Definition]
+failregex =  [\w\.\-]+ <HOST> [\w\.\-]+ [\w\.\-]+ .*] "POST /xmlrpc.php
+             [\w\.\-]+ <HOST> [\w\.\-]+ [\w\.\-]+ .*] "POST //xmlrpc.php
+ignoreregex =

etc/fail2ban/jail.d/wp-auth.conf

@@ -0,0 +1,8 @@
+[wp-auth]
+enabled  = true
+port     = http,https
+filter   = wp-auth
+logpath  = /var/log/apache2/access.log tail
+bantime  = 900
+findtime = 300
+maxretry = 10

etc/fail2ban/jail.d/xmlrpc.conf

@@ -0,0 +1,8 @@
+[xmlrpc]
+enabled  = true
+port     = http,https
+filter   = xmlrpc
+logpath  = /var/log/apache2/access.log tail
+bantime  = 86400
+findtime = 60
+maxretry = 3

install.sh

@@ -33,3 +33,14 @@ cp usr/local/lib/systemd/system/wp-cron.* /usr/local/lib/systemd/system/
 chmod 644 /usr/local/lib/systemd/system/wp-cron.*
 systemctl enable wp-cron.timer
 systemctl start wp-cron.timer
+
+# fail2ban wordpress configs
+if [[ -d /etc/fail2ban/ ]]; then
+  chmod 644 etc/fail2ban/filter.d/
+  cp -a etc/fail2ban/filter.d/* /etc/fail2ban/filter.d/
+  chmod 644 etc/fail2ban/jail.d/
+  cp -a etc/fail2ban/jail.d/* /etc/fail2ban/jail.d/
+  systemctl restart fail2ban
+else
+  echo "Fail2ban not installed, skipping fail2ban wordpress configs."
+fi

update.sh

@@ -59,3 +59,41 @@ if ! diff -q usr/local/lib/systemd/system/wp-cron.timer /usr/local/lib/systemd/s
   echo "wp-cron.timer updated"
   echo
 fi
+
+# check fail2ban wordpress configs
+if [[ -d /etc/fail2ban/ ]]; then
+  RESTARTF2B=false
+  if ! diff -q etc/fail2ban/filter.d/wp-auth.conf /etc/fail2ban/filter.d/wp-auth.conf ; then
+    cp etc/fail2ban/filter.d/wp-auth.conf /etc/fail2ban/filter.d/wp-auth.conf
+    chmod 644 /etc/fail2ban/filter.d/wp-auth.conf
+    echo "fail2ban/filter.d/wp-auth.conf updated"
+    echo
+    RESTARTF2B=true
+  fi
+  if ! diff -q etc/fail2ban/filter.d/xmlrpc.conf /etc/fail2ban/filter.d/xmlrpc.conf ; then
+    cp etc/fail2ban/filter.d/xmlrpc.conf /etc/fail2ban/filter.d/xmlrpc.conf
+    chmod 644 /etc/fail2ban/filter.d/xmlrpc.conf
+    echo "fail2ban/filter.d/xmlrpc.conf updated"
+    echo
+    RESTARTF2B=true
+  fi
+    if ! diff -q etc/fail2ban/jail.d/wp-auth.conf /etc/fail2ban/jail.d/wp-auth.conf ; then
+    cp etc/fail2ban/jail.d/wp-auth.conf /etc/fail2ban/jail.d/wp-auth.conf
+    chmod 644 /etc/fail2ban/jail.d/wp-auth.conf
+    echo "fail2ban/jail.d/wp-auth.conf updated"
+    echo
+    RESTARTF2B=true
+  fi
+  if ! diff -q etc/fail2ban/jail.d/xmlrpc.conf /etc/fail2ban/jail.d/xmlrpc.conf ; then
+    cp etc/fail2ban/jail.d/xmlrpc.conf /etc/fail2ban/jail.d/xmlrpc.conf
+    chmod 644 /etc/fail2ban/jail.d/xmlrpc.conf
+    echo "fail2ban/jail.d/xmlrpc.conf updated"
+    echo
+    RESTARTF2B=true
+  fi
+  if [[ $RESTARTF2B = true ]]; then
+    systemctl restart fail2ban
+  fi
+else
+  echo "Fail2ban not installed, skipping fail2ban wordpress configs."
+fi