From /var/log/auth.log:
Dec 7 21:25:35 big wordpress(rainer.sokoll.com)[4373]: XML-RPC authentication failure for rainer from 85.204.246.240
Dec 7 21:25:40 big wordpress(rainer.sokoll.com)[4373]: XML-RPC authentication failure for moritz from 85.204.246.240
Dec 7 21:26:00 big wordpress(rainer.sokoll.com)[3981]: XML-RPC authentication failure for rainer from 85.204.246.240
Dec 7 21:26:02 big wordpress(rainer.sokoll.com)[3981]: XML-RPC authentication failure for moritz from 85.204.246.240
Dec 7 21:26:24 big wordpress(rainer.sokoll.com)[4373]: XML-RPC authentication failure for rainer from 85.204.246.240
Dec 7 21:26:46 big wordpress(rainer.sokoll.com)[4778]: XML-RPC authentication failure for moritz from 85.204.246.240
Dec 7 21:27:18 big wordpress(rainer.sokoll.com)[4373]: XML-RPC authentication failure for rainer from 85.204.246.240
Dec 7 21:27:58 big wordpress(rainer.sokoll.com)[4373]: XML-RPC authentication failure for moritz from 85.204.246.240
Dec 7 21:28:19 big wordpress(rainer.sokoll.com)[3981]: XML-RPC authentication failure for rainer from 85.204.246.240
That is, of course, pretty nasty. Oh well:
root@big:/etc/fail2ban# tail -8 jail.local
[wordpress]
enabled = true
port = http,https
logpath = /var/log/auth.log
bantime = 600
findtime = 60
maxretry = 1
filter = wordpress
in combination with
root@big:/etc/fail2ban# cat filter.d/wordpress.conf
[Definition]
failregex = ^.*wordpress.*authentication failure for.* from <HOST>$
root@big:/etc/fail2ban#
takes care of it:
root@big:/etc/fail2ban# grep wordpress /var/log/fail2ban.log
2019-12-07 21:28:24,934 fail2ban.jail [23280]: INFO Creating new jail 'wordpress'
2019-12-07 21:28:24,936 fail2ban.jail [23280]: INFO Jail 'wordpress' uses poller {}
2019-12-07 21:28:24,965 fail2ban.jail [23280]: INFO Jail 'wordpress' started
2019-12-07 21:28:24,982 fail2ban.filter [23280]: INFO [wordpress] Found 85.204.246.240 - 2019-12-07 21:27:58
2019-12-07 21:28:24,983 fail2ban.filter [23280]: INFO [wordpress] Found 85.204.246.240 - 2019-12-07 21:28:19
2019-12-07 21:28:25,166 fail2ban.actions [23280]: NOTICE [wordpress] Ban 85.204.246.240
2019-12-07 21:38:19,996 fail2ban.actions [23280]: NOTICE [wordpress] Unban 85.204.246.240
root@big:/etc/fail2ban#
🙂
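
An added example, not part of the original post: a small Python model of what the filter and jail above decide, so the effect of failregex, findtime and maxretry can be checked offline. Assumptions: fail2ban's <HOST> tag is replaced by a simplified IPv4 pattern, bantime/unban is not modelled, the year 2019 is taken from fail2ban.log, and the sample lines are constructed (two from the log above, two invented).

```python
import re
from datetime import datetime, timedelta

# Simplified stand-in for fail2ban's <HOST> tag (IPv4 only; assumption of this example).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# Same expression as in filter.d/wordpress.conf, with <HOST> substituted.
FAILREGEX = re.compile(r"^.*wordpress.*authentication failure for.* from " + HOST + r"$")

FINDTIME = timedelta(seconds=60)  # findtime = 60
MAXRETRY = 1                      # maxretry = 1

# Constructed sample: lines 1-2 are from the post's auth.log, lines 3-4 are invented.
# Line 3 must not match (no "wordpress"). Line 4 carries " from <ip>" inside the
# user name field; the trailing $ keeps the captured host at the real end of line.
SAMPLE = """\
Dec 7 21:27:58 big wordpress(rainer.sokoll.com)[4373]: XML-RPC authentication failure for moritz from 85.204.246.240
Dec 7 21:28:19 big wordpress(rainer.sokoll.com)[3981]: XML-RPC authentication failure for rainer from 85.204.246.240
Dec 7 21:28:30 big sshd[999]: Accepted publickey for rainer from 192.0.2.10
Dec 7 21:28:41 big wordpress(rainer.sokoll.com)[3981]: XML-RPC authentication failure for x from 198.51.100.7 from 203.0.113.5
"""

def bans(lines, maxretry=MAXRETRY, findtime=FINDTIME, year=2019):
    """Return {ip: timestamp of the failure that reached maxretry within findtime}."""
    recent = {}  # ip -> failure timestamps still inside the findtime window
    banned = {}
    for line in lines:
        m = FAILREGEX.match(line)
        if not m:
            continue
        stamp = " ".join(line.split()[:3])  # e.g. "Dec 7 21:27:58"
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        ip = m.group("host")
        window = [t for t in recent.get(ip, []) if ts - t <= findtime] + [ts]
        recent[ip] = window
        if len(window) >= maxretry and ip not in banned:
            banned[ip] = ts
    return banned

if __name__ == "__main__":
    for ip, ts in bans(SAMPLE.splitlines()).items():
        print(f"Ban {ip} (triggered by failure at {ts})")
```

With maxretry = 1 a single mistyped password from a legitimate user is enough for a ten-minute ban; calling bans(..., maxretry=2) on the same sample shows how a less strict setting changes the outcome.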