diff -Nur smeserver-fail2ban-0.1.18.old/root/etc/e-smith/templates/etc/fail2ban/jail.conf/45wordpress smeserver-fail2ban-0.1.18/root/etc/e-smith/templates/etc/fail2ban/jail.conf/45wordpress
--- smeserver-fail2ban-0.1.18.old/root/etc/e-smith/templates/etc/fail2ban/jail.conf/45wordpress 1969-12-31 19:00:00.000000000 -0500
+++ smeserver-fail2ban-0.1.18/root/etc/e-smith/templates/etc/fail2ban/jail.conf/45wordpress 2019-04-09 23:23:57.038000000 -0400
@@ -0,0 +1,68 @@
+{
+
+my $status = $fail2ban{'wordpress'} || 'disabled';
+return "\n# wordpress disabled \n" if ($status ne 'enabled') ;
+my @ports = ();
+push @ports, (${'httpd-e-smith'}{'TCPPort'} || '80');
+push @ports, ($modSSL{'TCPPort'} || '443');
+my $port = join (",", @ports);
+
+my $wphbantime = $fail2ban{'WPHbantime'} || $bantime;
+my $wpsbantime = $fail2ban{'WPSbantime'} || $bantime;
+my $wpxbantime = $fail2ban{'WPXbantime'} || $bantime;
+my $wphfindtime = $fail2ban{'WPHfindtime'} || $findtime;
+my $wpsfindtime = $fail2ban{'WPSfindtime'} || $findtime;
+my $wpxfindtime = $fail2ban{'WPXfindtime'} || $findtime;
+my $wphmaxretry = $fail2ban{'WPHmaxretry'} || $maxretry;
+my $wpsmaxretry = $fail2ban{'WPSmaxretry'} || $maxretry;
+my $wpxmaxretry = $fail2ban{'WPXmaxretry'} || $maxretry;
+
+$OUT .=<<"EOF";
+
+[wordpress-hard]
+enabled = true
+filter = wordpress-hard
+logpath = /var/log/messages
+findtime = $wphfindtime
+maxretry = $wphmaxretry
+bantime = $wphbantime
+backend = polling
+action = smeserver-iptables[port="$port",protocol=tcp,bantime=$wphbantime]
+EOF
+$OUT .= " smeserver-sendmail[name="Wordpress (hard)",dest=$maildest]\n"
+ if ($mail eq 'enabled');
+
+
+$OUT .=<<"EOF";
+
+[wordpress-soft]
+enabled = true
+filter = wordpress-soft
+logpath = /var/log/messages
+findtime = $wpsfindtime
+maxretry = $wpsmaxretry
+bantime = $wpsbantime
+backend = polling
+action = smeserver-iptables[port="$port",protocol=tcp,bantime=$wpsbantime]
+EOF
+$OUT .= " smeserver-sendmail[name="Wordpress (soft)",dest=$maildest]\n"
+ if ($mail eq 'enabled');
+
+
+$OUT .=<<"EOF";
+
+[apache-xmlrpc]
+enabled = true
+port = http,https
+filter = apache-xmlrpc
+logpath = /var/log/httpd/access_log
+findtime = $wpxfindtime
+maxretry = $wpxmaxretry
+bantime = $wpxbantime
+action = smeserver-iptables[port="$port",protocol=tcp,bantime=$wpxbantime]
+EOF
+$OUT .= " smeserver-sendmail[name="Wordpress (xmlrpc)",dest=$maildest]\n"
+ if ($mail eq 'enabled');
+
+}
+
diff -Nur
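Review bot: The three `smeserver-sendmail` lines put unescaped double quotes inside a double-quoted Perl string, e.g. `$OUT .= " smeserver-sendmail[name="Wordpress (hard)",dest=$maildest]\n"`, so the string ends at `name=` and the block will not compile as written. Because the whole fragment is a single `{ ... }` Perl block, this would break all three wordpress jails even when `$mail` is not `enabled`. Escape the inner quotes, `name=\"Wordpress (hard)\"`, and do the same on the `(soft)` and `(xmlrpc)` lines. Separately, `[apache-xmlrpc]` sets a fixed `port = http,https` while its action uses `$port`; dropping the fixed line would keep the three jails consistent with the configured httpd ports.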
smeserver-fail2ban-0.1.18.old/root/etc/fail2ban/filter.d/apache-xmlrpc.conf smeserver-fail2ban-0.1.18/root/etc/fail2ban/filter.d/apache-xmlrpc.conf
--- smeserver-fail2ban-0.1.18.old/root/etc/fail2ban/filter.d/apache-xmlrpc.conf 1969-12-31 19:00:00.000000000 -0500
+++ smeserver-fail2ban-0.1.18/root/etc/fail2ban/filter.d/apache-xmlrpc.conf 2019-04-09 22:58:52.245000000 -0400
@@ -0,0 +1,5 @@
+[Definition]
+failregex = ^ .*POST .*xmlrpc\.php.*
+ignoreregex =
+
+# source http://xplus3.net/2013/05/09/securing-xmlrpc-wordpress/
diff -Nur smeserver-fail2ban-0.1.18.old/root/etc/fail2ban/filter.d/wordpress-hard.conf smeserver-fail2ban-0.1.18/root/etc/fail2ban/filter.d/wordpress-hard.conf
--- smeserver-fail2ban-0.1.18.old/root/etc/fail2ban/filter.d/wordpress-hard.conf 1969-12-31 19:00:00.000000000 -0500
+++ smeserver-fail2ban-0.1.18/root/etc/fail2ban/filter.d/wordpress-hard.conf 2019-04-09 22:53:33.432000000 -0400
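Review bot: `failregex = ^ .*POST .*xmlrpc\.php.*` counts every POST log line that mentions `xmlrpc.php` anywhere after the method, whatever the response status, so legitimate XML-RPC clients are counted toward `maxretry` alongside brute-force traffic, and a POST to another URL that carries `xmlrpc.php` in a later field also matches. Tie the match to the request target, for example `failregex = ^<HOST> .*"POST \S*/xmlrpc\.php\S* HTTP/`, and add a comment stating that all XML-RPC POSTs are treated as failures so operators know to exempt trusted publishers with `ignoreip`. As shown here the expression also has no `<HOST>` tag after `^`, and the `failregex` lines in wordpress-hard.conf and wordpress-soft.conf end in `from $` without one; if that is in the files rather than lost in rendering, fail2ban has no address to ban.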
@@ -0,0 +1,26 @@
+# Fail2Ban filter for WordPress hard failures
+#
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_daemon = (?:wordpress|wp)
+
+failregex = ^%(__prefix_line)sAuthentication attempt for unknown user .* from $
+ ^%(__prefix_line)sBlocked user enumeration attempt from $
+ ^%(__prefix_line)sBlocked authentication attempt for .* from $
+ ^%(__prefix_line)sPingback error .* generated from $
+ ^%(__prefix_line)sSpam comment \d+ from $
+ ^%(__prefix_line)sXML-RPC authentication attempt for unknown user .* from $
+ ^%(__prefix_line)sXML-RPC multicall authentication failure from $
+
+ignoreregex =
+
+# DEV Notes:
+# Requires the 'WP fail2ban' plugin:
+# https://wordpress.org/plugins/wp-fail2ban/
+#
+# Author: Charles Lecklider
diff -Nur smeserver-fail2ban-0.1.18.old/root/etc/fail2ban/filter.d/wordpress-soft.conf smeserver-fail2ban-0.1.18/root/etc/fail2ban/filter.d/wordpress-soft.conf
--- smeserver-fail2ban-0.1.18.old/root/etc/fail2ban/filter.d/wordpress-soft.conf 1969-12-31 19:00:00.000000000 -0500
+++ smeserver-fail2ban-0.1.18/root/etc/fail2ban/filter.d/wordpress-soft.conf 2019-04-09 22:53:19.722000000 -0400
@@ -0,0 +1,31 @@
+# Fail2Ban configuration file
+#
+# Author: Charles Lecklider
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+
+[Definition]
+
+_daemon = (?:wordpress|wp)
+
+# Option: failregex
+# Notes.: regex to match the password failures messages in the logfile. The
+# host must be matched by a group named "host". The tag "" can
+# be used for standard IP/hostname matching and is only an alias for
+# (?:::f{4,6}:)?(?P[\w\-.^_]+)
+# Values: TEXT
+#
+failregex = ^%(__prefix_line)sAuthentication failure for .* from $
+ ^%(__prefix_line)sXML-RPC authentication failure from $
+
+# Option: ignoreregex
+# Notes.: regex to ignore. If this regex matches, the line is ignored.
+# Values: TEXT
+#
+ignoreregex =