gbot/jail.local

## jail.local
[wordpress]
enabled = true
filter = wordpress
action = iptables-multiport[name="wordpress", port="http,https"]
    slack-notify[name="wordpress"]
logpath = /sites/*/logs/access.log
    /var/log/nginx/access.log
maxretry = 5

## slack-notify.conf
# Send Fail2Ban notifications to Slack, via the chat.postMessage API method
# Add your Slack API token and channel at end of this file
# Author: Gavin Botica
# gbotica@gmail.com

[Definition]
# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
actionstart = curl -s -o /dev/null 'https://slack.com/api/chat.postMessage' -d 'token=<slack_api_token>' -d 'channel=#<slack_channel>' -d 'parse=none' -d "text=:white_check_mark: *<fq-hostname>*: jail *<name>* started"

# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
actionstop = curl -s -o /dev/null 'https://slack.com/api/chat.postMessage' -d 'token=<slack_api_token>' -d 'channel=#<slack_channel>' -d 'parse=none' -d "text=:negative_squared_cross_mark: *<fq-hostname>*: jail *<name>* stopped"

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
actioncheck =

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values:  CMD
actionban = curl -s -o /dev/null 'https://slack.com/api/chat.postMessage' -d 'token=<slack_api_token>' -d 'channel=#<slack_channel>' -d 'parse=none' -d "text=:red_circle: *<fq-hostname>*: jail *<name>* BAN *<https://ipinfo.io/<ip>|<ip>>* for <failures> failure(s)"

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values:  CMD
actionunban = curl -s -o /dev/null 'https://slack.com/api/chat.postMessage' -d 'token=<slack_api_token>' -d 'channel=#<slack_channel>' -d 'parse=none' -d "text=:white_circle: *<fq-hostname>*: jail *<name>* UNBAN *<https://ipinfo.io/<ip>|<ip>>*"

[Init]
init = 'Sending notification to Slack'
slack_api_token =
slack_channel =

## wordpress.conf
# Fail2Ban filter for wordpress authentication failures

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#

# Note: wp-login will return a 200 code on failed login and a 302 on success
failregex = ^<HOST>.* "POST .*/wp-login.php([/\?#\\].*)? HTTP/.*" 200

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
	[wordpress]
	enabled = true
	filter = wordpress
	action = iptables-multiport[name="wordpress", port="http,https"]
	slack-notify[name="wordpress"]
	logpath = /sites/*/logs/access.log
	/var/log/nginx/access.log
	maxretry = 5
	# Send Fail2Ban notifications to Slack, via the chat.postMessage API method
	# Add your Slack API token and channel at end of this file
	# Author: Gavin Botica
	# gbotica@gmail.com

	[Definition]
	# Option: actionstart
	# Notes.: command executed once at the start of Fail2Ban.
	# Values: CMD
	actionstart = curl -s -o /dev/null 'https://slack.com/api/chat.postMessage' -d 'token=<slack_api_token>' -d 'channel=#<slack_channel>' -d 'parse=none' -d "text=:white_check_mark: <fq-hostname>: jail <name> started"

	# Option: actionstop
	# Notes.: command executed once at the end of Fail2Ban
	# Values: CMD
	actionstop = curl -s -o /dev/null 'https://slack.com/api/chat.postMessage' -d 'token=<slack_api_token>' -d 'channel=#<slack_channel>' -d 'parse=none' -d "text=:negative_squared_cross_mark: <fq-hostname>: jail <name> stopped"

	# Option: actioncheck
	# Notes.: command executed once before each actionban command
	# Values: CMD
	actioncheck =

	# Option: actionban
	# Notes.: command executed when banning an IP. Take care that the
	# command is executed with Fail2Ban user rights.
	# Tags: <ip> IP address
	# <failures> number of failures
	# <time> unix timestamp of the ban time
	# Values: CMD
	actionban = curl -s -o /dev/null 'https://slack.com/api/chat.postMessage' -d 'token=<slack_api_token>' -d 'channel=#<slack_channel>' -d 'parse=none' -d "text=:red_circle: <fq-hostname>: jail <name> BAN <https://ipinfo.io/<ip>\|<ip>> for <failures> failure(s)"

	# Option: actionunban
	# Notes.: command executed when unbanning an IP. Take care that the
	# command is executed with Fail2Ban user rights.
	# Tags: <ip> IP address
	# <failures> number of failures
	# <time> unix timestamp of the ban time
	# Values: CMD
	actionunban = curl -s -o /dev/null 'https://slack.com/api/chat.postMessage' -d 'token=<slack_api_token>' -d 'channel=#<slack_channel>' -d 'parse=none' -d "text=:white_circle: <fq-hostname>: jail <name> UNBAN <https://ipinfo.io/<ip>\|<ip>>"

	[Init]
	init = 'Sending notification to Slack'
	slack_api_token =
	slack_channel =
	# Fail2Ban filter for wordpress authentication failures

	[Definition]

	# Option: failregex
	# Notes.: regex to match the password failures messages in the logfile. The
	# host must be matched by a group named "host". The tag "<HOST>" can
	# be used for standard IP/hostname matching and is only an alias for
	# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
	# Values: TEXT
	#

	# Note: wp-login will return a 200 code on failed login and a 302 on success
	failregex = ^<HOST>.* "POST ./wp-login.php([/\?#\\].)? HTTP/.*" 200

	# Option: ignoreregex
	# Notes.: regex to ignore. If this regex matches, the line is ignored.
	# Values: TEXT
	#
	ignoreregex =