Skip to content

Instantly share code, notes, and snippets.

@gbot
Last active Oct 6, 2021
Embed
What would you like to do?
Fail2Ban filter, jail and action (Slack message) for WordPress login failures on Spinup WP servers
[wordpress]
enabled = true
filter = wordpress
action = iptables-multiport[name="wordpress", port="http,https"]
slack-notify[name="wordpress"]
logpath = /sites/*/logs/access.log
/var/log/nginx/access.log
maxretry = 5
# Send Fail2Ban notifications to Slack, via the chat.postMessage API method
# Add your Slack API token and channel at end of this file
# Author: Gavin Botica
# gbotica@gmail.com
[Definition]
# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
actionstart = curl -s -o /dev/null 'https://slack.com/api/chat.postMessage' -d 'token=<slack_api_token>' -d 'channel=#<slack_channel>' -d 'parse=none' -d "text=:white_check_mark: *<fq-hostname>*: jail *<name>* started"
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
actionstop = curl -s -o /dev/null 'https://slack.com/api/chat.postMessage' -d 'token=<slack_api_token>' -d 'channel=#<slack_channel>' -d 'parse=none' -d "text=:negative_squared_cross_mark: *<fq-hostname>*: jail *<name>* stopped"
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
actioncheck =
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: <ip> IP address
# <failures> number of failures
# <time> unix timestamp of the ban time
# Values: CMD
actionban = curl -s -o /dev/null 'https://slack.com/api/chat.postMessage' -d 'token=<slack_api_token>' -d 'channel=#<slack_channel>' -d 'parse=none' -d "text=:red_circle: *<fq-hostname>*: jail *<name>* BAN *<https://ipinfo.io/<ip>|<ip>>* for <failures> failure(s)"
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: <ip> IP address
# <failures> number of failures
# <time> unix timestamp of the ban time
# Values: CMD
actionunban = curl -s -o /dev/null 'https://slack.com/api/chat.postMessage' -d 'token=<slack_api_token>' -d 'channel=#<slack_channel>' -d 'parse=none' -d "text=:white_circle: *<fq-hostname>*: jail *<name>* UNBAN *<https://ipinfo.io/<ip>|<ip>>*"
[Init]
init = 'Sending notification to Slack'
slack_api_token =
slack_channel =
# Fail2Ban filter for wordpress authentication failures
[Definition]
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
# Note: wp-login will return a 200 code on failed login and a 302 on success
failregex = ^<HOST>.* "POST .*/wp-login.php([/\?#\\].*)? HTTP/.*" 200
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment