tuxmartin/gist:d3fd5975bccee1441a302e76faa3d874

## gistfile1.txt
# https://plugins.svn.wordpress.org/wp-fail2ban/trunk/filters.d/wordpress-hard.conf
# https://github.com/TrogloGeek/fail2ban-apache-sqlinject

# Test: fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/wordpress.conf

[INCLUDES]
before = common.conf

[Definition]

sqlfragments_generic = select.*from|delete.*from|update.*set|insert.*into|replace.*(value|set)
sqlfragments_havij = and(\+|%%20)ascii%%28substring|and(\+|%%20)Length|union(\+|%%20)all(\+|%%20)select|and(\+|%%20)1%%3C1|and(\+|%%20)1%%3D1|and(\+|%%20)1%%3E1|and(\+|%%20)%%27.%%27%%3D%%27|%%2F\*%%21[0-9]+((\+|%%20)[0-9]*)?\*%%2F

_daemon = (?:wordpress|wp)

failregex = ^<HOST> -[^"]*"[A-Z]+\s+/[^"]*\?[^"]*(?:%(sqlfragments_generic)s|%(sqlfragments_havij)s)[^"]*HTTP[^"]*"
            ^%(__prefix_line)sAuthentication attempt for unknown user .* from <HOST>$
            ^%(__prefix_line)sXML-RPC authentication attempt for unknown user .* from <HOST>$
            ^%(__prefix_line)sSpam comment \d+ from <HOST>$
            ^%(__prefix_line)sBlocked user enumeration attempt from <HOST>$
            ^%(__prefix_line)sBlocked authentication attempt for .* from <HOST>$
            ^%(__prefix_line)sXML-RPC multicall authentication failure from <HOST>$
            ^%(__prefix_line)sPingback error .* generated from <HOST>$

ignoreregex =


#[wordpress]
#
#enabled = true
#filter  = wordpress
#logpath = /var/log/auth.log
#port    = http,https
#maxretry = 3
#port = http,https
#chain = INPUT


## gistfile2.txt
root@web:/# fail2ban-regex /var/log/apache2/access_web1.log /etc/fail2ban/filter.d/wordpress.conf

Running tests
=============

Use   failregex filter file : wordpress, basedir: /etc/fail2ban
Use         log file : /var/log/apache2/access_web1.log
Use         encoding : UTF-8


Results
=======

Failregex: 12991 total
|-  #) [# of hits] regular expression
|   1) [12991] ^<HOST> -[^"]*"[A-Z]+\s+/[^"]*\?[^"]*(?:select.*from|delete.*from|update.*set|insert.*into|replace.*(value|set)|and(\+|%20)ascii%28substring|and(\+|%20)Length|union(\+|%20)all(\+|%20)select|and(\+|%20)1%3C1|and(\+|%20)1%3D1|and(\+|%20)1%3E1|and(\+|%20)%27.%27%3D%27|%2F\*%21[0-9]+((\+|%20)[0-9]*)?\*%2F)[^"]*HTTP[^"]*"
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [163252] Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
`-

Lines: 163252 lines, 0 ignored, 12991 matched, 150261 missed
[processed in 36.51 sec]

Missed line(s): too many to print.  Use --print-all-missed to print all 150261 lines
root@web:/#
	# https://plugins.svn.wordpress.org/wp-fail2ban/trunk/filters.d/wordpress-hard.conf
	# https://github.com/TrogloGeek/fail2ban-apache-sqlinject

	# Test: fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/wordpress.conf

	[INCLUDES]
	before = common.conf

	[Definition]

	sqlfragments_generic = select.from\|delete.from\|update.set\|insert.into\|replace.*(value\|set)
	sqlfragments_havij = and(\+\|%%20)ascii%%28substring\|and(\+\|%%20)Length\|union(\+\|%%20)all(\+\|%%20)select\|and(\+\|%%20)1%%3C1\|and(\+\|%%20)1%%3D1\|and(\+\|%%20)1%%3E1\|and(\+\|%%20)%%27.%%27%%3D%%27\|%%2F\%%21[0-9]+((\+\|%%20)[0-9])?\*%%2F

	_daemon = (?:wordpress\|wp)

	failregex = ^<HOST> -[^"]"[A-Z]+\s+/[^"]\?[^"](?:%(sqlfragments_generic)s\|%(sqlfragments_havij)s)[^"]HTTP[^"]*"
	^%(__prefix_line)sAuthentication attempt for unknown user .* from <HOST>$
	^%(__prefix_line)sXML-RPC authentication attempt for unknown user .* from <HOST>$
	^%(__prefix_line)sSpam comment \d+ from <HOST>$
	^%(__prefix_line)sBlocked user enumeration attempt from <HOST>$
	^%(__prefix_line)sBlocked authentication attempt for .* from <HOST>$
	^%(__prefix_line)sXML-RPC multicall authentication failure from <HOST>$
	^%(__prefix_line)sPingback error .* generated from <HOST>$

	ignoreregex =



	#[wordpress]
	#
	#enabled = true
	#filter = wordpress
	#logpath = /var/log/auth.log
	#port = http,https
	#maxretry = 3
	#port = http,https
	#chain = INPUT
	root@web:/# fail2ban-regex /var/log/apache2/access_web1.log /etc/fail2ban/filter.d/wordpress.conf

	Running tests
	=============

	Use failregex filter file : wordpress, basedir: /etc/fail2ban
	Use log file : /var/log/apache2/access_web1.log
	Use encoding : UTF-8


	Results
	=======

	Failregex: 12991 total
	\|- #) [# of hits] regular expression
	\| 1) [12991] ^<HOST> -[^"]"[A-Z]+\s+/[^"]\?[^"](?:select.from\|delete.from\|update.set\|insert.into\|replace.(value\|set)\|and(\+\|%20)ascii%28substring\|and(\+\|%20)Length\|union(\+\|%20)all(\+\|%20)select\|and(\+\|%20)1%3C1\|and(\+\|%20)1%3D1\|and(\+\|%20)1%3E1\|and(\+\|%20)%27.%27%3D%27\|%2F\%21[0-9]+((\+\|%20)[0-9])?\%2F)[^"]HTTP[^"]*"
	`-

	Ignoreregex: 0 total

	Date template hits:
	\|- [# of hits] date format
	\| [163252] Day(?P<_sep>[-/])MON(?P=_sep)Year[ :]?24hour:Minute:Second(?:\.Microseconds)?(?: Zone offset)?
	`-

	Lines: 163252 lines, 0 ignored, 12991 matched, 150261 missed
	[processed in 36.51 sec]

	Missed line(s): too many to print. Use --print-all-missed to print all 150261 lines
	root@web:/#