- Make sure you follow the guide to set up fail2ban for BusinessPress.
- Edit `/etc/fail2ban/action.d/iptables.conf`, changing `blocktype = REJECT --reject-with icmp-port-unreachable` and `blocktype = REJECT --reject-with icmp6-port-unreachable` to `blocktype = DROP`. This is intended to stop further malicious requests from being sent over an already established TCP connection. (A `/etc/fail2ban/action.d/iptables.local` file carrying the same `blocktype` override, under the same section headers as in `iptables.conf`, does the same job and survives package upgrades.)
- Create `/etc/fail2ban/filter.d/waf.conf`:

```ini
# Fail2Ban configuration file
#
[INCLUDES]
# Read common prefixes. If any customizations are available, read them from
# common.local
before = common.conf

[Definition]
# Daemon name that appears in the syslog prefix of BusinessPress WAF lines
_daemon = (?:wordpress|wp)

# Option:  failregex
# Notes.:  regex to match the WAF block messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
failregex = ^%(__prefix_line)sBusinessPress WAF .* from <HOST>$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
```
- Create `/etc/fail2ban/jail.d/waf.conf`:

```ini
[waf]
enabled  = true
filter   = waf
logpath  = /var/log/auth.log
port     = http,https
# ban after a single bad request
maxretry = 1
findtime = 1200
# -1 bans the IP permanently
bantime  = -1
# never ban localhost or the server's own address
ignoreip = 127.0.0.1 {your server IP here}
```

With `maxretry = 1` and a permanent ban, a single false positive locks a client out for good, so keep your own addresses (and anything else that legitimately talks to the site, such as monitoring hosts) in `ignoreip`.
- Run `fail2ban-client reload` and then `fail2ban-client status`; you should now see `waf` in the jail list:

```text
# fail2ban-client status
Status
|- Number of jail: 4
`- Jail list: repeated, sshd, waf, wordpress
```
- Optionally, confirm first that the filter matches real log lines with `fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/waf.conf`, which reports how many lines matched.
- Use a VPN or some spare server to make a request to a URL like `https://your-site.com/.env`.
- Check `fail2ban-client status waf` to verify that the IP has been banned. Since the ban is permanent, release your test address afterwards with `fail2ban-client set waf unbanip <IP>`.
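To see what the `waf` filter and jail above actually do, here is an added Python example (not part of this page or of the BusinessPress project) that runs the `failregex` over a few constructed `auth.log` lines and then applies the jail's `maxretry` and `ignoreip` logic. The `__prefix_line` stand-in is a simplified assumption, not fail2ban's real `common.conf` expansion, and the message wording of the sample lines is invented; only the `BusinessPress WAF ... from <HOST>` shape comes from the filter.

```python
import re
from collections import Counter

# Constructed sample of /var/log/auth.log lines. The message wording is invented;
# only the "BusinessPress WAF ... from <HOST>" shape comes from the filter above.
SAMPLE_LOG = """\
Jan 12 10:15:03 web1 wp[1234]: BusinessPress WAF blocked GET /.env from 203.0.113.42
Jan 12 10:15:04 web1 sshd[999]: Failed password for invalid user admin from 203.0.113.9 port 4242 ssh2
Jan 12 10:15:05 web1 wordpress[1234]: BusinessPress WAF blocked GET /wp-config.php.bak from ::ffff:198.51.100.7
Jan 12 10:15:06 web1 wp[1234]: BusinessPress WAF blocked GET /.git/config from 203.0.113.42
Jan 12 10:15:07 web1 wp[1234]: plugin notice from 192.0.2.1
"""

# _daemon as defined in the filter file.
_DAEMON = r"(?:wordpress|wp)"

# Simplified stand-in for fail2ban's common.conf __prefix_line (an assumption,
# not the real expansion): syslog timestamp, hostname, daemon name, optional [pid].
PREFIX_LINE = (
    r"\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+"   # Jan 12 10:15:03
    r"\S+\s+"                                   # hostname
    + _DAEMON + r"(?:\[\d+\])?:\s+"             # wp[1234]:
)

# fail2ban expands <HOST> to this alias (quoted in the filter's own comment);
# the optional "::ffff:" group strips the IPv4-mapped IPv6 prefix.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# failregex = ^%(__prefix_line)sBusinessPress WAF .* from <HOST>$
FAILREGEX = re.compile("^" + PREFIX_LINE + r"BusinessPress WAF .* from " + HOST + "$")


def matching_hosts(log_text):
    """Return the <host> captured from every line the failregex matches, in order."""
    hosts = []
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if m:
            hosts.append(m.group("host"))
    return hosts


def hosts_to_ban(log_text, maxretry=1, ignoreip=("127.0.0.1",)):
    """Apply the jail logic: ban a host once it has maxretry matches, unless it
    is listed in ignoreip. findtime is not modelled here; every line is treated
    as falling inside one window."""
    counts = Counter(matching_hosts(log_text))
    return sorted(h for h, n in counts.items() if n >= maxretry and h not in ignoreip)


if __name__ == "__main__":
    print("matches:", matching_hosts(SAMPLE_LOG))
    print("ban (maxretry=1):", hosts_to_ban(SAMPLE_LOG))
    print("ban (server IP ignored):",
          hosts_to_ban(SAMPLE_LOG, ignoreip=("127.0.0.1", "203.0.113.42")))
```

The sshd line and the unrelated plugin notice are never counted, and the IPv4-mapped address is normalised to `198.51.100.7` before it reaches the ban list, which is what the real jail would do as well. On the live host the equivalent check is `fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/waf.conf`.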