How to block repeated offenders with BusinessPress

Fail2Ban is a great tool to prevent password guessing on your server or website. However we always run into the issue that the limit was either too high or low. What it really needs is a way of banning the users who try again and again forever.

When banning an IP forever you have to be extra careful to not ban Googlebot or other important web crawler.

1. Create /usr/local/bin/ignore_ip_check.sh which resolves the IP to see if it’s any known web crawler that must not be banned.

#!/bin/bash
IP="$1"
HOSTRESULT=$(host -W 1 ${IP})
REGEX='.*(googlebot.com|google.com|search.msn.com|yandex.ru|yandex.net|yandex.com).$'
if [[ "$HOSTRESULT" =~ $REGEX ]]; then exit 0; else exit 1; fi

2. Make sure other users can execute it using chmod u+x /usr/local/bin/ignore_ip_check.sh.

3. Create the new Fail2Ban filter in /etc/fail2ban/filter.d/repeated.conf:

# Fail2Ban configuration file
#
# Author: Foliovision
#

[INCLUDES]

before = common.conf


[Definition]

_daemon = fail2ban.actionss*

failregex = ^(%(__prefix_line)s| %(_daemon)s%(__pid_re)s?:s+)NOTICEs+[(?:sshd|wordpress)]s+Bans+<HOST>s*$

This file gives Fail2Ban the regex to use for log file parsing.

4. Create the new Fail2Ban jail in /etc/fail2ban/jail.d/repeated.conf.

[repeated]
enabled = true
filter = repeated 
logpath = /var/log/fail2ban.log
port = http,https
backend = auto

maxretry = 3 
findtime = 86400 
bantime = 5184000 

ignoreip = 127.0.0.1 {your server IP}
ignorecommand = /usr/local/bin/ignore_ip_check.sh "<ip>"

This file tells Fail2Ban which file to scan – it’s the actual Fail2Ban log file!

5. Run fail2ban-client -d to check configuration, fail2ban-client reload to reload it and fail2ban-client status to verify the new jail is added. You should now see repeated in the list:

# fail2ban-client status
Status
|- Number of jail:  4
`- Jail list:   repeated, sshd, waf, wordpress

6. Now you can try to guess the password too many times (use your VPN or a spare server), then unban the IP using fail2ban-client, try to guess the password once again and you should find the IP on the fail2ban-client status repeated block list.