Fail2Ban and WordPress

I noticed some unusual activity on my webserver recently, and tracked it down to brute-force login attempts against WordPress installs. I did a little searching and found wp-fail2ban. Without too much tweaking of rsyslog, I got the auth messages forwarded to my firewall, where I set about getting fail2ban to monitor for login attempts. I was using the supplied wordpress.conf filter that came with the plugin, but it was failing to match the regex because of the 32-character limit on the syslog tag. Essentially, a tag that should be of the form

wordpress(www.example.com)[12345]

would sometimes be truncated to

wordpress(www.longdomainname.com

This would cause the regex to fail. So if you have long domain names, you may need to modify wordpress.conf. In my case, I just removed

^%(__prefix_line)

from the beginning of the regex.
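To make the effect of that change visible, here is an added Python example (not code from the post or from the wp-fail2ban project). It uses a simplified stand-in for fail2ban's `__prefix_line`, constructed syslog lines, and the "Authentication failure for ... from ..." message wording assumed from the plugin's filter; it also goes one step beyond the post with a third regex that keeps the `wordpress(` tag check but tolerates the truncation, so lines from unrelated daemons are not caught.

```python
import re

# Simplified stand-in for fail2ban's __prefix_line (an assumption; the real
# definition in common.conf is more elaborate). It requires the syslog tag to
# end with ")[pid]:", which is exactly what the 32-character truncation breaks.
PREFIX_LINE = r"\S+\s+\d+\s+\d\d:\d\d:\d\d\s+\S+\s+wordpress\(\S+\)\[\d+\]:\s+"
HOST = r"(?P<host>\S+)"  # stand-in for fail2ban's <HOST> token
MESSAGE = r"Authentication failure for .* from " + HOST + r"$"

# Original filter: anchored on the full prefix, so a truncated tag never matches.
ORIGINAL_RE = re.compile(r"^" + PREFIX_LINE + MESSAGE)
# The post's fix: prefix dropped, so the syslog tag is not inspected at all.
MODIFIED_RE = re.compile(MESSAGE)
# Added variant: still insists the tag starts with "wordpress(", but accepts a
# tag that was cut off before ")[pid]". \S+ then backtracks to the final colon.
TOLERANT_RE = re.compile(r"^\S+\s+\d+\s+\d\d:\d\d:\d\d\s+\S+\s+wordpress\(\S+:\s+" + MESSAGE)

# Constructed sample lines: a normal tag, a tag truncated at 32 characters
# (exactly the case from the post), and a look-alike line from another daemon.
SAMPLE_LOG = [
    "Jan 10 12:00:00 web1 wordpress(www.example.com)[12345]: "
    "Authentication failure for admin from 203.0.113.5",
    "Jan 10 12:00:01 web1 wordpress(www.longdomainname.com: "
    "Authentication failure for admin from 203.0.113.6",
    "Jan 10 12:00:02 web1 otherapp[99]: "
    "Authentication failure for bob from 198.51.100.9",
]


def extract_hosts(regex, lines):
    """Return the <HOST> values a filter would hand to fail2ban, in order."""
    hosts = []
    for line in lines:
        match = regex.search(line)
        if match:
            hosts.append(match.group("host"))
    return hosts


if __name__ == "__main__":
    for name, regex in (("original", ORIGINAL_RE), ("modified", MODIFIED_RE),
                        ("tolerant", TOLERANT_RE)):
        print(f"{name:9s} -> {extract_hosts(regex, SAMPLE_LOG)}")
```

The original filter misses the truncated line; dropping the prefix catches it but also bans the unrelated daemon's line, while the tolerant variant catches only the WordPress lines.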
