The Fail2Ban service blocks the IP addresses of bots that try to guess passwords for your site. Such password-guessing has become common lately, and the large number of POST requests it sends to the login page puts a significant load on the web server. In the examples below we will block IP addresses for the popular CMS WordPress and for the ssh service.
1. Install the Fail2Ban service
1.1 Enable the EPEL repository
yum install epel-release
then enable it in /etc/yum.repos.d/epel.repo by setting enabled=1, and install the package:
yum install fail2ban
2. General settings
The Fail2ban service stores its configuration files in the /etc/fail2ban directory. There is a file with default values called jail.conf. Since this file may be overwritten by package updates, we should not use it. Instead, we will write a new file called jail.local. Any values defined in jail.local override the values in jail.conf.
jail.conf contains a [DEFAULT] section, followed by sections for individual services. jail.local can override any of these values. Additionally, the files in /etc/fail2ban/jail.d/ can be used to override the settings in both of these files. The files are applied in the following order:
/etc/fail2ban/jail.conf
/etc/fail2ban/jail.d/*.conf, alphabetically
/etc/fail2ban/jail.local
/etc/fail2ban/jail.d/*.local, alphabetically
Let's set our own defaults in the /etc/fail2ban/jail.local file:
[DEFAULT]
# Ban hosts for one hour:
bantime = 3600
# Override /etc/fail2ban/jail.d/00-firewalld.conf:
banaction = iptables-multiport
[sshd]
enabled = true
Let's restart the service:
service fail2ban restart
Let's check the status with the command:
fail2ban-client status
3. Wordpress filter
Let's add a filter and a rule (jail) that block an IP address which requested /wp-login.php (the WordPress login page) more than 10 times within 10 minutes.
3.1 Filter
/etc/fail2ban/filter.d/wordpress.conf
[Definition]
# <HOST> is required: Fail2Ban takes the IP address to ban from this group.
# A POST to wp-login.php answered with 200 is a failed login (a successful one redirects with 302).
failregex = ^<HOST> .* "POST .*/wp-login.php([/\?#\\].*)? HTTP/.*" 200
ignoreregex =
Fail2Ban applies this filter to the access log to find the IP addresses of failed login attempts.
3.2 Add jail
/etc/fail2ban/jail.d/wordpress.conf
[wordpress]
enabled = true
# The filter name must match the file name in /etc/fail2ban/filter.d/ (wordpress.conf)
filter = wordpress
action = iptables-multiport[name="wordpress", port="http,https"]
# 10 matching requests within 10 minutes (findtime is in seconds) trigger a ban
maxretry = 10
findtime = 600
# Continuation lines of logpath must be indented
logpath = /var/www/vhosts/system/*/logs/*access*log
          /var/log/httpd/*access_log
If you are using another web server, adapt the filter to the log format it produces and set logpath to the correct access log. After making changes, restart the service.
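To see what the filter and jail above actually decide, here is an added Python example (not part of this guide and not Fail2Ban's own code) that applies the same failregex and the 10-hits-in-10-minutes threshold to a few constructed Apache access-log lines; the <HOST> substitution is simplified to IPv4 and the log lines and IP addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Fail2Ban substitutes <HOST> with a named group; a simplified IPv4-only version is used here.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# The filter's failregex with <HOST> in front: a POST to wp-login.php answered with 200
# (WordPress answers a failed login with 200; a successful one redirects with 302).
FAILREGEX = re.compile(r'^' + HOST + r' .* "POST .*/wp-login.php([/\?#\\].*)? HTTP/.*" 200')
TIMESTAMP = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]")
MAXRETRY, FINDTIME = 10, 600  # the jail's thresholds: 10 hits within 600 seconds

def parse(line):
    """Return (host, timestamp) when the line matches the filter, else None."""
    m = FAILREGEX.search(line)
    t = TIMESTAMP.search(line)
    if not m or not t:
        return None
    return m.group("host"), datetime.strptime(t.group(1), "%d/%b/%Y:%H:%M:%S")

def offenders(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Hosts that accumulate maxretry matches inside a sliding findtime window."""
    recent, banned = defaultdict(list), set()
    for line in lines:
        hit = parse(line)
        if hit is None:
            continue
        host, ts = hit
        # keep only the hits that are still inside the window ending at this request
        recent[host] = [h for h in recent[host] if ts - h <= timedelta(seconds=findtime)] + [ts]
        if len(recent[host]) >= maxretry:
            banned.add(host)
    return banned

def sample_log():
    """Constructed Apache combined-log lines (documentation IP ranges, not real traffic)."""
    base = datetime(2023, 10, 10, 13, 0, 0)
    fmt = '{ip} - - [{ts} +0000] "{req} HTTP/1.1" {code} 512 "-" "Mozilla/5.0"'
    def entry(ip, seconds, req="POST /wp-login.php", code=200):
        ts = (base + timedelta(seconds=seconds)).strftime("%d/%b/%Y:%H:%M:%S")
        return fmt.format(ip=ip, ts=ts, req=req, code=code)
    lines = [entry("203.0.113.5", 30 * i) for i in range(12)]     # 12 failures in 6 minutes
    lines += [entry("198.51.100.7", 120 * i) for i in range(3)]    # 3 failures: below maxretry
    lines += [entry("192.0.2.9", 0, req="GET /wp-login.php")]      # viewing the page is not an attempt
    lines += [entry("192.0.2.9", 5, code=302)]                     # successful login: redirect, no match
    return lines

if __name__ == "__main__":
    print(sorted(offenders(sample_log())))
```

On a real server, `fail2ban-regex /var/log/httpd/access_log /etc/fail2ban/filter.d/wordpress.conf` performs the same matching against the live log with Fail2Ban's own engine and reports how many lines the filter catches.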