Fail2Ban Wordpress jail issues

[Chris1]

Hello,

I have a custom jail set up to match the following:

failregex = <HOST>.*] "POST /wp-login.php

This does work however it seems that when it is running on a server with ~300 domains it struggles to ban IP's efficiently.

Log path is set to:

logpath = /var/www/vhosts/system/*/logs/access_log

A warning appears in the Fail2Ban section that states:

Warning: Fail2Ban might not work well if there are many domains and Fail2Ban has to monitor too many log files.

As the "*" would be making it scan ~300 log files, is there a more efficient way of scanning for Wordpress login attempts?

Even though I have it set to 5 attempts before being banned, it can sometimes take up to 30-60 minutes to ban the offending IP even if they are brute forcing with an attempt every second.

Kind regards,
Chris

 

[gbotica]

Hi,

I can't help you with getting fail2ban to work any better with ~300 domains, however -- I use a similar filter for failed WP logins and use this failregex:

failregex = ^<HOST>.*] "POST /wp-login.php HTTP/.*" 200

I think with your filter as it is, you would be catching ALL posts to wp-login.php, rather than just failed logins. A successful login does a 302 redirect, and failed login does a 200.