add fail2ban filter for Wordpress

2026-04-06 20:59:08 +00:00 · 2020-05-15 00:53:01 +07:00
parent 34743805d2
commit ed0205bd47
3 changed files with 50 additions and 3 deletions
--- a/lib/lemper-create.sh
+++ b/lib/lemper-create.sh
@@ -1488,11 +1488,11 @@ function init_app() {

                # Enable fail2ban filter
                if [[ ${ENABLE_FAIL2BAN} == true ]]; then
-                    echo "Enable fail2ban's ${FRAMEWORK} filter for ${SERVERNAME}..."
+                    echo "Enable Fail2ban ${FRAMEWORK^} filter for ${SERVERNAME}..."

                    if [[ $(command -v fail2ban-client) && -f "/etc/fail2ban/filter.d/${FRAMEWORK}.conf" ]]; then
                        cat > "/etc/fail2ban/jail.d/${SERVERNAME}.conf" <<_EOL_
-[${FRAMEWORK}]
+[${SERVERNAME}]
 enabled = true
 port = http,https
 filter = ${FRAMEWORK}
@@ -1500,6 +1500,9 @@ action = iptables-multiport[name=webapps, port="http,https", protocol=tcp]
 logpath = ${WEBROOT}/access_log
 maxretry = 3
 _EOL_
+
+                        # Reload fail2ban
+                        run service fail2ban reload
                    else
                        info "Fail2ban or filter is not installed. Please install it first."
                    fi
--- a/lib/lemper-manage.sh
+++ b/lib/lemper-manage.sh
@@ -134,6 +134,10 @@ Options:
      Disable virtual host.
  -e, --enable <vhost domain name>
      Enable virtual host.
+  -F, --enable-fail2ban <vhost domain name>
+      Enable fail2ban jail.
+  --disable-fail2ban <vhost domain name>
+      Disable fail2ban jail.
  -g, --enable-gzip
      Enable Gzip compression.
  -p, --enable-pagespeed <vhost domain name>
@@ -295,6 +299,40 @@ function remove_vhost() {
    reload_nginx
 }

+
+function enable_fail2ban() {
+    # Verify user input hostname (domain name)
+    verify_vhost "${1}"
+
+    echo "Enabling Fail2ban ${FRAMEWORK^} filter for ${1}..."
+
+    # Get web root path from vhost config, first.
+    #shellcheck disable=SC2154
+    local WEBROOT && \
+    WEBROOT=$(grep -wE "set\ \\\$root_path" "/etc/nginx/sites-available/${1}.conf" | awk '{print $3}' | cut -d'"' -f2)
+
+    if [[ ! -d ${WEBROOT} ]]; then
+        read -rp "Enter real path to website root directory containing your access_log file: " -i "${WEBROOT}" -e WEBROOT
+    fi
+
+    if [[ $(command -v fail2ban-client) && -f "/etc/fail2ban/filter.d/${FRAMEWORK}.conf" ]]; then
+        cat > "/etc/fail2ban/jail.d/${1}.conf" <<_EOL_
+[${1}]
+enabled = true
+port = http,https
+filter = ${FRAMEWORK}
+action = iptables-multiport[name=webapps, port="http,https", protocol=tcp]
+logpath = ${WEBROOT}/access_log
+maxretry = 3
+_EOL_
+
+        # Reload fail2ban
+        run service fail2ban reload
+    else
+        info "Fail2ban or filter is not installed. Please install it first."
+    fi
+}
+
 ##
 # Enable Nginx's fastcgi cache.
 #
--- a/scripts/install_fail2ban.sh
+++ b/scripts/install_fail2ban.sh
@@ -87,11 +87,17 @@ function init_fail2ban_install() {
    else
        SSH_PORT=${SSH_PORT:-22}

+        # Add Wordpress custom filter.
+        run cp -f etc/fail2ban/filter.d/wordpress.conf /etc/fail2ban/filter.d/
+
        # Enable jail
        cat > /etc/fail2ban/jail.local <<_EOL_
 [DEFAULT]
 # banned for 30 days
-bantime = 2592000
+bantime = 30d
+
+# ignored ip (googlebot) - https://ipinfo.io/AS15169
+ignoreip = 66.249.64.0/19 66.249.64.0/20 66.249.80.0/22 66.249.84.0/23 66.249.88.0/24

 [sshd]
 enabled = true