Hello.
aaPanel basically has this feature built in, but it does not give much flexibility, and moreover I couldn't find a way to make it block multiple 'scan' endpoints, such as xmlrpc.php and wp-login.php, at the same time. This led me to do my own research and create my own way of using fail2ban to block the most common brute-force attacks on WordPress via xmlrpc and wp-login.
First, install fail2ban from the panel and get it running. Do not create any website entry in it; leave the sshd and ftpd protections enabled if you need them.
Second, open up your SSH session and we will go through the standard way fail2ban works.
We have two directories that we're interested in:
/etc/fail2ban/jail.d/ - this is the directory that configures our ban rules (jails)
/etc/fail2ban/filter.d/ - this is the directory where we describe what to search for in the log files (using regular expressions)
Let's take a look at some sample configurations:
/etc/fail2ban/jail.d/yourwebsite.conf
[yourwebsite]
enabled = true
port = http,https
filter = yourwebsite
action = %(action_mwl)s
logpath = /www/wwwlogs/yourwebsite.com.log
maxretry = 2
findtime = 10800
bantime = 86400
The configs are pretty self-explanatory: set the right logpath for your preferred website, and rename the filter and the [yourwebsite] section header on the first line to match. You can change the findtime and bantime settings to fit your needs.
findtime is how far back in time fail2ban looks in the log when counting attempts
maxretry is how many attempts are allowed before fail2ban bans the host
bantime is how long the ban lasts, obviously
/etc/fail2ban/filter.d/yourwebsite.conf
[Definition]
failregex = ^<HOST> .* "POST .*wp-login.php
            ^<HOST> .* "POST .*xmlrpc.php
ignoreregex =
Where "yourwebsite" serves as the domain or name of your rule. I prefer to name them after the websites so I don't get confused as time goes on and I have more websites on my aaPanel.
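To sanity-check the filter before trusting it, here is a small added Python emulation (my own, not part of the original post or of fail2ban) that applies the two failregex lines and the maxretry/findtime logic of the jail to a few constructed access-log lines; the IPv4 group standing in for <HOST> and the sample lines are assumptions.

```python
import re
from datetime import datetime, timedelta

# The two failregex lines from the filter above. fail2ban substitutes <HOST>
# with its own host-matching group; an IPv4 group stands in for it here.
FAILREGEX = [
    r'^<HOST> .* "POST .*wp-login.php',
    r'^<HOST> .* "POST .*xmlrpc.php',
]
HOST_RE = r'(?P<host>\d{1,3}(?:\.\d{1,3}){3})'
PATTERNS = [re.compile(p.replace('<HOST>', HOST_RE)) for p in FAILREGEX]
TS_RE = re.compile(r'\[([^\]]+)\]')  # the [10/Oct/2023:13:55:01 +0000] field
MAXRETRY = 2      # jail settings from the sample jail.d configuration above
FINDTIME = 10800  # seconds

# Constructed sample access-log lines (combined log format), not real traffic.
# 203.0.113.7 POSTs to both endpoints within seconds; 198.51.100.9 makes one
# harmless GET and two POSTs almost five hours apart, i.e. outside findtime.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 42 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:09:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:56:00 +0000] "GET /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:57:00 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
"""

def match_failure(line):
    """Return the host of a line matching any failregex, else None."""
    for pat in PATTERNS:
        m = pat.search(line)
        if m:
            return m.group('host')
    return None

def banned_hosts(log_text, maxretry=MAXRETRY, findtime=FINDTIME):
    """Emulate the jail: ban a host once maxretry matches fall within findtime."""
    recent = {}  # host -> timestamps of matching requests inside the window
    banned = set()
    for line in log_text.splitlines():
        host = match_failure(line)
        if host is None:
            continue
        ts = datetime.strptime(TS_RE.search(line).group(1), '%d/%b/%Y:%H:%M:%S %z')
        window = [t for t in recent.get(host, []) if ts - t <= timedelta(seconds=findtime)]
        window.append(ts)
        recent[host] = window
        if len(window) >= maxretry:
            banned.add(host)
    return banned
```

On the server itself, fail2ban-regex /www/wwwlogs/yourwebsite.com.log /etc/fail2ban/filter.d/yourwebsite.conf performs the same matching check against the real log.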
After creating the two configurations, we should restart fail2ban:
service fail2ban restart
Be sure that it throws no errors after the restart:
service fail2ban status
Then we can monitor our fail2ban log using:
tail -f /var/log/fail2ban.log
To check the status of our newly created rule:
fail2ban-client status yourwebsite
To remove a rule, just remove both files we created:
rm /etc/fail2ban/jail.d/yourwebsite.conf
rm /etc/fail2ban/filter.d/yourwebsite.conf
Please keep in mind I am not a professional Linux administrator of any kind, so use this at your own risk. I'll be happy if I have made mistakes and get corrected.
Happy banning!