Hi, I have my WordPress website login page spammed with login attempts, and I am trying to block these using fail2ban.
The brute force login attempts look like this:

    82.165.197.140 - - [29/Aug/2015:05:35:42 -0400] "POST /wp-login.php HTTP/1.0" 500 251
    82.165.197.140 - - [29/Aug/2015:05:35:42 -0400] "POST /wp-login.php HTTP/1.0" 500 251
    185.73.202.122 - - [29/Aug/2015:05:35:42 -0400] "POST /wp-login.php HTTP/1.0" 200 3587
    82.165.197.140 - - [29/Aug/2015:05:35:43 -0400] "POST /wp-login.php HTTP/1.0" 500 251
    103.26.108.11 - - [29/Aug/2015:05:35:43 -0400] "POST /wp-login.php HTTP/1.0" 301 -
    82.165.197.140 - - [29/Aug/2015:05:35:43 -0400] "POST /wp-login.php HTTP/1.0" 500 251
    82.165.197.140 - - [29/Aug/2015:05:35:44 -0400] "POST /wp-login.php HTTP/1.0" 500 251
    82.165.197.140 - - [29/Aug/2015:05:35:44 -0400] "POST /wp-login.php HTTP/1.0" 500 251
    82.165.197.140 - - [29/Aug/2015:05:35:44 -0400] "POST /wp-login.php HTTP/1.0" 500 251
    82.165.197.140 - - [29/Aug/2015:05:35:45 -0400] "POST /wp-login.php HTTP/1.0" 500 251
    82.165.197.140 - - [29/Aug/2015:05:35:45 -0400] "POST /wp-login.php HTTP/1.0" 500 251

I have the regex "<HOST> .*\"POST [^\"]+\" 500.*" but I don't think it's working, is this right?

Also can I have more than one regex for each jail, like this?

    failregex = <HOST> .*\"POST [^\"]+\" 500.*
    failregex = <HOST> .*\"POST [^\"]+\" 302.*

Thanks,
Edmund

_______________________________________________
Fail2ban-users mailing list
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
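An offline check of the two expressions above against the first five log lines from the post, as an added example that is not part of the original message. It assumes a simplified IPv4-only stand-in for fail2ban's `<HOST>` tag and a hypothetical `maxretry` of 3, and it lists both expressions as separate lines under a single `failregex` value, which is the form in which fail2ban reads multiple expressions.

```python
import re
from collections import Counter

# Simplified stand-in for fail2ban's <HOST> tag (assumption: IPv4 only;
# the real expansion also accepts hostnames and IPv6).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# First five access-log lines copied from the post.
SAMPLE_LOG = """\
82.165.197.140 - - [29/Aug/2015:05:35:42 -0400] "POST /wp-login.php HTTP/1.0" 500 251
82.165.197.140 - - [29/Aug/2015:05:35:42 -0400] "POST /wp-login.php HTTP/1.0" 500 251
185.73.202.122 - - [29/Aug/2015:05:35:42 -0400] "POST /wp-login.php HTTP/1.0" 200 3587
82.165.197.140 - - [29/Aug/2015:05:35:43 -0400] "POST /wp-login.php HTTP/1.0" 500 251
103.26.108.11 - - [29/Aug/2015:05:35:43 -0400] "POST /wp-login.php HTTP/1.0" 301 -
"""

# One failregex value holding several expressions, one per line.
FAILREGEX = r'''
<HOST> .*\"POST [^\"]+\" 500.*
<HOST> .*\"POST [^\"]+\" 302.*
'''

def compile_failregex(value):
    """Split a multi-line failregex value and expand <HOST> in each line."""
    return [re.compile(line.strip().replace("<HOST>", HOST))
            for line in value.splitlines() if line.strip()]

def count_failures(log_text, patterns):
    """Return a Counter of host -> number of lines matched by any pattern."""
    hits = Counter()
    for line in log_text.splitlines():
        for pat in patterns:
            m = pat.search(line)
            if m:
                hits[m.group("host")] += 1
                break  # count a line once even if several patterns match
    return hits

def hosts_to_ban(hits, maxretry):
    """Hosts whose failure count reaches maxretry (hypothetical threshold)."""
    return sorted(h for h, n in hits.items() if n >= maxretry)

if __name__ == "__main__":
    hits = count_failures(SAMPLE_LOG, compile_failregex(FAILREGEX))
    print(dict(hits), hosts_to_ban(hits, maxretry=3))
```

On a host with fail2ban installed, `fail2ban-regex` runs a filter against a real log file and reports the matched lines.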
