I am trying different things but I am still not satisfied with the outcomes. I have not had the time though.
To configure the jails, the logfiles are:
/var/log/apache2/domains/*.log
/var/log/nginx/domains/*.log
Filter example:
[Definition]
failregex = ^<HOST> .* "POST .*wp-login.php
            ^<HOST> .* "POST .*xmlrpc.php
ignoreregex =
You can find a more comprehensive filter here:
https://www.sololinux.es/proteger-wordpress-con-fail2ban/
There is also one filter that I am trying: Ban bots and DDOS
This jail needs to be adapted to look into the nginx logs.
Jail:
[http-get-dos]
enabled = true
port = http,https
filter = http-get-dos
logpath = /var/log/apache*/*access.log
maxretry = 300
findtime = 300
bantime = 600
action = iptables[name=HTTP, port=http, protocol=tcp]
Filter: http-get-dos.conf
Note: This regex will match any GET entry in your logs, so basically all valid and invalid entries are a match.
You should set the maxretry and findtime carefully in the jail.conf file in order to avoid false positives.
[Definition]
failregex = ^<HOST> -.*(GET|POST|HEAD).*
#ignoreregex = ^<HOST> -.*"GET.*HTTP.*Googlebot/2\.1.*"$
ignoreregex =
Set up multiple recidive rules in cascade
https://www.burlutsky.su/security/fail2ban-re-ban-hackers/
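Added example (not from the post above or from fail2ban itself): a small Python harness that runs the two failregex sets from the post over a handful of constructed combined-format log lines, the way you would with fail2ban-regex, so you can see how many failures each client address accumulates before touching maxretry/findtime. It assumes an IPv4-only stand-in for fail2ban's <HOST> substitution and a GET-only Googlebot ignoreregex copied from the commented line in http-get-dos.conf; the log lines are made up, not real traffic.

```python
import re
from collections import Counter

# fail2ban replaces <HOST> with its own address-matching group (IPv4, IPv6, hostnames).
# Assumption for this stand-alone example: a simplified IPv4-only pattern instead.
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The two filters from the post, one failregex line per list entry.
WP_LOGIN_FAILREGEX = [
    r'^<HOST> .* "POST .*wp-login.php',
    r'^<HOST> .* "POST .*xmlrpc.php',
]
HTTP_DOS_FAILREGEX = [r'^<HOST> -.*(GET|POST|HEAD).*']

# The ignoreregex that is commented out in http-get-dos.conf.
GOOGLEBOT_IGNOREREGEX = [r'^<HOST> -.*"GET.*HTTP.*Googlebot/2\.1.*"$']

# Constructed sample lines in Apache/nginx "combined" log format (not real traffic).
SAMPLE_LOG = [
    '203.0.113.10 - - [01/Jan/2024:10:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3211 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [01/Jan/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3211 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [01/Jan/2024:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2024:10:00:03 +0000] "GET /wp-login.php HTTP/1.1" 200 3211 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 8800 "-" "Mozilla/5.0"',
    '192.0.2.55 - - [01/Jan/2024:10:00:05 +0000] "GET /robots.txt HTTP/1.1" 200 0 "-" "Googlebot/2.1"',
]


def compile_failregex(patterns):
    """Turn fail2ban-style regex lines into compiled Python regexes."""
    return [re.compile(p.replace("<HOST>", HOST_RE)) for p in patterns]


def match_lines(patterns, log_lines, ignore=()):
    """Return [(host, line)] for every line that a failregex matches and no
    ignoreregex matches, mirroring fail2ban's one-failure-per-line counting."""
    fail_rx = compile_failregex(patterns)
    ignore_rx = compile_failregex(ignore)
    hits = []
    for line in log_lines:
        if any(rx.search(line) for rx in ignore_rx):
            continue  # ignoreregex wins over failregex
        for rx in fail_rx:
            m = rx.search(line)
            if m:
                hits.append((m.group("host"), line))
                break  # count a line once even if several failregex match it
    return hits


def failures_per_host(patterns, log_lines, ignore=()):
    """Failures per client address, i.e. the number maxretry is compared against."""
    return Counter(host for host, _ in match_lines(patterns, log_lines, ignore))


def hosts_over_threshold(patterns, log_lines, maxretry, ignore=()):
    """Hosts that would be banned if all these lines fall inside one findtime window."""
    counts = failures_per_host(patterns, log_lines, ignore)
    return sorted(h for h, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    print("wp-login filter:", dict(failures_per_host(WP_LOGIN_FAILREGEX, SAMPLE_LOG)))
    print("http-get-dos filter:", dict(failures_per_host(HTTP_DOS_FAILREGEX, SAMPLE_LOG)))
    print("http-get-dos with Googlebot ignoreregex:",
          dict(failures_per_host(HTTP_DOS_FAILREGEX, SAMPLE_LOG, GOOGLEBOT_IGNOREREGEX)))
    print("banned at maxretry=3 (wp-login):",
          hosts_over_threshold(WP_LOGIN_FAILREGEX, SAMPLE_LOG, 3))
```

Running it shows the point made in the note above: the wp-login filter only counts the POSTs from 203.0.113.10, while the http-get-dos filter counts every request from every address, so maxretry for that jail has to sit well above a real visitor's request rate within findtime, and the ignoreregex is the only thing keeping a crawler out of the count.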