• Hi,

    I would like to use the records in ithemes-security/logs/,
    which document, in files with names such as:
    event-log-example-m6MrNMiCBbC23aU5BiSvXOSp5NQkP1.log
    various events that the ithemes-security plugin blocked.

    Rules are hopefully to be set in a manner similar to the one listed below:

    
    # cd /etc/fail2ban/filter.d/
    
    
    # touch ithemes-forbidden.conf
    
    
    # vi ithemes-forbidden.conf
    
    
    [Definition]
    failregex = ^<HOST> <-- here should come some regex ruleset to catch blocking event according to the way they are logged in the ithemes logs
    
    
    # cd /etc/fail2ban/jail.d
    
    
    # touch ithemes-forbidden.conf
    
    
    # vi ithemes-forbidden.conf
    
    
    [ithemes-forbidden]
    enabled = true
    filter = ithemes-forbidden
    backend = polling
    logpath = /var/www/vhosts/system/example.com/wp-content/uploads/ithemes-security/logs/*.log
    
    bantime  = 48h
    maxretry = 1
    findtime = 9600
    port = http,https,7080,7081
    banaction = iptables-multiport
    action = iptables-multiport[name=apache, port="http,https,7080,7081"]
    

    *****************************************************************

    So my main question would be: what would be a suitable regex to “collect” the IPs from the blocking events in the log files?

    • This topic was modified 2 years, 12 months ago by ziegel.
  • The topic ‘Creating a Fail2Ban Rule to use ithemes-security logs’ is closed to new replies.