• Resolved wp_kc

    (@wp_kc)


    I googled for this and only found mentions that such a thing was possible, but no solution. So I threw this together and it seems to be working, but maybe someone who is more of an expert on Fail2Ban could make it more efficient. This is for Ubuntu 12.04 LTS; directory structure may need to be adjusted for other distributions.

    Procedure:
    Turn on brute force login protection on the NinjaFirewall | Log-in Protection settings page. Checkmark the Write incident to the server AUTH log. option. Save your settings.

    Next, ssh into your web server (assuming you have Fail2Ban already installed and working) and create a new recipe file with

    sudo vi /etc/fail2ban/filter.d/wordpress-ninjafw.conf
    Insert the following text…

    [INCLUDES]
    before = common.conf
    
    [Definition]
    _daemon = wordpress-ninjafw
    failregex = ^.* ninjafirewall\[.*\]: Possible brute-force attack from <HOST> on
    ignoreregex =

    Next, turn on the filter by editing or creating a jail.local file with…
    vi /etc/fail2ban/jail.local
    and insert the following text…

    [wordpress-ninjafw]
    enabled = true
    filter = wordpress-ninjafw
    logpath = /var/log/auth.log
    port = http,https

    Finally, restart fail2ban with…
    sudo service fail2ban restart

    https://www.ads-software.com/plugins/ninjafirewall/

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author nintechnet

    (@nintechnet)

    Thanks for sharing!

    Thread Starter wp_kc

    (@wp_kc)

    You're welcome! Thanks for such a great WP firewall.

    Here is an update that is a bit more integrated with Fail2Ban…

    Instead of calling the filter conf file wordpress-ninjafw.conf, I changed it to ninjafirewall.conf. Here is the procedure now…

    Create a filter called ninjafirewall.conf with the following command and include the following text in it…
    sudo vi /etc/fail2ban/filter.d/ninjafirewall.conf

    [INCLUDES]
    after = common.conf
    
    [Definition]
    _daemon = ninjafirewall
    failregex = ^.* %(__daemon_combs_re)s Possible brute-force attack from <HOST> on
    ignoreregex =

    Add the following text to the end of the jail.local file…
    sudo vi /etc/fail2ban/jail.local

    [ninjafirewall]
    enabled = true
    port = all
    filter = ninjafirewall
    logpath = /var/log/auth.log
    maxretry = 2

    Restart the service…
    sudo service fail2ban restart

    To test the setup, run this command…
    sudo fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/ninjafirewall.conf

    If there are any entries from NinjaFirewall in the auth.log file fail2ban-regex will show you the number of matches.

    If there are any IP addresses that are currently banned you can see them by running this command…
    sudo iptables -L
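
An offline approximation of what this recipe does, added here as an example and not part of the thread or of Fail2Ban's own code: it applies the first post's failregex to constructed auth.log lines and counts matches per address the way the jail's maxretry = 2 would. The IPv4-only `<HOST>` stand-in, the sample lines, and the 600-second findtime (the thread does not set one) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# failregex copied verbatim from the first post's filter file.
FAILREGEX = r"^.* ninjafirewall\[.*\]: Possible brute-force attack from <HOST> on"

# Assumption: simplified IPv4-only stand-in for Fail2Ban's <HOST> tag.
HOST_RE = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"

# Constructed sample auth.log lines (not real NinjaFirewall output); the text
# after "on" is a placeholder, since the filter does not look past that word.
SAMPLE_LOG = """\
Mar 10 14:02:11 web1 ninjafirewall[2231]: Possible brute-force attack from 203.0.113.45 on example.com
Mar 10 14:02:40 web1 ninjafirewall[2231]: Possible brute-force attack from 203.0.113.45 on example.com
Mar 10 14:03:02 web1 sshd[1990]: Accepted publickey for deploy from 198.51.100.7 port 50122 ssh2
Mar 10 14:05:19 web1 ninjafirewall[2240]: Possible brute-force attack from 198.51.100.23 on example.com
Mar 10 14:30:00 web1 ninjafirewall[2250]: Possible brute-force attack from 198.51.100.23 on example.com
""".splitlines()


def matches(lines, failregex=FAILREGEX):
    """Yield (timestamp, ip) for every line the failregex matches."""
    pattern = re.compile(failregex.replace("<HOST>", HOST_RE))
    for line in lines:
        m = pattern.search(line)
        if m:
            # Syslog timestamps carry no year; only differences matter here.
            yield datetime.strptime(line[:15], "%b %d %H:%M:%S"), m.group("host")


def would_ban(lines, maxretry=2, findtime=600):
    """Return IPs with at least maxretry matches inside a findtime-second window."""
    seen = defaultdict(list)
    banned = []
    for ts, ip in matches(lines):
        # Keep only this IP's earlier hits that are still inside the window.
        recent = [t for t in seen[ip] if (ts - t).total_seconds() <= findtime]
        recent.append(ts)
        seen[ip] = recent
        if len(recent) >= maxretry and ip not in banned:
            banned.append(ip)
    return banned


if __name__ == "__main__":
    for ts, ip in matches(SAMPLE_LOG):
        print(ts.strftime("%H:%M:%S"), ip)
    print("would ban:", would_ban(SAMPLE_LOG))
```

On a real server, `fail2ban-regex` against the actual auth.log remains the authoritative check, because the installed Fail2Ban version decides how `<HOST>` and the common.conf variables expand.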

  • The topic ‘Fail2Ban recipe for Ninjafirewall’ is closed to new replies.