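# as the root user
# /etc/fail2ban/jail.d
# nano wordpress.local
[wordpress-scanner]
enabled = true
filter = wordpress-scanner
# glob: one nginx access log per vhost user under /home
logpath = /home/*/logs/nginx/access.log
# a single matching request is enough to ban; the wordpress-scanner filter
# also matches wp-login.php and ?author= requests, so admin addresses should
# be excluded with ignoreip before this jail goes live
maxretry = 1
# seconds (7 days)
bantime = 604800
# repeat offenders get a longer ban each time (needs a fail2ban release
# with incremental banning, 0.11+); bantime.factor is a multiplier in that
# growth formula - confirm the exact formula in your release's jail.conf
bantime.increment = true
bantime.factor = 2
# seconds (1 hour): window in which maxretry matches are counted
findtime = 3600
port = http,https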
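# filter definitions live in /etc/fail2ban/filter.d
cd /etc/fail2ban/filter.d
nano wordpress-scanner.conf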
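# /etc/fail2ban/filter.d
# nano wordpress-scanner.conf
[Definition]
# Combined: .env scanners + WordPress probes + phpinfo + setup-config.
# NOTE(review): wp-login.php, ?author=N and wp-json/wp/v2/users are also
# requested by legitimate visitors and admins, and \.env also matches paths
# such as foo.environment.js; with maxretry = 1 in the jail one such request
# is a 7-day ban. Drop those alternatives on sites that use them, or list
# admin addresses in the jail's ignoreip.
failregex = ^<HOST> .* "(GET|POST) .*(\.env|\.env\.example|\.env\.backup|phpinfo|php_info|xmlrpc\.php|wp-json/wp/v2/users|\?author=\d+|setup-config\.php|_profiler/phpinfo|\.git/|wp-login\.php|info\.php).*" \d+ \d+.*$
# Optional: ignore legitimate WordPress admin-ajax requests.
# The path is anchored directly after the method so that the string
# admin-ajax.php appearing elsewhere in the request line (e.g. in a query
# string) no longer suppresses a failregex match; [^ ?"]* still allows
# WordPress installed in a subdirectory.
ignoreregex = ^<HOST> .* "(GET|POST) [^ ?"]*wp-admin/admin-ajax\.php(\?[^ "]*)? HTTP/[0-9.]+" .*$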
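# test whether the configuration parses (-t is the short form of --test)
fail2ban-client -t
# Show what is generally being attacked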
# which vhost access logs contain .env / phpinfo probes (-l prints file names only)
find /home/*/logs/nginx -name 'access.log' -exec grep -lE '\.env|phpinfo' {} +
/home/changetrackers-dev/logs/nginx/access.log
/home/fastpage/logs/nginx/access.log
/home/gwsite-blocks/logs/nginx/access.log
/home/gwsite-danz/logs/nginx/access.log
/home/gwsite-fast/logs/nginx/access.log
/home/gwsite-styleguide/logs/nginx/access.log
/home/gwsite-younique/logs/nginx/access.log
/home/p4athletes/logs/nginx/access.log
/home/perro-club/logs/nginx/access.log
Liste alle Angriffe auf env und phpinfo für alles aus
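# first 20 .env / phpinfo probe lines across all vhosts
# -H always prefixes the file name, even when the glob expands to a single log
grep -HE '\.env|phpinfo' /home/*/logs/nginx/access.log | head -20
# Count attacks per site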
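# attacks per site: number of matching lines per access log
# -H forces the "file:" prefix so cut -d: -f1 yields the file name even when
# the glob matches only one log (otherwise the first field would be the log
# line up to the first colon of its timestamp)
grep -HE '\.env|phpinfo' /home/*/logs/nginx/access.log | cut -d: -f1 | sort | uniq -c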