[INCLUDES]
before = common.conf
after = fail2wp.local

# This filter is intended to be used with fail2ban and the Fail2WP plugin.
#
# This file should be placed in /etc/fail2ban/filter.d as fail2wp.conf
#
# I'm by no means a fail2ban filter expert, so I'm sure this could do with some
# improvements. It has been tested with fail2ban 0.11.1 on Ubuntu 20.04.LTS and
# Ubuntu 22.04.LTS.
#
# ADVANCED: You may, of course, split these into several different jails and
#           triggers and give them different treatment in fail2ban so that some
#           of the log messages trigger one behavior in fail2ban, and others
#           are ignored or behave differently.
#
# Joaquim Homrighausen <joho@webbplatsen.se>
#
# The intended log messages to trigger fail2ban on are:
#
# @since 1.0.0
#
# Authentication failure for validuser from n.n.n.n port 443
# Invalid email invalidemail from n.n.n.n port 443
# Invalid user invaliduser from n.n.n.n port 443
# User enumeration request from n.n.n.n port 443
# Invalid credentials invalidlogin from n.n.n.n port 443
#
# @since 1.1.0
#
# Blocked REST API request from n.n.n.n port 443
# Unauthenticated REST API request from n.n.n.n port 443
#
# @since 1.2.0
#
# Blocked login attempt from n.n.n.n port 443
# XMLRPC access attempted from n.n.n.n port 443
#
# Other messages:
#
# The Fail2WP plugin can further emit these messages (no action taken):
#
# Unknown error "nnn" during login from n.n.n.n port nnn
# Successful login for validuser from n.n.n.n port nnn

[Definition]
_daemon = fail2wp
ignoreregex = 127.0.0.1
failregex = fail2wp(.*): Authentication failure for .* from <HOST> port .*$
            fail2wp(.*): Invalid user .* from <HOST> port .*$
            fail2wp(.*): Invalid email .* from <HOST> port .*$
            fail2wp(.*): Invalid credentials .* from <HOST> port .*$
            fail2wp(.*): User enumeration request from <HOST> port .*$
            fail2wp(.*): Blocked REST API request from <HOST> port .*$
            fail2wp(.*): Unauthenticated REST API request from <HOST> port .*$
            fail2wp(.*): Blocked login attempt from <HOST> port .*$
            fail2wp(.*): XMLRPC access attempted from <HOST> port .*$

# Your entry for Fail2WP in jail.local should look like this:
#
# [fail2wp]
# enabled = true
# port = http,https
# bantime = <your.ban.time>
# filter = fail2wp
# logpath = /your/path/to/auth.log
# maxretry = <your.max.retries>
#
# end of file "fail2wp.conf"