Fail2ban helps mitigate brute-force attempts by banning abusive IPs based on log patterns.
Prerequisites
- Ubuntu LTS
- Root or sudo access
- Apache access/error logs enabled
Install
sudo apt install -y fail2ban
Enable
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
Important warning
Don’t enable aggressive HTTP jails until you’ve validated logs and false positives. It’s easy to block legitimate users.
Configure jail.local
Create or edit:
/etc/fail2ban/jail.local
Minimum baseline:
- SSH jail
- Optional WordPress login jail (below)
Example: basic WordPress login jail
This is a starting point and may need tuning depending on your log format.
[wordpress-login]
enabled = true
port = http,https
filter = wordpress-login
logpath = /var/log/apache2/access.log
maxretry = 10
findtime = 600
bantime = 3600
Example filter (minimal)
Create:
/etc/fail2ban/filter.d/wordpress-login.conf
With a minimal pattern (adjust for your log format):
[Definition]
failregex = ^<HOST> .* "POST /wp-login\.php
Trusted IPs
In your jail config, keep an allowlist for known safe IPs:
ignoreip = 127.0.0.1/8 <trusted_ip>
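To validate the jail before enabling it, as the warning above advises, this added example (not part of the original guide or of Fail2ban itself) approximates how the wordpress-login jail counts matches, using the maxretry, findtime and ignoreip values shown above. It assumes Apache combined log format; the function names, the sample log lines and 192.0.2.10 as the trusted IP are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from ipaddress import ip_address, ip_network

# The page's filter, anchored at line start; <HOST> is approximated by a non-space token.
FAILREGEX = re.compile(r'^(?P<host>\S+) .* "POST /wp-login\.php')
TIMESTAMP = re.compile(r'\[([^\]]+)\]')
MAXRETRY, FINDTIME = 10, 600  # values from the jail above
# 127.0.0.1/8 from the page; 192.0.2.10 is a placeholder for <trusted_ip>.
IGNOREIP = [ip_network("127.0.0.0/8"), ip_network("192.0.2.10/32")]

def would_ban(lines, maxretry=MAXRETRY, findtime=FINDTIME, ignoreip=IGNOREIP):
    """Return {ip: time} for hosts reaching maxretry matches within findtime seconds."""
    hits, banned = defaultdict(deque), {}
    for line in lines:
        m, ts = FAILREGEX.search(line), TIMESTAMP.search(line)
        if not m or not ts:
            continue
        host = m.group("host")
        try:
            addr = ip_address(host)
        except ValueError:
            continue  # first field is not an IP (e.g. a vhost-prefixed log format)
        if host in banned or any(addr in net for net in ignoreip):
            continue
        when = datetime.strptime(ts.group(1), "%d/%b/%Y:%H:%M:%S %z")
        window = hits[host]
        window.append(when)
        while (when - window[0]).total_seconds() > findtime:
            window.popleft()  # drop matches older than findtime
        if len(window) >= maxretry:
            banned[host] = when
    return banned

def sample_log():
    """Constructed Apache combined-format lines, not real traffic."""
    fmt = '{ip} - - [10/Mar/2024:10:{m:02d}:{s:02d} +0000] "{req} HTTP/1.1" 200 512 "-" "-"'
    post, get = "POST /wp-login.php", "GET /wp-login.php"
    lines = [fmt.format(ip="203.0.113.5", m=0, s=i * 5, req=post) for i in range(10)]   # fast burst
    lines += [fmt.format(ip="198.51.100.7", m=i * 2, s=0, req=post) for i in range(10)]  # slow, spread out
    lines += [fmt.format(ip="192.0.2.10", m=1, s=i, req=post) for i in range(12)]        # allowlisted
    lines += [fmt.format(ip="203.0.113.9", m=2, s=i, req=get) for i in range(12)]        # GETs do not match
    return lines

if __name__ == "__main__":
    for ip, when in would_ban(sample_log()).items():
        print(f"{ip} would be banned at {when.isoformat()}")
```

Feed it lines from your own access log instead of `sample_log()` to see which addresses the current thresholds would ban, and compare that list against known legitimate users before enabling the jail.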
Related
- Fail2ban jail for WordPress login brute-force protection — WordPress-specific wp-login jail
- Essential security hardening for self-hosted WordPress on Ubuntu — full hardening guide