
Fail2Ban
1 Introduction
One problem, one article, one story.
Following on from the last time I used Fail2Ban against a batch of WordPress attackers, today I noticed the server CPU was again above 90%. Checking the Nginx log, I found a large number of lines like the following:
221.235.209.26 - - [20/Aug/2025:04:08:21 +0800] "POST /wp-login.php HTTP/1.1" 200 11991 "-" "Mozilla/5.0" "221.235.209.26"
221.235.209.26 - - [20/Aug/2025:04:08:21 +0800] "POST /wp-login.php HTTP/1.1" 200 11999 "-" "Mozilla/5.0" "-"
Judging by this, the attacker is not giving up, so I need to extend the ban definitions to fit the specific situation.
2 Best practice
2.1 Environment setup
2.2 Configuring Fail2Ban
2.2.1 Create the filter rule
vim /etc/fail2ban/filter.d/wordpress-200.conf
Add the following configuration:
[Definition]
failregex = ^<HOST> -.*"POST /wp-login.php HTTP/1.1" 200.*$
Then you can verify the rule against the live log with the following command:
fail2ban-regex --print-all-matched /var/log/nginx/access.log /etc/fail2ban/filter.d/wordpress-200.conf
2.2.2 Define the jail configuration
vim /etc/fail2ban/jail.d/wordpress-200.local
Add the following configuration:
[wordpress-200]
enabled = true
port = http,https
filter = wordpress-200
logpath = /var/log/nginx/access.log
maxretry = 10
findtime = 5m
bantime = 24h
After changing the configuration, restart the service for it to take effect:
systemctl restart fail2ban.service
systemctl status fail2ban.service
2.2.3 Check the jail status
fail2ban-client status wordpress-200
You should see output like the following:
Status for the jail: wordpress-200
|- Filter
|  |- Currently failed: 1
|  |- Total failed:     124
|  `- File list:        /var/log/nginx/access.log
`- Actions
   |- Currently banned: 5
   |- Total banned:     5
   `- Banned IP list:   27.22.92.22 27.22.93.253 116.208.102.10 27.29.147.82 116.208.48.131
2.2.4 Check the firewall status
iptables -L -v -n
You should see output like the following:
#...
Chain f2b-wordpress-200 (1 references)
 pkts bytes target     prot opt in     out     source               destination
  121  5600 REJECT     all  --  *      *       116.208.48.131       0.0.0.0/0            reject-with icmp-port-unreachable
  310 54840 REJECT     all  --  *      *       27.29.147.82         0.0.0.0/0            reject-with icmp-port-unreachable
  338 56828 REJECT     all  --  *      *       116.208.102.10       0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       27.22.93.253         0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       27.22.92.22          0.0.0.0/0            reject-with icmp-port-unreachable
29795   73M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
2.2.5 Manually check the log
tail -f /var/log/nginx/access.log | grep wp-login.php
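To see what the filter and jail above actually do before relying on them, here is an added Python example (not code from this post or from the Fail2Ban project) that applies the post's failregex to constructed nginx log lines and replays the jail's maxretry/findtime sliding window to decide which hosts would be banned. It expands fail2ban's <HOST> placeholder to an IPv4-only group (an assumption of the example; the real <HOST> also matches IPv6 and hostnames), and the sample addresses and timestamps are constructed. One check worth keeping in mind: WordPress answers a failed wp-login.php POST with 200 (it re-renders the form) and a successful login with a 302 redirect, so matching on status 200 counts failures without catching legitimate logins.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# The post's failregex, with fail2ban's <HOST> placeholder expanded to a named
# group for an IPv4 address. (fail2ban's real <HOST> also matches IPv6 and
# hostnames; the IPv4-only form is a simplification made by this example.)
FAILREGEX = r'^(?P<host>\d{1,3}(?:\.\d{1,3}){3}) -.*"POST /wp-login.php HTTP/1.1" 200.*$'
FAIL_RE = re.compile(FAILREGEX)

# Timestamp in square brackets, as nginx's default log format writes it.
TIME_RE = re.compile(r'\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# The line quoted in the post.
POST_LINE = ('221.235.209.26 - - [20/Aug/2025:04:08:21 +0800] '
             '"POST /wp-login.php HTTP/1.1" 200 11991 "-" "Mozilla/5.0" "221.235.209.26"')


def match_line(line):
    """Return (host, timestamp) when the line matches the filter, else None."""
    m = FAIL_RE.match(line)
    if not m:
        return None
    t = TIME_RE.search(line)
    if not t:
        return None
    return m.group("host"), datetime.strptime(t.group(1), TIME_FMT)


def find_bans(lines, maxretry=10, findtime=timedelta(minutes=5)):
    """Replay log lines in order and return the hosts the jail would ban.

    A host is banned once it has `maxretry` matches whose timestamps fall
    inside a sliding window of `findtime`, mirroring the jail settings
    from the post (maxretry = 10, findtime = 5m).
    """
    recent = defaultdict(deque)  # host -> timestamps of its recent matches
    banned = []
    for line in lines:
        hit = match_line(line)
        if hit is None:
            continue
        host, ts = hit
        if host in banned:
            continue
        window = recent[host]
        window.append(ts)
        # Drop matches older than findtime relative to the newest one.
        while ts - window[0] > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned.append(host)
    return banned


# --- constructed sample log (not real traffic) -----------------------------
CST = timezone(timedelta(hours=8))
T0 = datetime(2025, 8, 20, 4, 0, 0, tzinfo=CST)


def make_line(ip, when, request="POST /wp-login.php HTTP/1.1", status=200):
    """Build one nginx access-log line in the format shown in the post."""
    return (f'{ip} - - [{when.strftime(TIME_FMT)}] "{request}" {status} '
            f'11991 "-" "Mozilla/5.0" "-"')


SAMPLE_LOG = []
# 198.51.100.7: 12 failed logins within two minutes -> reaches maxretry inside findtime.
for i in range(12):
    SAMPLE_LOG.append(make_line("198.51.100.7", T0 + timedelta(seconds=10 * i)))
# 203.0.113.5: 12 failed logins one minute apart -> never 10 inside any 5-minute window.
for i in range(12):
    SAMPLE_LOG.append(make_line("203.0.113.5", T0 + timedelta(minutes=i)))
# 192.0.2.9: a successful login (WordPress answers 302) and a page view -> no matches.
SAMPLE_LOG.append(make_line("192.0.2.9", T0 + timedelta(minutes=1), status=302))
SAMPLE_LOG.append(make_line("192.0.2.9", T0 + timedelta(minutes=2), request="GET / HTTP/1.1"))

if __name__ == "__main__":
    print("post line matches as:", match_line(POST_LINE))
    print("hosts the jail would ban:", find_bans(SAMPLE_LOG))
```

Lowering maxretry to 5 in `find_bans` also bans the slow host, which is a quick way to feel how findtime and maxretry trade off against each other before editing the jail file.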
References
====================
https://github.com/fail2ban/fail2ban/wiki/Developing-Regex-in-Fail2ban
https://wangdoc.com/ssh/fail2ban