The project's description says:
The Fail2Log extension creates a log file containing IP addresses of IPs that tried to log in with an incorrect username and/or password.
Fake logins with usernames and passwords are not the problem we experience.
We experience the problem shown below. They are probes from hosts looking for vulnerable components.
# cat /var/log/apache2/access.log | grep wp-login.php
117.186.248.5 - - [30/Mar/2021:04:38:32 +0000] "GET /wp-login.php HTTP/1.1" 404 437 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:78.0) Gecko/20100101 Firefox/78.0"
46.11.72.15 - - [30/Mar/2021:06:51:02 +0000] "GET /wp-login.php HTTP/1.1" 404 491 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
47.114.185.232 - - [30/Mar/2021:12:31:12 +0000] "GET /wp-login.php HTTP/1.1" 404 437 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:78.0) Gecko/20100101 Firefox/78.0"
35.213.170.208 - - [30/Mar/2021:14:56:35 +0000] "GET /wp-login.php HTTP/1.1" 404 458 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
145.239.29.217 - - [30/Mar/2021:16:06:10 +0000] "GET /wp-login.php HTTP/1.1" 404 458 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
162.253.71.214 - - [30/Mar/2021:21:43:20 +0000] "GET /wp-login.php HTTP/1.1" 404 279
188.70.42.214 - - [30/Mar/2021:21:59:11 +0000] "GET /wp-login.php HTTP/1.1" 404 275
We would like to ban hosts that are trying to break in through known vulnerabilities, like those in WordPress. We would also like to ban the entire netblock. We find there will be a dozen or so hosts from a netblock acting together (a distributed attack). We also find most of the attacks stem from China and the former Soviet Union.
Is it possible to ban hosts based on break-in attempts like using wp-login.php? If so, how do we do it?
Thanks in advance.
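The following is an added example, not part of the original post and not code from the Fail2Log or fail2ban projects. It shows the two pieces the question asks for: a fail2ban filter and jail that ban any client requesting wp-login.php (or xmlrpc.php) from the Apache access log, and a small shell check that applies the same pattern to sample log lines and groups the offending hosts by /24 so you can see which netblocks are probing together. The sample log is constructed here: the seven lines from the post plus a few made-up entries from the documentation range 203.0.113.0/24 and one benign request. The filter and jail names (apache-wp-probe), the thresholds, and the output directory are assumptions; adjust them to taste.

```shell
#!/bin/sh
# Added example (not from the original post): fail2ban filter + jail for
# wp-login.php / xmlrpc.php probes, and a /24 aggregation check.

# Constructed sample log: the seven probe lines from the post, three made-up
# probes from 203.0.113.0/24 (a reserved documentation range), and one
# legitimate request that must NOT match.
SAMPLE_LOG='117.186.248.5 - - [30/Mar/2021:04:38:32 +0000] "GET /wp-login.php HTTP/1.1" 404 437 "-" "Mozilla/5.0"
46.11.72.15 - - [30/Mar/2021:06:51:02 +0000] "GET /wp-login.php HTTP/1.1" 404 491 "-" "Mozilla/5.0"
47.114.185.232 - - [30/Mar/2021:12:31:12 +0000] "GET /wp-login.php HTTP/1.1" 404 437 "-" "Mozilla/5.0"
35.213.170.208 - - [30/Mar/2021:14:56:35 +0000] "GET /wp-login.php HTTP/1.1" 404 458 "-" "Mozilla/5.0"
145.239.29.217 - - [30/Mar/2021:16:06:10 +0000] "GET /wp-login.php HTTP/1.1" 404 458 "-" "Mozilla/5.0"
162.253.71.214 - - [30/Mar/2021:21:43:20 +0000] "GET /wp-login.php HTTP/1.1" 404 279
188.70.42.214 - - [30/Mar/2021:21:59:11 +0000] "GET /wp-login.php HTTP/1.1" 404 275
203.0.113.5 - - [30/Mar/2021:22:01:00 +0000] "GET /wp-login.php HTTP/1.1" 404 275
203.0.113.6 - - [30/Mar/2021:22:01:03 +0000] "POST /wp-login.php HTTP/1.1" 404 275
203.0.113.7 - - [30/Mar/2021:22:01:05 +0000] "POST /xmlrpc.php HTTP/1.1" 404 275
198.51.100.9 - - [30/Mar/2021:22:05:00 +0000] "GET /index.html HTTP/1.1" 200 1024'

# Same pattern as the fail2ban failregex below, with <HOST> replaced by an
# IPv4 literal so grep -E can run it locally (IPv6 omitted for brevity).
PROBE_RE='^[0-9.]+ -.*"(GET|POST|HEAD) /(wp-login\.php|xmlrpc\.php)'

# Print the client IP of every log line (stdin) that matches the probe pattern.
probe_ips() {
    grep -E "$PROBE_RE" | awk '{ print $1 }'
}

# Group distinct probing IPs by /24 and print "a.b.c.0/24 N" for every block
# with at least $1 distinct hosts (default 3). This is the "dozen hosts from
# one netblock" signal the post describes.
netblocks() {
    min="${1:-3}"
    probe_ips | sort -u | awk -F. -v min="$min" '
        { key = $1 "." $2 "." $3 ".0/24"; n[key]++ }
        END { for (k in n) if (n[k] >= min) print k, n[k] }' | sort
}

# Write the fail2ban filter and jail into $1 (use /etc/fail2ban on a real host).
write_fail2ban_config() {
    dir="$1"
    mkdir -p "$dir/filter.d" "$dir/jail.d"
    cat > "$dir/filter.d/apache-wp-probe.conf" <<'EOF'
[Definition]
# Any request for wp-login.php or xmlrpc.php is a probe on a site that does not
# run WordPress; the status code is deliberately ignored.
failregex = ^<HOST> -.*"(GET|POST|HEAD) /(wp-login\.php|xmlrpc\.php)
ignoreregex =
EOF
    cat > "$dir/jail.d/apache-wp-probe.conf" <<'EOF'
[apache-wp-probe]
enabled  = true
port     = http,https
filter   = apache-wp-probe
logpath  = /var/log/apache2/access.log
# One hit is enough: a single wp-login.php request is never legitimate here.
maxretry = 1
findtime = 86400
bantime  = 604800
EOF
}

# Demo when run directly: list probing hosts, the /24s with 3+ hosts, and
# write the config into a temporary directory.
printf '%s\n' "$SAMPLE_LOG" | probe_ips
printf '%s\n' "$SAMPLE_LOG" | netblocks 3
demo_dir=$(mktemp -d)
write_fail2ban_config "$demo_dir"
cat "$demo_dir/filter.d/apache-wp-probe.conf"
```

After copying the two files into /etc/fail2ban, check the filter against the real log with `fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/apache-wp-probe.conf` before reloading fail2ban; it reports how many lines matched and which ones. Note that fail2ban's stock actions ban one address at a time; banning the whole /24, as the post wants, needs a custom action whose actionban passes `<ip>/24` to iptables (or an ipset) instead of `<ip>`, which is an assumption about your setup rather than something the stock configuration does. Bear in mind that a /24 ban also blocks any innocent hosts sharing that block.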