Fail2ban Basis-Konfiguration
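# Install fail2ban (on Debian/Ubuntu the package enables and starts the service itself).
apt install -y fail2ban
# /etc/fail2ban/jail.local (ALWAYS use .local, never edit .conf — package upgrades overwrite jail.conf)
# Site-specific values to review before writing the file:
#  - destemail: admin@example.com below is a placeholder, replace with a real mailbox.
#  - ignoreip: list your own admin networks/VPN ranges so you cannot lock yourself out.
#  - [sshd] port: must equal the Port directive in sshd_config (2222 here), otherwise the
#    ban rules are installed for the wrong port.
# action_mwl mails a whois report plus matching log lines per ban; it needs a working local
# MTA (mta = sendmail) and the whois tool installed — without them the ban itself still
# happens, but the mail action fails and is logged.
cat > /etc/fail2ban/jail.local << 'EOF'
[DEFAULT]
# IP nach 5 Fehlversuchen in 10 Min sperren
maxretry = 5
findtime = 600
bantime = 3600
# E-Mail-Benachrichtigung
destemail = admin@example.com
sendername = Fail2ban
mta = sendmail
action = %(action_mwl)s
# Eigene IPs nicht bannen
ignoreip = 127.0.0.1/8 192.168.0.0/24
[sshd]
enabled = true
port = 2222
logpath = %(sshd_log)s
maxretry = 3
bantime = 86400
EOF
# Validate the configuration first (fail2ban >= 0.10) so a typo does not leave the service down
# after the restart; restart only when the check passes.
fail2ban-client -t && systemctl restart fail2ban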
Nginx-Schutz
# Append the nginx jails to the jail.local created in the base setup.
# nginx-http-auth watches the error log (failed HTTP basic-auth attempts); nginx-botsearch and
# nginx-noscript match request lines in the access log. Adjust the logpath values if nginx
# writes its logs elsewhere (e.g. per-vhost log files).
cat <<'EOF' >> /etc/fail2ban/jail.local
[nginx-http-auth]
enabled = true
filter = nginx-http-auth
port = http,https
logpath = /var/log/nginx/error.log
[nginx-botsearch]
enabled = true
filter = nginx-botsearch
port = http,https
logpath = /var/log/nginx/access.log
maxretry = 2
[nginx-noscript]
enabled = true
port = http,https
filter = nginx-noscript
logpath = /var/log/nginx/access.log
maxretry = 6
EOF
WordPress Brute-Force-Schutz
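# Create a custom filter: POST requests to the WordPress login and XML-RPC endpoints.
# The dot in ".php" is escaped so the pattern matches only the literal file names; the
# status codes 200/403 are the responses the author treats as failed attempts (presumably
# the redisplayed login form and WAF/plugin denials — a successful login normally redirects).
# Caveat: legitimate XML-RPC clients also POST to xmlrpc.php with status 200, so they can be
# banned by this filter; exempt them via ignoreip or drop xmlrpc from the pattern if in use.
cat > /etc/fail2ban/filter.d/wordpress.conf << 'EOF'
[Definition]
failregex = ^<HOST> .* "POST /(wp-login|xmlrpc)\.php HTTP.*" (200|403)
ignoreregex =
EOF
# Dry-run the filter against the real access log before enabling the jail, so you can see
# whether (and how often) the regex matches.
fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/wordpress.conf
# Jail for WordPress: 3 hits within 5 minutes -> 24h ban.
cat >> /etc/fail2ban/jail.local << 'EOF'
[wordpress]
enabled = true
filter = wordpress
port = http,https
logpath = /var/log/nginx/access.log
maxretry = 3
findtime = 300
bantime = 86400
EOF
systemctl reload fail2ban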
Status und Verwaltung
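# Status of all jails
fail2ban-client status
# Status of a single jail (includes the "Banned IP list" for that jail)
fail2ban-client status nginx-http-auth
fail2ban-client status wordpress
# Ban an IP manually (1.2.3.4 is just an example address)
fail2ban-client set sshd banip 1.2.3.4
# Unban an IP
fail2ban-client set sshd unbanip 1.2.3.4
# All banned IPs: the jail status is the backend-independent view. The ipset/iptables
# commands below only work if the jail's banaction actually creates that set/chain — the
# names depend on the configured action, and on nftables-based hosts (Debian >= 11 default)
# neither exists; inspect `nft list ruleset` there instead.
fail2ban-client status sshd
ipset list fail2ban-sshd
iptables -L f2b-sshd -n --line-numbers
# Fail2ban logs (journal and log file; the file path must match fail2ban's logtarget)
journalctl -u fail2ban -f
tail -f /var/log/fail2ban.log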
Recidive Jail (Wiederholungstäter dauerhaft bannen)
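# Recidive jail: re-ban hosts that fail2ban itself has banned 5 times within 24h, for one
# week and on all ports. Its logpath must be fail2ban's own logtarget (default
# /var/log/fail2ban.log on Debian) or the jail never matches anything.
# Comments are on their own lines: fail2ban's ini parser does not strip trailing "# ..."
# comments from value lines (only ';' is an inline-comment prefix), so "bantime = 604800 # ..."
# would make the whole remainder part of the value and break the jail.
# banaction iptables-allports assumes the iptables backend; on an nftables-only host use
# nftables-allports (or leave banaction unset to inherit the distribution default).
cat >> /etc/fail2ban/jail.local << 'EOF'
[recidive]
enabled = true
logpath = /var/log/fail2ban.log
banaction = iptables-allports
# 1 Woche
bantime = 604800
# 24 Stunden
findtime = 86400
# 5x gesperrt in 24h = 1 Woche Ban
maxretry = 5
EOF
systemctl reload fail2ban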
FAQ
Kann fail2ban legitime Benutzer sperren?
Ja! Deshalb immer ignoreip für eigene IPs/VPNs setzen. Recidive erst nach ausgiebigem Testen aktivieren.
Fazit
Fail2ban schützt Server automatisch vor Brute-Force-Angriffen, ohne dass manuelle IP-Blacklists gepflegt werden müssen.