Fail2Ban is an essential tool that protects your server from brute-force attacks by scanning logs for suspicious login activity and banning offending IPs. At Pivotlar, we ship Fail2Ban enabled by default, with SSH protection active out of the box. This guide shows you how to extend that protection to your WordPress sites and manage bans effectively.
Part 1: Fail2Ban is Pre-Installed and SSH Protection is Active #
Out of the box, Pivotlar servers include a pre-configured jail for SSH access located at:
/etc/fail2ban/jail.d/sshd.localDefault content:
[sshd]
enabled = true
port = ssh
logpath = %(sshd_log)s
maxretry = 5
bantime = 300- maxretry = 5: Bans IPs after 5 failed SSH attempts.
- bantime = 300: Banned IPs are blocked for 5 minutes (300 seconds).
This setup protects your server from unauthorized login attempts via SSH. You don’t need to configure anything to activate it.
Part 2: Manually Adding WordPress Login and XMLRPC Protection #
For additional WordPress-specific brute-force protection, you can manually configure Fail2Ban jails to monitor login attempts via wp-login.php and xmlrpc.php.
Step 1: Create the Filter File #
Create a custom filter:
sudo vi /etc/fail2ban/filter.d/wp-login.confAdd this content:
[Definition]
failregex = <HOST> -.* "POST /wp-login.php.*" 200
<HOST> -.* "POST /xmlrpc.php.*" 200
ignoreregex =
Save and close the file (:wq).
Step 2: Create a Custom Jail #
Now define a jail that uses the filter:
sudo nano /etc/fail2ban/jail.d/wp-login.local
Add:
[wp-login]
enabled = true
filter = wp-login
logpath = /var/log/nginx/*access.log
port = http,https
bantime = 1200
findtime = 60
maxretry = 5You can customize:
- bantime (e.g. 1200 = 20 minutes)
- maxretry (e.g. 5 attempts before ban)
Step 3: Reload Fail2Ban #
Before restarting, check your syntax:
sudo fail2ban-client -dThen restart the service:
sudo service fail2ban restart
Part 3: View Fail2Ban Activity on Your Server #
To monitor banned IPs and Fail2Ban activity, check the log file:
sudo tail -f /var/log/fail2ban.logOr search for a specific IP:
zgrep 127.0.0.1 /var/log/fail2ban.log*Example output:
NOTICE [wp-login] Ban 127.0.0.1Part 4: Manually Ban / Unban IPs #
Ban an IP Manually: #
sudo fail2ban-client set wp-login banip 127.0.0.1Unban an IP: #
sudo fail2ban-client set wp-login unbanip 127.0.0.1Part 5: Whitelist Safe IPs #
To prevent your own IP from being banned, whitelist it in your jail:
sudo vi /etc/fail2ban/jail.d/wp-login.localAdd or edit:
ignoreip = 127.0.0.1 127.0.0.2Then:
sudo fail2ban-client -d && sudo service fail2ban restartPart 6: Viewing the Fail2Ban Log #
All Fail2Ban activity—including bans, unbans, and detection events—is logged in:
/var/log/fail2ban.logThis log provides a real-time view of IPs attempting unauthorized access, including which jails are taking action.
View the Live Log #
Under your server details click Log-> Fail2ban log button
This will stream new log entries as they happen, allowing you to monitor brute-force attempts and automatic bans in real time.
Search for a Specific IP #
If you want to check if a specific IP has been banned or triggered any jails:
sudo zgrep 127.0.0.1 /var/log/fail2ban.log*This will search across the current and archived Fail2Ban logs (including rotated and compressed logs).
Example Output #
NOTICE [sshd] Ban 127.0.0.1
NOTICE [wp-login] Ban 127.0.0.1
NOTICE [wp-login] Unban 127.0.0.1Each entry shows:
- The jail name that triggered the action
- The action (Ban or Unban)
- The IP address affected
Summary #
Fail2Ban is a powerful line of defense for your Pivotlar server. With SSH protection enabled by default, you can extend security by configuring additional jails for your WordPress sites. Whether you’re banning brute-force attackers automatically or managing bans manually, Fail2Ban helps keep your infrastructure safe.
Need Help? #
Reach out to our support team via support@pivotlar.com
