Webserver Fail2Ban

22 February 2026

Complete, cleanly structured, audit-ready documentation of the entire Fail2ban setup for imatrix.at.


# Fail2ban configuration for imatrix.at

Audit-ready documentation (Markdown)
As of: 22.02.2026
Host: wordpress‑1‑vm
Domain: imatrix.at
Logs: /var/log/nginx/imatrix.access.log, /var/log/nginx/imatrix.error.log


1. Objective

This Fail2ban configuration protects the WordPress vHost imatrix.at against:

  • HTTP auth attacks
  • wp-login / xmlrpc brute force
  • known bot networks
  • 404 floods / directory scanners
  • REST API abuse
  • user-agent spoofing (syntactic and heuristic)

All jails are vHost-specific, modular, audit-ready and rely exclusively on:

/var/log/nginx/imatrix.access.log
/var/log/nginx/imatrix.error.log

2. Nginx configuration (vHost)

2.1 Access log

access_log /var/log/nginx/imatrix.access.log;

No log_format is named, so nginx writes the default combined format: client address, remote user, time, request line, status, bytes, referer and user agent, with the request line, referer and user agent each quoted. Every access-log failregex below starts with ^<HOST> - and relies on exactly that field order; a custom log_format would require matching changes to the filters.

2.2 Error log (vHost-specific)

error_log /var/log/nginx/imatrix.error.log warn;

The warn level includes the error-level lines (password mismatch, missing credentials) that the nginx-http-auth filter matches.

2.3 Log permissions

sudo chown www-data:adm /var/log/nginx/imatrix.error.log
sudo chmod 0640 /var/log/nginx/imatrix.error.log

Fail2ban runs as root and reads the file regardless of these bits; the mode keeps the log from being world-readable. On Debian, /etc/logrotate.d/nginx recreates rotated logs with the same owner and mode (create 0640 www-data adm), so the setting survives rotation.

3. Fail2ban jails

All jails are located under:

/etc/fail2ban/jail.d/

By default Fail2ban exempts only the host's own addresses (ignoreself). Two of the jails below ban on the first matching request (maxretry = 1), so the addresses of the administrator and of any monitoring hosts belong in ignoreip (in jail.local or per jail) before the jails are enabled.

3.1 Jail: nginx-http-auth

Purpose: HTTP auth failures (Basic Auth)

Filter: nginx-http-auth is the filter shipped with Fail2ban (/etc/fail2ban/filter.d/nginx-http-auth.conf); it matches the error-log lines nginx writes for a wrong or missing password.

File: /etc/fail2ban/jail.d/nginx-http-auth.local

[nginx-http-auth]
enabled = true
port = http,https
logpath = /var/log/nginx/imatrix.error.log
backend = polling
filter = nginx-http-auth
maxretry = 3
findtime = 10m
bantime = 1h

3.2 Jail: imatrix-wp-login

Purpose: wp-login.php & xmlrpc.php brute force

The filter counts every request to the two files, not only failed logins: the GET that loads the form, a successful POST, a logout via wp-login.php?action=logout and every xmlrpc.php call all match. A legitimate administrator can therefore reach maxretry = 5 within findtime on their own, which is one more reason to list their addresses in ignoreip.

Filter: /etc/fail2ban/filter.d/imatrix-wp-login.conf

[Definition]
failregex = ^<HOST> -.*"(GET|POST) /wp-login\.php
            ^<HOST> -.*"(GET|POST) /xmlrpc\.php
ignoreregex =

Jail: /etc/fail2ban/jail.d/imatrix-wp-login.local

[imatrix-wp-login]
enabled = true
port = http,https
logpath = /var/log/nginx/imatrix.access.log
backend = polling
filter = imatrix-wp-login
maxretry = 5
findtime = 10m
bantime = 1h
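As an added example (not part of the original setup), the following Python script runs the imatrix-wp-login failregex over a few constructed combined-format log lines and compares it with a status-aware variant that counts only failed logins. It assumes WordPress's standard behaviour of answering a failed wp-login.php POST with HTTP 200 (the form is rendered again) and a successful one with a 302 redirect; the addresses and log lines are constructed, and <HOST> is expanded with a simplified address pattern rather than Fail2ban's full one.

```python
import re

# Fail2ban replaces <HOST> with its own address/hostname pattern; a simplified
# IPv4/IPv6 pattern is enough for these constructed samples.
HOST = r"(?P<host>[0-9a-fA-F:.]+)"


def compile_failregex(pattern: str) -> re.Pattern:
    """Expand <HOST> and compile one failregex line as Fail2ban would."""
    return re.compile(pattern.replace("<HOST>", HOST))


# The two lines of the imatrix-wp-login filter: every GET/POST to the files counts.
PAGE_FILTER = [
    r'^<HOST> -.*"(GET|POST) /wp-login\.php',
    r'^<HOST> -.*"(GET|POST) /xmlrpc\.php',
]

# Status-aware variant (an assumption added here): WordPress answers a failed
# wp-login.php POST with 200 (the form is shown again) and a successful one with
# a 302 redirect, so only POST + 200 is a failed login. xmlrpc.php answers 200
# even on authentication faults, so every POST to it is still counted.
STATUS_AWARE_FILTER = [
    r'^<HOST> -.*"POST /wp-login\.php[^"]*" 200 ',
    r'^<HOST> -.*"POST /xmlrpc\.php[^"]*" ',
]

# Constructed combined-format log: an administrator (203.0.113.10) who loads the
# form, logs in and opens wp-admin, and a script (198.51.100.7) failing twice and
# probing xmlrpc.php. Addresses are documentation ranges, not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [22/Feb/2026:10:00:01 +0100] "GET /wp-login.php HTTP/1.1" 200 4532 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0"
203.0.113.10 - - [22/Feb/2026:10:00:09 +0100] "POST /wp-login.php HTTP/1.1" 302 0 "https://imatrix.at/wp-login.php" "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0"
198.51.100.7 - - [22/Feb/2026:10:01:00 +0100] "POST /wp-login.php HTTP/1.1" 200 4610 "-" "python-requests/2.32.0"
198.51.100.7 - - [22/Feb/2026:10:01:01 +0100] "POST /wp-login.php HTTP/1.1" 200 4610 "-" "python-requests/2.32.0"
198.51.100.7 - - [22/Feb/2026:10:01:02 +0100] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "python-requests/2.32.0"
203.0.113.10 - - [22/Feb/2026:10:02:00 +0100] "GET /wp-admin/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0"
"""


def count_hits(filter_lines, log_text):
    """Return {address: number of log lines matched by any failregex line}.

    This is the per-address failure count a jail compares against maxretry
    (ignoring findtime, which needs timestamps).
    """
    regexes = [compile_failregex(p) for p in filter_lines]
    hits = {}
    for line in log_text.splitlines():
        for rx in regexes:
            m = rx.search(line)
            if m:
                hits[m.group("host")] = hits.get(m.group("host"), 0) + 1
                break  # one hit per line, like Fail2ban
    return hits


if __name__ == "__main__":
    print("page filter:        ", count_hits(PAGE_FILTER, SAMPLE_LOG))
    print("status-aware filter:", count_hits(STATUS_AWARE_FILTER, SAMPLE_LOG))
```

With the page's filter the administrator collects two hits for one successful login, while the status-aware variant attributes failures only to the script. Keep xmlrpc.php on the broad rule if the site does not need XML-RPC at all; otherwise the same status trick does not work there, because XML-RPC reports authentication faults inside a 200 response.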

3.3 Jail: imatrix-badbots

Purpose: known bot networks, scanners, scrapers

The tool and bot names are matched anywhere inside the quoted user-agent field, the last field of a combined-format line. (Written as a group such as (.*WPScan|WordPressChecker|...) the leading .* would belong to the first alternative only, every other name would have to start the user-agent string, and "Mozilla/5.0 (compatible; AhrefsBot/7.0; ...)" would never match.) With maxretry = 1 a single request from curl, python-requests or Go-http-client is enough for a 24 h ban, so uptime checks and the administrator's own curl tests must come from addresses listed in ignoreip.

Filter: /etc/fail2ban/filter.d/imatrix-badbots.conf

[Definition]
failregex = ^<HOST> -.*"(GET|POST|HEAD).*" .* "[^"]*(WPScan|WordPressChecker|python-requests|Go-http-client|curl|libwww-perl|masscan|sqlmap|nikto|fimap|nessus|acunetix|netsparker|dirbuster|nmap|zgrab|ZmEu|MJ12bot|AhrefsBot|SemrushBot|DotBot|BLEXBot|PetalBot|Bytespider|CensysInspect)[^"]*"$
ignoreregex =

Jail: /etc/fail2ban/jail.d/imatrix-badbots.local

[imatrix-badbots]
enabled = true
port = http,https
logpath = /var/log/nginx/imatrix.access.log
backend = polling
filter = imatrix-badbots
maxretry = 1
findtime = 1h
bantime = 24h

3.4 Jail: imatrix-404-flood

Purpose: directory scanners, 404 floods

The ignoreregex keeps the routine 404s of ordinary visitors (favicon.ico, robots.txt, wp-cron.php, unknown REST routes under /wp-json/) out of the count, so only a burst of ten other missing paths within five minutes triggers the ban.

Filter: /etc/fail2ban/filter.d/imatrix-404-flood.conf

[Definition]
failregex = ^<HOST> -.*"(GET|POST|HEAD).*" 404
ignoreregex = 
    ^<HOST> -.*"(GET|POST|HEAD) /favicon\.ico
    ^<HOST> -.*"(GET|POST|HEAD) /robots\.txt
    ^<HOST> -.*"(GET|POST|HEAD) /wp-cron\.php
    ^<HOST> -.*"(GET|POST|HEAD) /wp-json/

Jail: /etc/fail2ban/jail.d/imatrix-404-flood.local

[imatrix-404-flood]
enabled = true
port = http,https
logpath = /var/log/nginx/imatrix.access.log
backend = polling
filter = imatrix-404-flood
maxretry = 10
findtime = 5m
bantime = 12h
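As an added example (not the page's own code), this Python script replays constructed access-log lines through the rules of imatrix-404-flood, including its ignoreregex, and applies the maxretry/findtime window the way a jail does: an address is banned once it has maxretry matching lines whose timestamps lie within findtime seconds of each other. The addresses, paths and timing are constructed, <HOST> is expanded with a simplified address pattern, and the jail's 5m findtime is given in seconds.

```python
import re
from datetime import datetime, timedelta

HOST = r"(?P<host>[0-9a-fA-F:.]+)"
# Timestamp field of the combined format, e.g. [22/Feb/2026:10:00:00 +0100]
TIME_RX = re.compile(r"\[(\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]")

# Rules of the imatrix-404-flood filter as given on this page.
FAILREGEX = [r'^<HOST> -.*"(GET|POST|HEAD).*" 404']
IGNOREREGEX = [
    r'^<HOST> -.*"(GET|POST|HEAD) /favicon\.ico',
    r'^<HOST> -.*"(GET|POST|HEAD) /robots\.txt',
    r'^<HOST> -.*"(GET|POST|HEAD) /wp-cron\.php',
    r'^<HOST> -.*"(GET|POST|HEAD) /wp-json/',
]


def parse_time(line):
    return datetime.strptime(TIME_RX.search(line).group(1), "%d/%b/%Y:%H:%M:%S")


def first_match(regexes, line):
    for rx in regexes:
        m = rx.search(line)
        if m:
            return m
    return None


def simulate_jail(failregex, ignoreregex, log_text, maxretry, findtime):
    """Return the addresses a jail with these settings would ban, in ban order.

    A line counts as a failure if any failregex matches and no ignoreregex does.
    A ban fires when an address has maxretry failures within findtime seconds
    (sliding window), which is how Fail2ban evaluates the two parameters.
    """
    fails = [re.compile(p.replace("<HOST>", HOST)) for p in failregex]
    ignores = [re.compile(p.replace("<HOST>", HOST)) for p in ignoreregex]
    window = {}   # address -> timestamps of failures still inside findtime
    banned = []
    for line in log_text.splitlines():
        m = first_match(fails, line)
        if m is None or first_match(ignores, line) is not None:
            continue
        ip, ts = m.group("host"), parse_time(line)
        recent = [t for t in window.get(ip, []) if ts - t <= timedelta(seconds=findtime)]
        recent.append(ts)
        window[ip] = recent
        if len(recent) >= maxretry and ip not in banned:
            banned.append(ip)
    return banned


def access_line(ip, ts, request, status,
                ua="Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0"):
    """Build one combined-format line (constructed sample data)."""
    return f'{ip} - - [{ts.strftime("%d/%b/%Y:%H:%M:%S")} +0100] "{request}" {status} 0 "-" "{ua}"'


def build_sample_log():
    """Constructed traffic: a fast scanner, a slow scanner pacing itself, and a browser."""
    t0 = datetime(2026, 2, 22, 10, 0, 0)
    fast, slow, browser = "198.51.100.7", "198.51.100.8", "203.0.113.10"
    lines = []
    for i in range(12):
        request = f"GET /backup{i}.zip HTTP/1.1"
        lines.append(access_line(fast, t0 + timedelta(seconds=5 * i), request, 404, "Mozilla/5.0 (compatible)"))
        lines.append(access_line(slow, t0 + timedelta(seconds=40 * i), request, 404, "Mozilla/5.0 (compatible)"))
    lines += [
        access_line(browser, t0, "GET / HTTP/1.1", 200),
        access_line(browser, t0 + timedelta(seconds=1), "GET /favicon.ico HTTP/1.1", 404),
        access_line(browser, t0 + timedelta(seconds=2), "GET /wp-content/uploads/missing.png HTTP/1.1", 404),
    ]
    lines.sort(key=parse_time)
    return "\n".join(lines)


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    # jail values: maxretry = 10, findtime = 5m (300 s)
    print("findtime 5m: ", simulate_jail(FAILREGEX, IGNOREREGEX, SAMPLE_LOG, maxretry=10, findtime=300))
    print("findtime 10m:", simulate_jail(FAILREGEX, IGNOREREGEX, SAMPLE_LOG, maxretry=10, findtime=600))
```

The run shows what the two knobs buy: the scanner that requests a path every five seconds is banned at its tenth request, while the one that paces itself at forty seconds never has ten failures inside a five-minute window and is only caught when findtime is raised to ten minutes. The browser stays unbanned because its favicon.ico 404 is dropped by the ignoreregex; without that list two ordinary missing assets would already count.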

3.5 Jail: imatrix-rest-abuse

Purpose: REST API abuse (user enumeration, scraping, scanners)

/wp-json/wp/v2/users is the route that exposes author accounts for enumeration, but the posts, categories and tags routes are also what the block editor calls for logged-in authors. An editor saving a post can exceed maxretry = 5 within ten minutes, so this jail only works if the editors' addresses are in ignoreip or the author-facing routes are dropped from the filter.

Filter: /etc/fail2ban/filter.d/imatrix-rest-abuse.conf

[Definition]

# Pretty Permalinks
failregex = ^<HOST> -.*"(GET|POST) /wp-json/wp/v2/users
            ^<HOST> -.*"(GET|POST) /wp-json/wp/v2/posts
            ^<HOST> -.*"(GET|POST) /wp-json/wp/v2/comments
            ^<HOST> -.*"(GET|POST) /wp-json/wp/v2/categories
            ^<HOST> -.*"(GET|POST) /wp-json/wp/v2/tags

# Fallback Routing
            ^<HOST> -.*"(GET|POST) /index\.php\?rest_route=/wp/v2/users
            ^<HOST> -.*"(GET|POST) /index\.php\?rest_route=/wp/v2/posts
            ^<HOST> -.*"(GET|POST) /index\.php\?rest_route=/wp/v2/comments
            ^<HOST> -.*"(GET|POST) /index\.php\?rest_route=/wp/v2/categories
            ^<HOST> -.*"(GET|POST) /index\.php\?rest_route=/wp/v2/tags

ignoreregex =

Jail: /etc/fail2ban/jail.d/imatrix-rest-abuse.local

[imatrix-rest-abuse]
enabled = true
port = http,https
logpath = /var/log/nginx/imatrix.access.log
backend = polling
filter = imatrix-rest-abuse
maxretry = 5
findtime = 10m
bantime = 12h

3.6 Jail: imatrix-ua-spoofing (syntactic)

Purpose: syntactically wrong browser strings

Four cases are covered: a bot or tool keyword that precedes "Mozilla" inside the user-agent field; a bare "Mozilla/5.0"; "Mozilla/5.0 (compatible)" with nothing after it; and "Mozilla/5.0" followed by at most ten characters. Each pattern ends in "$ so that it applies only to the user-agent field, the last quoted field of a combined-format line; the anchor must follow the closing quote, since a $ placed before it can never match.

Filter: /etc/fail2ban/filter.d/imatrix-ua-spoofing.conf

[Definition]

failregex = ^<HOST> -.*"(GET|POST|HEAD).*" .* "[^"]*(bot|crawler|spider|scan|checker|probe|python|curl|Go-http-client|libwww-perl|masscan|sqlmap|nikto|fimap|zgrab|ZmEu)[^"]*Mozilla[^"]*"$
            ^<HOST> -.*"(GET|POST|HEAD).*" .* "Mozilla/5\.0"$
            ^<HOST> -.*"(GET|POST|HEAD).*" .* "Mozilla/5\.0 \(compatible\)"$
            ^<HOST> -.*"(GET|POST|HEAD).*" .* "Mozilla/5\.0[^"]{0,10}"$

ignoreregex =

Jail: /etc/fail2ban/jail.d/imatrix-ua-spoofing.local

[imatrix-ua-spoofing]
enabled = true
port = http,https
logpath = /var/log/nginx/imatrix.access.log
backend = polling
filter = imatrix-ua-spoofing
maxretry = 1
findtime = 10m
bantime = 24h

3.7 Jail: imatrix-ua-behavior (heuristic)

Purpose: browser user agent combined with malicious behaviour

Unlike imatrix-404-flood this filter has no ignoreregex, so a real browser's 404s for favicon.ico and the like count towards maxretry; the ignoreregex from 3.4 should be carried over here. The request field reads "METHOD /path HTTP/1.1", so each path pattern is followed by [^"]*" rather than by a bare quote, which would never match.

Filter: /etc/fail2ban/filter.d/imatrix-ua-behavior.conf

[Definition]

# Browser UA + 404 flood
failregex = ^<HOST> -.*"(GET|POST|HEAD).*" 404 .* "Mozilla/5\.0.*"

# Browser UA + REST abuse
            ^<HOST> -.*"(GET|POST) /index\.php\?rest_route=/wp/v2/[^"]*" .* "Mozilla/5\.0.*"

# Browser UA + wp-login
            ^<HOST> -.*"(GET|POST) /wp-login\.php[^"]*" .* "Mozilla/5\.0.*"

# Browser UA + xmlrpc
            ^<HOST> -.*"(GET|POST) /xmlrpc\.php[^"]*" .* "Mozilla/5\.0.*"

# Browser UA + bot keywords
            ^<HOST> -.*"(GET|POST|HEAD).*" .* "Mozilla/5\.0.*(scan|checker|probe).*"

ignoreregex =

Jail: /etc/fail2ban/jail.d/imatrix-ua-behavior.local

[imatrix-ua-behavior]
enabled = true
port = http,https
logpath = /var/log/nginx/imatrix.access.log
backend = polling
filter = imatrix-ua-behavior
maxretry = 5
findtime = 5m
bantime = 24h
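Added example (not part of the original configuration) covering the three regex pitfalls that the filters in 3.3, 3.6 and 3.7 have to avoid: a leading .* that applies to only the first alternative of a group, a $ anchor placed before the closing quote, and a path pattern followed directly by a quote although the request field continues with HTTP/1.1. Each pitfall is checked against a constructed log line in its broken and its corrected form; <HOST> is expanded with a simplified address pattern, and the addresses and user agents are constructed samples.

```python
import re

HOST = r"(?P<host>[0-9a-fA-F:.]+)"


def matches(failregex, line):
    """True if the failregex line (with <HOST> expanded) matches the log line."""
    return re.search(failregex.replace("<HOST>", HOST), line) is not None


# Constructed combined-format samples (documentation addresses, not real traffic).
AHREFS = ('203.0.113.5 - - [22/Feb/2026:10:00:00 +0100] "GET / HTTP/1.1" 200 512 "-" '
          '"Mozilla/5.0 (compatible; AhrefsBot/7.0; +http://ahrefs.com/robot/)"')
WPSCAN = ('203.0.113.6 - - [22/Feb/2026:10:00:01 +0100] "GET /wp-content/ HTTP/1.1" 403 0 "-" '
          '"WPScan v3.8.25 (https://wpscan.com/wordpress-security-scanner)"')
BARE_COMPAT = ('203.0.113.7 - - [22/Feb/2026:10:00:02 +0100] "GET / HTTP/1.1" 200 512 "-" '
               '"Mozilla/5.0 (compatible)"')
LOGIN = ('203.0.113.8 - - [22/Feb/2026:10:00:03 +0100] "POST /wp-login.php HTTP/1.1" 200 4610 "-" '
         '"Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0"')

PITFALLS = {
    # 1. In (.*WPScan|AhrefsBot) the .* belongs to the first alternative only, so
    #    AhrefsBot would have to be the first thing inside the user-agent quotes.
    "alternation": {
        "broken": r'^<HOST> -.*"(GET|POST|HEAD).*" .* "(.*WPScan|AhrefsBot).*"',
        "fixed": r'^<HOST> -.*"(GET|POST|HEAD).*" .* "[^"]*(WPScan|AhrefsBot)[^"]*"$',
        "line": AHREFS,
    },
    # 2. $ asserts end of line; a quote after it can never be matched.
    "anchor": {
        "broken": r'^<HOST> -.*"(GET|POST|HEAD).*" .* "Mozilla/5\.0 \(compatible\)$"',
        "fixed": r'^<HOST> -.*"(GET|POST|HEAD).*" .* "Mozilla/5\.0 \(compatible\)"$',
        "line": BARE_COMPAT,
    },
    # 3. The request field is "POST /wp-login.php HTTP/1.1"; a quote directly
    #    after .php never occurs, so the path must be followed by [^"]*".
    "request_line": {
        "broken": r'^<HOST> -.*"(GET|POST) /wp-login\.php" .* "Mozilla/5\.0.*"',
        "fixed": r'^<HOST> -.*"(GET|POST) /wp-login\.php[^"]*" .* "Mozilla/5\.0.*"',
        "line": LOGIN,
    },
}


def evaluate(pitfalls=PITFALLS):
    """Return {name: (broken form matches, fixed form matches)} per sample line."""
    return {name: (matches(p["broken"], p["line"]), matches(p["fixed"], p["line"]))
            for name, p in pitfalls.items()}


if __name__ == "__main__":
    for name, (broken, fixed) in evaluate().items():
        print(f"{name:13s} broken={broken!s:5s} fixed={fixed}")
    # The broken alternation still catches WPScan, which hides the bug in testing:
    print("alternation broken vs WPScan:", matches(PITFALLS["alternation"]["broken"], WPSCAN))
```

The first pitfall is the treacherous one: the broken group still matches a WPScan user agent, so a test with only that sample passes while every other name in the list is silently dead. Testing each filter with one line per alternative, or with fail2ban-regex against a day of real traffic, is what catches it.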

4. Fail2ban tests

4.1 Regex test

fail2ban-regex /var/log/nginx/imatrix.access.log /etc/fail2ban/filter.d/<filter>.conf

The first argument may also be a single quoted log line instead of a file, which is the quickest way to check one sample against a filter; --print-all-matched lists every line that matched, so false positives from legitimate traffic show up before the jail is enabled.

4.2 Jail status

fail2ban-client status
fail2ban-client status <jailname>

5. Fail2ban reload

sudo systemctl reload fail2ban

Running fail2ban-client -t first parses the whole configuration without applying it; a filter or jail file with a syntax error would otherwise only show up in /var/log/fail2ban.log after the reload.

6. Summary

You now have a complete Fail2ban setup for the vHost:

| Jail | Purpose | Log |
|---|---|---|
| nginx-http-auth | HTTP auth failures | imatrix.error.log |
| imatrix-wp-login | wp-login/xmlrpc brute force | imatrix.access.log |
| imatrix-badbots | known bot networks | imatrix.access.log |
| imatrix-404-flood | directory scanners | imatrix.access.log |
| imatrix-rest-abuse | REST API attacks | imatrix.access.log |
| imatrix-ua-spoofing | syntactic UA spoofing | imatrix.access.log |
| imatrix-ua-behavior | heuristic UA spoofing | imatrix.access.log |
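As an added example, not part of the page's setup, the script below generates a summary table like the one above from the jail files themselves and flags jails whose filter file does not exist, which is the check an auditor wants when comparing this document with the host. It parses the files with configparser (the INI dialect Fail2ban reads), falls back to the stock jail.conf defaults where a value is absent, and runs here on constructed sample files rather than the real /etc/fail2ban; the helper for reading a live directory is provided but not exercised.

```python
import configparser
from pathlib import Path

# Constructed jail files as they would sit in /etc/fail2ban/jail.d (sample data;
# nginx-http-auth is deliberately disabled here to exercise the enabled check).
SAMPLE_JAIL_FILES = {
    "imatrix-wp-login.local": """\
[imatrix-wp-login]
enabled = true
port = http,https
logpath = /var/log/nginx/imatrix.access.log
backend = polling
filter = imatrix-wp-login
maxretry = 5
findtime = 10m
bantime = 1h
""",
    "imatrix-badbots.local": """\
[imatrix-badbots]
enabled = true
port = http,https
logpath = /var/log/nginx/imatrix.access.log
backend = polling
filter = imatrix-badbots
maxretry = 1
findtime = 1h
bantime = 24h
""",
    "nginx-http-auth.local": """\
[nginx-http-auth]
enabled = false
logpath = /var/log/nginx/imatrix.error.log
""",
}

# Values of the stock jail.conf [DEFAULT] section, used when a jail omits them.
DEFAULTS = {"maxretry": "5", "findtime": "10m", "bantime": "10m"}


def parse_jail_texts(files):
    """Parse {filename: text} and return one record per enabled jail, sorted by name."""
    records = []
    for fname, text in files.items():
        cp = configparser.ConfigParser(interpolation=None)  # Fail2ban's %()s syntax is not needed here
        cp.read_string(text, source=fname)
        for jail in cp.sections():
            if cp.get(jail, "enabled", fallback="false").strip().lower() != "true":
                continue
            records.append({
                "jail": jail,
                "file": fname,
                "filter": cp.get(jail, "filter", fallback=jail),  # Fail2ban defaults filter to the jail name
                "logpath": cp.get(jail, "logpath", fallback=""),
                "maxretry": int(cp.get(jail, "maxretry", fallback=DEFAULTS["maxretry"])),
                "findtime": cp.get(jail, "findtime", fallback=DEFAULTS["findtime"]),
                "bantime": cp.get(jail, "bantime", fallback=DEFAULTS["bantime"]),
            })
    return sorted(records, key=lambda r: r["jail"])


def load_jail_dir(jail_dir="/etc/fail2ban/jail.d"):
    """Read every .conf and .local file of a real jail.d directory."""
    paths = sorted(Path(jail_dir).glob("*.conf")) + sorted(Path(jail_dir).glob("*.local"))
    return parse_jail_texts({p.name: p.read_text() for p in paths})


def filter_names(filter_dir="/etc/fail2ban/filter.d"):
    """Filter names available on the host (file stems of filter.d/*.conf and *.local)."""
    return {p.stem for p in Path(filter_dir).iterdir() if p.suffix in (".conf", ".local")}


def missing_filters(records, available):
    """Jails whose filter is not in `available`; Fail2ban would refuse to start them."""
    return [r["jail"] for r in records if r["filter"] not in available]


def render_table(records):
    """Markdown table in the shape of the summary above."""
    rows = ["| Jail | Filter | Log | maxretry | findtime | bantime |",
            "|---|---|---|---|---|---|"]
    for r in records:
        rows.append(f"| {r['jail']} | {r['filter']} | {Path(r['logpath']).name} | "
                    f"{r['maxretry']} | {r['findtime']} | {r['bantime']} |")
    return "\n".join(rows)


if __name__ == "__main__":
    recs = parse_jail_texts(SAMPLE_JAIL_FILES)
    print(render_table(recs))
    # Constructed set of filter names; on a host use filter_names() instead.
    print("jails without filter file:", missing_filters(recs, {"imatrix-wp-login", "nginx-http-auth"}))
```

On the host, `load_jail_dir()` and `filter_names()` replace the constructed input; a jail reported by `missing_filters` is one that fail2ban-client -t would reject, and a table that differs from the one in this document is a drift between documentation and deployment.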