Is there a way to stop a WP hacking bot with null user-agent with fail2ban?

[chall3ng3r]

Hi all,

Fail2ban is already installed. I hope there's some easy way I can create a rule for all my WP sites to ban the bot IP which is hitting random pages like hunting for old plugins or hacked files.

For now I've created a rule in vhost to send 403 to any request which comes with null user-agent, it works.

It'd be great if fail2ban can pick up the 403 and 503 codes and ban those IPs which continuously hit all my WP websites. Maybe a feature in CP UI to have something for this?

[atiqsamtia]

I block this traffic on cloudflare with Security Rule (Aailable on FREE Plan too)
This saves CPU usage on the VPS as no request hits VPS not even fail2ban.

(not starts_with(http.request.uri.path, "/wp-admin/") and ends_with(http.request.uri.path, ".php"))

[s-a-s-k-i-a]

Cloudflare WAF in front is genuinely the cleanest path if you've got CF on the domain — your VPS never sees the traffic, no fail2ban cycles burned. But the fail2ban setup you're asking about is straightforward on top of the 403 your vhost rule is already producing.

CloudPanel v2 writes per-site logs under /home/$siteUser/logs/ (see the Logs docs). The exact filename for nginx access depends on your vhost template — quickest way to confirm on your own box:

grep -h "access_log" /etc/nginx/sites-enabled/*.conf | head -5

Plug the resolved pattern into the jail's logpath. Most installs end up at something like /home/<siteUser>/logs/nginx/access.log, which a glob covers across all sites.

Filter — /etc/fail2ban/filter.d/nginx-bad-ua.conf:

[Definition]
failregex = ^<HOST>\s.*"(GET|POST|HEAD)\s[^"]*"\s(403|503)\s
ignoreregex =

Jail — append to /etc/fail2ban/jail.local:

[nginx-bad-ua]
enabled  = true
port     = http,https
filter   = nginx-bad-ua
logpath  = /home/*/logs/nginx/access.log
maxretry = 3
findtime = 600
bantime  = 86400

fail2ban-client reload && fail2ban-client status nginx-bad-ua.

Two things to watch:

• If Cloudflare is proxying the site, your nginx logs will show CF edge IPs and you'll ban Cloudflare. Restore the real IP first — set_real_ip_from <CF-range>; plus real_ip_header CF-Connecting-IP; in the server block. CloudPanel's per-site Cloudflare toggle does exactly this; alternatively keep the ranges in a snippet (e.g. /etc/nginx/snippets/cloudflare.conf) and include it from your vhost template.

• Log read permissions: fail2ban runs as its own user. On stock CloudPanel the site user owns the log dir; fail2ban doesn't have read access by default. One-time per site: setfacl -m u:fail2ban:rx /home/<siteUser>/logs/nginx /home/<siteUser>/logs/nginx/access.log, or bake it into your provisioning script.

maxretry=3 is aggressive on purpose — null-UA bots cycle IPs fast and three 403s in ten minutes is essentially always malicious. Bump to 10 if you ever catch a legit bot in the net.