Web Application Templates
Protection templates for common web applications.
wordpress
WordPress login brute force and XML-RPC attack protection.
| Setting | Default |
|---|---|
| Port | 80, 443 |
| Log Path | /var/log/apache2/access.log |
| Max Retry | 5 |
| Find Time | 10 minutes |
| Ban Time | 1 hour |
Detected Patterns
- /wp-login.php access (any response)
- /xmlrpc.php POST requests
- /wp-admin/ authentication failures
Why Catch 200 Responses?
WordPress returns 200 for failed logins (bad UX practice), so a failed attempt cannot be picked out by status code. The filter therefore catches all login attempts and relies on the maxretry threshold.
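The counting approach described above, as an added example (not the template's own filter): because status codes do not mark failures, every request to wp-login.php and every POST to xmlrpc.php is counted per client in a sliding window. It assumes combined-format access logs and that a ban triggers when the count reaches Max Retry; the function names and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_RETRY = 5                      # template default
FIND_TIME = timedelta(minutes=10)  # template default

# Assumed input: Apache/Nginx "combined" access log lines.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

def is_login_attempt(method, path):
    """wp-login.php counts on any method and status; xmlrpc.php only on POST."""
    path = path.split("?", 1)[0]
    return path.endswith("/wp-login.php") or (
        method == "POST" and path.endswith("/xmlrpc.php"))

def offenders(lines, max_retry=MAX_RETRY, find_time=FIND_TIME):
    """IPs reaching max_retry attempts (assumed ban point) within a sliding find_time window."""
    windows, flagged = defaultdict(deque), []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not is_login_attempt(m["method"], m["path"]):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        win = windows[m["ip"]]
        win.append(ts)
        while ts - win[0] > find_time:   # drop attempts older than the window
            win.popleft()
        if len(win) >= max_retry and m["ip"] not in flagged:
            flagged.append(m["ip"])
    return flagged

def _line(ip, hms, method, path, status):
    return f'{ip} - - [10/Mar/2025:{hms} +0000] "{method} {path} HTTP/1.1" {status} 512 "-" "-"'

# Constructed sample log (documentation IP ranges), grouped per client for readability.
SAMPLE_LOG = (
    # Five failed logins in under a minute; each one is answered with 200.
    [_line("203.0.113.7", f"10:00:{i * 10:02d}", "POST", "/wp-login.php", 200) for i in range(5)]
    # A user who mistypes once (200), then logs in (302): stays under the threshold.
    + [_line("198.51.100.20", f"10:01:{s}", "POST", "/wp-login.php", c) for s, c in (("00", 200), ("20", 302))]
    # Five attempts spaced five minutes apart: never more than three per window.
    + [_line("192.0.2.55", f"10:{i * 5:02d}:00", "POST", "/wp-login.php", 200) for i in range(5)]
    # XML-RPC: the GET is ignored, the five POSTs are counted.
    + [_line("198.51.100.77", "10:02:00", "GET", "/xmlrpc.php", 405)]
    + [_line("198.51.100.77", f"10:03:{i * 10:02d}", "POST", "/xmlrpc.php", 200) for i in range(5)]
)
print(offenders(SAMPLE_LOG))
```

With the defaults only the two burst clients are flagged; lowering `max_retry` to 3 also flags the slow client at 192.0.2.55, which shows how the threshold and window trade false positives against missed slow attempts.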
Configuration Tips
Nginx Log Path:
logpath: /var/log/nginx/access.log
Multiple Sites:
logpath: /var/log/nginx/*access.log
wordpress-hard
Aggressive WordPress protection - catches exploit scanners.
| Setting | Default |
|---|---|
| Port | 80, 443 |
| Log Path | /var/log/apache2/access.log |
| Max Retry | 2 |
| Find Time | 10 minutes |
| Ban Time | 24 hours |
Detected Patterns
- /wp-config.php access attempts (configuration file)
- /wp-includes/*.php? with query strings
- /wp-content/plugins/*.php? with query strings
- User enumeration via REST API
Use Case
Enable for sites under active attack or when you notice scanning in logs.
May cause false positives with some plugins that have unusual URL patterns.
phpmyadmin
phpMyAdmin authentication failures.
| Setting | Default |
|---|---|
| Port | 80, 443 |
| Log Path | /var/log/apache2/error.log |
| Max Retry | 5 |
| Find Time | 10 minutes |
| Ban Time | 1 hour |
Detected Patterns
- User denied messages
- 401 responses to /phpmyadmin/ or /pma/
Security Recommendation
phpMyAdmin is heavily targeted. Consider:
- Rename the URL path
- Restrict by IP
- Add HTTP Basic Auth layer
- Use SSH tunnel instead
nextcloud
Nextcloud login brute force protection.
| Setting | Default |
|---|---|
| Port | 80, 443 |
| Log Path | /var/www/nextcloud/data/nextcloud.log |
| Max Retry | 5 |
| Find Time | 10 minutes |
| Ban Time | 1 hour |
Detected Patterns
- Login failed messages
- Trusted domain errors
Log Path
Nextcloud has its own log file, not the web server log:
# Standard installation
logpath: /var/www/nextcloud/data/nextcloud.log
# Docker (example)
logpath: /path/to/nextcloud/data/nextcloud.log
Configuration
Ensure Nextcloud logs to file:
// config/config.php
'log_type' => 'file',
'logfile' => '/var/www/nextcloud/data/nextcloud.log',
'loglevel' => 2,
grafana
Grafana dashboard login failures.
| Setting | Default |
|---|---|
| Port | 3000 |
| Log Path | /var/log/grafana/grafana.log |
| Max Retry | 5 |
| Find Time | 10 minutes |
| Ban Time | 1 hour |
Detected Patterns
- "Invalid username or password"
- "invalid username or password" (different log format)
Log Path Options
| Setup | Path |
|---|---|
| Standard | /var/log/grafana/grafana.log |
| Docker | Container log or volume mount |
FTP Templates
vsftpd
| Setting | Default |
|---|---|
| Port | 20, 21, 990 |
| Log Path | /var/log/vsftpd.log |
| Max Retry | 5 |
proftpd
| Setting | Default |
|---|---|
| Port | 20, 21, 990 |
| Log Path | /var/log/proftpd/proftpd.log |
| Max Retry | 5 |
pure-ftpd
| Setting | Default |
|---|---|
| Port | 20, 21, 990 |
| Log Path | /var/log/syslog |
| Max Retry | 5 |
Proxy Templates
traefik-http
Traefik reverse proxy errors (JSON logs).
| Setting | Default |
|---|---|
| Port | 80, 443 |
| Log Path | /var/log/traefik/access.log |
| Max Retry | 10 |
Detects 401/403/404 responses from JSON-formatted access logs.
caddy-http
Caddy server errors (JSON logs).
| Setting | Default |
|---|---|
| Port | 80, 443 |
| Log Path | /var/log/caddy/access.log |
| Max Retry | 10 |