[SOLVED] Fail2Ban - How to block BruteForce on install.php files?

Fail2Ban - How to block BruteForce on install.php files?

an IP address attack my server with BruteForce scanning of install.php Wordpress files:

/var/www/vhosts/website1.tld/logs/access_ssl_log:104.248.227.52 - - [28/Jul/2021:08:27:33 +0200] "GET /wp-admin/install.php HTTP/1.1" 200 5503 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36"

/var/www/vhosts/website2.tld/logs/access_ssl_log:104.248.227.52 - - [28/Jul/2021:08:27:43 +0200] "GET /wp-admin/install.php HTTP/1.1" 403 5686 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36"

/var/www/vhosts/website3.tld/logs/access_ssl_log:104.248.227.52 - - [28/Jul/2021:08:27:35 +0200] "GET /wp-admin/install.php HTTP/1.1" 200 6290 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36"

/var/www/vhosts/website4.tld/logs/access_log:104.248.227.52 - - [28/Jul/2021:08:27:44 +0200] "GET /wp/wp-admin/install.php HTTP/1.1" 404 1296 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36"

/var/www/vhosts/website5.tòd/logs/access_ssl_log:104.248.227.52 - - [28/Jul/2021:08:27:41 +0200] "GET /wordpress/wp-admin/install.php HTTP/1.1" 404 6219 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36"

etc...

How can I block this actions?

Please note that install.php is also used for installations and therefore I cannot block any requests!

Thanks for support, Regards, Gian Marco.

Solution

Setup a filter using using a regex to spot hits on the install.php Then a create jail for a lot of hits within a short window. Slightly dirty but this regex might work:

 _log:(<ADDR>).*GET.*install.php