Can’t remember where I got this info from, but it is extremely useful. I have a feeling I pulled bits from over the place. I used this procedure to lock down my Owncloud installation when I had it running.
Test fake logins, look at logs, find the failure line and then
add file in /etc/fail2ban/filter.d/
Copy an existing one that is similar, use http://regex101.com/ to confirm the regex is correct…
Then add the info into /etc/fail2ban/jail.conf
Then test fake logins and make sure in the /var/log… file it’s showing up the line you expect
Run fail2ban-regex /var/log/apache2/ssl_access.log /etc/fail2ban/filter.d/oc-auth.conf
Where the log is the log, and the conf file is the new conf file…make sure it finds the failed lines
Restart fail2ban and test.
To see the banned ip run
fail2ban-client status wp-auth
To unban run
fail2ban-client set wp-auth unbanip **IP Address*