I don't know of a specific addon for this, but basically the addon would have to use the PHP openlog functions to log failed access attempts that fail2ban could then scan. The general idea is that you are only logging the failed attempts.
However, you could also simply look for any attempts in your access.log file, and make the assumption that if the same IP is logging many attempts in a short period, they are attempting to hack. This approach should work with your current log files.
Since I only use Nginx these days, I'll post what I would do as a quick stop on that setup.
I use a separate log file per "site" in the server definition. If you only have one site on a VPS then using the master Nginx access.log file would be fine. Be sure to use logrotate; you don't want to scan an access log that contains weeks of data. It is this access.log file that will be scanned with fail2ban.
I use a specific log format for my nginx logs (nginx.conf). It looks like
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
which gives me entries like the following in the access.log files
xxx.xxx.xxx.xxx - - [25/Dec/2016:07:02:36 -0600] "GET /index.php?action=login HTTP/1.1" 200 5538 "http://www.yoursite.tld/index.php?action=forum" "Mozilla/5.0 (iPad; CPU OS 10_1_1 like Mac OS X) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0 Mobile/14B100 Safari/602.1" "-"
using a fail2ban regex like
^<HOST>.*GET /index.php\?action=login\s.*$
will find all the login attempts per IP for this log style. If your log file is different, just update the regex to accommodate. So a basic elkarte-login.conf that you would place in your fail2ban filter.d directory would look like
#
# Login filter /etc/fail2ban/filter.d/elkarte-login.conf:
#
# Blocks IPs that attempt to authenticate too often
#
# Scan access log for attempts to login or login2
# (continuation lines of failregex must be indented)
[Definition]
failregex = ^<HOST>.*GET /index.php\?action=login\s.*$
            ^<HOST>.*GET /index.php\?action=login2;quicklogin\s.*$
            ^<HOST>.*POST /index.php\?action=login2;quicklogin\s.*$
ignoreregex =
You can test that the file works by running
fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/elkarte-login.conf
which will show the number of lines found (not the number it would ban, it's just a test of the conf file).
Then in your jail.local file, add something like this (make sure you point to the directory of your site's access log in the logpath=), so anyone who has attempted to login > 6 times in 4 mins (240 seconds) is blocked for 10 min (600 seconds).
# Block anyone failing to authenticate using our applications log in page
[elkarte-login]
enabled = true
filter = elkarte-login
action = iptables-multiport[name=NoLoginFailures, port="http,https"]
logpath = /var/log/nginx*/*access*.log
findtime = 240
bantime = 600
maxretry = 6
UNTESTED !!!!
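
Since fail2ban-regex only counts matching lines, the following added example (not part of the original post) replays the filter's three patterns together with the jail's findtime and maxretry over constructed log lines to show which IPs would reach the ban threshold. The IPv4 stand-in for `<HOST>`, the helper names and the sample addresses are assumptions made for the sketch.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# failregex lines from elkarte-login.conf. fail2ban's <HOST> tag is
# approximated by an IPv4 capture group (an assumption of this sketch).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAILREGEX = [re.compile(p.replace("<HOST>", HOST)) for p in (
    r"^<HOST>.*GET /index.php\?action=login\s.*$",
    r"^<HOST>.*GET /index.php\?action=login2;quicklogin\s.*$",
    r"^<HOST>.*POST /index.php\?action=login2;quicklogin\s.*$",
)]
TIME_RE = re.compile(r"\[([^\]]+)\]")  # the [$time_local] field

def would_ban(lines, findtime=240, maxretry=6):
    """Map each IP to the time its matches reach maxretry within findtime."""
    hits, banned = defaultdict(deque), {}
    for line in lines:
        m = next(filter(None, (r.match(line) for r in FAILREGEX)), None)
        t = TIME_RE.search(line)
        if not (m and t):
            continue
        ip = m.group("host")
        ts = datetime.strptime(t.group(1), "%d/%b/%Y:%H:%M:%S %z")
        window = hits[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()  # drop matches older than findtime
        if len(window) >= maxretry:
            banned.setdefault(ip, ts)  # keep the first time the limit is hit
    return banned

def sample_log():
    """Constructed access.log lines in the post's log_format."""
    row = ('{} - - [25/Dec/2016:07:{:02d}:{:02d} -0600] "{} HTTP/1.1" '
           '200 5538 "-" "constructed-agent" "-"')
    login = "POST /index.php?action=login2;quicklogin"
    lines = [row.format("203.0.113.5", 2, 10 * i, login) for i in range(6)]
    # Same number of login page requests, but two minutes apart.
    lines += [row.format("198.51.100.7", 2 * i, 0, "GET /index.php?action=login")
              for i in range(6)]
    # Ordinary browsing never matches the filter.
    lines += [row.format("192.0.2.9", 3, i, "GET /index.php?action=forum")
              for i in range(10)]
    return lines

if __name__ == "__main__":
    for ip, when in would_ban(sample_log()).items():
        print(ip, "would be banned at", when)
```

Swapping `sample_log()` for the lines of a real access.log shows how the chosen findtime and maxretry would treat actual traffic before the jail is enabled.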