apache error wp-login.php & testproxy.php not found or unable to stat

Hi I’ve been getting these errors in my apache error log (/var/log/apache2/error.log) -

[Fri Jul 14 20:03:05.655198 2017] [:error] [pid 27999] [client] script '/var/www/html/wp-login.php' not found or unable to stat
[Sat Jul 15 00:47:36.775033 2017] [:error] [pid 30209] [client] script '/var/www/html/testproxy.php' not found or unable to stat

I’ve installed fail2ban and can see in the log (/var/log/fail2ban.log) its been banning IPs for the jails setup -

2017-07-15 01:01:11,573 fail2ban.actions: WARNING [wordpress-login] Ban
2017-07-15 07:48:29,518 fail2ban.actions: WARNING [wordpress-xmlrpc] Ban
2017-07-15 07:48:30,312 fail2ban.actions: WARNING [http-get-dos] Ban
2017-07-15 07:57:15,893 fail2ban.actions: WARNING [ssh] Ban
2017-07-15 07:57:16,139 fail2ban.actions: WARNING [apache-nokiddies] Ban

What can I do to stop wp-login.php and testproxy.php from appearing in the apache error log? Have I setup fail2ban wrong or am I missing something?

Below are all the fails inside jail.local -

enabled = true
filter = wordpress-hard
logpath =  /var/log/auth.log
maxretry = 1
port = http,https

enabled  = true
filter   = wordpress-xmlrpc
action   = iptables-multiport[name=WordPressXMLRPC, port="http,https"]
logpath  = /var/log/apache2/*access.log
maxretry = 1

enabled = true
port = http,https
filter = wordpress-login
action = iptables-multiport[name=wordpress, port="http,https", protocol=tcp]
logpath = /var/log/apache2/*access.log
maxretry = 2

enabled = true
filter = cron
action = iptables[name=cron, port="http,https", protocol=tcp]
logpath = /var/log/apache2/access.log
maxretry = 1

enabled  = true
port     = http,https
filter   = apache-livewhale
logpath  = /var/log/apache*/*error.log
maxretry = 0

enabled = true
port = http,https
filter = http-get-dos
logpath = /var/log/apache2/access.log
maxretry = 1
action = iptables[name=HTTP, port=http, protocol=tcp]

enabled  = true
port     = http,https
filter   = apache-nokiddies
logpath  = /var/log/apache*/*access.log
maxretry = 1


failregex = ^<HOST> -.*"(GET|POST).*
ignoreregex =


failregex = ^<HOST> .*"GET .*w00tw00t
# try to access to admin directory
            ^<HOST> .*"GET .*admin.* 403
            ^<HOST> .*"GET .*admin.* 404
# try to access to install directory
            ^<HOST> .*"GET .*install.* 404
# try to access to phpmyadmin
            ^<HOST> .*"GET .*dbadmin.* 404
            ^<HOST> .*"GET .*myadmin.* 404
            ^<HOST> .*"GET .*MyAdmin.* 404
            ^<HOST> .*"GET .*mysql.* 404
            ^<HOST> .*"GET .*websql.* 404
            ^<HOST> .*"GET \/pma\/.* 404
# try to access to wordpress (we use another CMS)
            ^<HOST> .*"GET .*wp-content.* 404
            ^<HOST> .*"GET .*wp-login.* 404
# try to access to typo3 (we use another CMS)
            ^<HOST> .*"GET .*typo3.* 404
# try to access to tomcat (we do not use it)      
            ^<HOST> .*"HEAD .*manager.* 404
# try to access various strange scripts and malwares
            ^<HOST> .*"HEAD .*blackcat.* 404
            ^<HOST> .*"HEAD .*sprawdza.php.* 404

ignoreregex = 


before = common.conf


acunetix = response\.write\(\d+\*\d+\)|now\(\)|sysdate\(\)|sleep\(\d*\)|waitfor delay|pg_sleep\(\d*\)|';|' AND|" AND|set\|set\&set|SomeCustomInjectedHeader|;select
acunetix_invalid = /etc/|/invalid
kidc = GetSimple_2\.01|Factux|Madirish_Webmail|idioma|jevoncms|facil-cms|phpunity\.newsmanager|dloadstplates|phpdirectorgameedition|tendersystem|mariecms|microcms|micro_cms_files|vtigercrm|dnet_admin|FunGamez|kipper20|skysilver
ripe = ACGVnews|AdaptCMS_Lite_1\.4_2|BetaBlockModules|Contenido_4\.8\.4|DFF_PHP_FrameworkAPI-latest|Dir_phNNTP|DynaTracker_v151|Easysite-2\.0_path|FormTools1_5_0|Mamblog|NuclearBB|OpenSiteAdmin|PHPDJ_v05|SPIP-v1-7-2|SQuery|SazCart|WordPress_Files|advanced_comment_system|modx-0\.9\.6\.2|mxBB|olbookmarks-0\.7\.4|ossigeno-suite-2\.2_pre1|phpAdsNew-2\.0\.7|phpBB2|phpMyConferences_8\.0\.2|phpQLAdmin-2\.2\.7|phpSiteBackup-0\.1|plume-1\.1\.3|pmapper-3\.2-beta3|pmi_v28|podcastgen1\.0beta2|post_static_0-11|qsgen_0\.7\.2c
ripe_nostat = 123flashchat|BE_config|CoupleDB|MOD_forum_fields_parse|addvip|admin\.loudmouth|anzagien|auth\.sessions\.inc|b2verifauth|bb_admin|ch_readalso|cls_fast_template|ezusermanager_pwd_forgott|fcring|fonctions_racine|hioxBannerRotate|functions_user_viewed_posts|pafiledb_constants|themen_portal_mitte|usercp_register|migrateNE2toNE3|naboard_pnr|nukebrowser|php-include-robotsservices

# Option:  failregex
# Notes.:  Regexp to catch vulnerability scanners.
# Values:  TEXT
failregex = ^\[[^\]]+\] \[error\] \[client <HOST>\].*File does not exist: .*(%(acunetix)s).*$
            ^\[[^\]]+\] \[error\] \[client <HOST>\].*Invalid URI in request .*(%(acunetix_invalid)s).*$
            ^\[[^\]]+\] \[error\] \[client <HOST>\].*File does not exist: .*/(%(kidc)s)$
            ^\[[^\]]+\] \[error\] \[client <HOST>\].*File does not exist: .*/(%(ripe)s)$
            ^\[[^\]]+\] \[error\] \[client <HOST>\].*script .*/(%(ripe_nostat)s)\.php.* unable to stat$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
ignoreregex =


failregex = ^<HOST> .*POST .*wp-cron\.php.*
ignoreregex =


before = common.conf
_daemon = (?:wordpress|wp)
failregex = ^%(__prefix_line)sAuthentication attempt for unknown user .* from <HOST>$
            ^%(__prefix_line)sBlocked user enumeration attempt from <HOST>$
            ^%(__prefix_line)sBlocked authentication attempt for .* from <HOST>$
            ^%(__prefix_line)sPingback error .* generated from <HOST>$
            ^%(__prefix_line)sSpam comment \d+ from <HOST>$
            ^%(__prefix_line)sXML-RPC authentication attempt for unknown user .* from <HOST>$
            ^%(__prefix_line)sXML-RPC multicall authentication failure from <HOST>$
ignoreregex =


failregex = ^<HOST> .*POST .*xmlrpc\.php.*
ignoreregex =


failregex = ^<HOST> .* "POST .*wp-login.php
ignoreregex =

Submit an answer

This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Sign In or Sign Up to Answer

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

Want to learn more? Join the DigitalOcean Community!

Join our DigitalOcean community of over a million developers for free! Get help and share knowledge in Q&A, subscribe to topics of interest, and get courses and tools that will help you grow as a developer and scale your project or business.

> What can I do to stop wp-login.php and testproxy.php from appearing in the apache error log?

For fail2ban to work, I believe you need these items to appear in your error log. Fail2ban reads the error log, checks for these items, and then bans the offenders using iptables.

Hope this helps :)