Fail2Ban
or how to ward off intruders

Access Linux console
This requires access to the Linux OS console, and you need to install the fail2ban software. For Debian this is done via sudo apt-get install fail2ban.
Key Elements
Use the fail2ban system to ward off a high number of requests against the WordPress login and WordPress author pages.
Target Audience
Any security-conscious individual hosting WordPress. This works on self-hosted WordPress installations which are NOT behind a CDN.
Strategy
Stop automatic scanning, but still let you in for normal usage. Frankly, if you try to log in 6 times within 1 minute, you are blocked for a day.
How fail2ban works
fail2ban reads the log file and, based on your settings, determines whether a request pattern exceeds the rules. If a rule is triggered, fail2ban automatically adds an iptables rule blocking the source IP. Blocked IPs are removed again after the lockdown time has expired. For blocked IPs, consecutive requests restart the lockdown timer.
This usually stops automatic scanning attempts after the initial threshold you allowed.

Discovery through graylog
As I scanned through my logs with graylog this pattern emerged and I added scanning for wp-login and author.php to the fail2ban jails and filters.


Filter settings
These are the settings in /etc/fail2ban/filter.d/wp-login.conf for the filters:
[INCLUDES]
before = common.conf
[Definition]
_daemon = nginxaccess
failregex = ^.*nginxaccess:\s[\w\-.^_]+\s<HOST>\s.*POST.*wp-login
ignoreregex =
These are the settings in /etc/fail2ban/filter.d/wp-author.conf for the filters:
[INCLUDES]
before = common.conf
[Definition]
_daemon = nginxaccess
failregex = ^.*nginxaccess:\s[\w\-.^_]+\s<HOST>\s.*GET.*/\?author=[0-9]+
ignoreregex =
These are the settings in /etc/fail2ban/filter.d/xmlrpc.conf for the filters:
[Definition]
failregex = ^.*nginxaccess:\s[\w\-.^_]+\s<HOST>\s.*POST.*xmlrpc.php
ignoreregex =
Adding it to the jail
Add the following lines to the jail.conf:
[wplogin]
enabled = true
port = http,https
filter = wp-login
logpath = /var/log/syslog
maxretry = 5
bantime = 86400
findtime = 60
[wpauthor]
enabled = true
port = http,https
filter = wp-author
logpath = /var/log/syslog
maxretry = 5
bantime = 86400
findtime = 120
[xmlrpc]
enabled = true
port = http,https
filter = xmlrpc
logpath = /var/log/syslog
maxretry = 5
bantime = 86400
findtime = 60
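To check the three failregex patterns above against log lines before enabling the jails, here is an added Python example (not code from the original post or from fail2ban itself) that applies the filters and simulates the maxretry/findtime counting of a jail. The host group substituted for <HOST>, the syslog line layout, and the sample log lines are constructed assumptions.

```python
import re
from collections import defaultdict, deque

# failregex patterns from the filter files above. fail2ban substitutes its own
# host-matching group for <HOST>; this simplified named group is an assumption.
HOST = r"(?P<host>[\w\-.:]+)"
FILTERS = {
    "wplogin":  r"^.*nginxaccess:\s[\w\-.^_]+\s<HOST>\s.*POST.*wp-login",
    "wpauthor": r"^.*nginxaccess:\s[\w\-.^_]+\s<HOST>\s.*GET.*/\?author=[0-9]+",
    "xmlrpc":   r"^.*nginxaccess:\s[\w\-.^_]+\s<HOST>\s.*POST.*xmlrpc.php",
}
COMPILED = {n: re.compile(rx.replace("<HOST>", HOST)) for n, rx in FILTERS.items()}

def match_filter(name, line):
    """Return the source IP if the line matches the named filter, else None."""
    m = COMPILED[name].search(line)
    return m.group("host") if m else None

def simulate_jail(name, events, maxretry=5, findtime=60):
    """events: (unix_time, syslog_line) tuples. Returns {ip: ban_time} for every IP
    whose matches within a findtime window reach maxretry, as a jail would count."""
    recent = defaultdict(deque)   # per-IP timestamps of recent matches
    banned = {}
    for ts, line in sorted(events):
        ip = match_filter(name, line)
        if ip is None or ip in banned:
            continue
        window = recent[ip]
        window.append(ts)
        while window and ts - window[0] > findtime:   # drop matches older than findtime
            window.popleft()
        if len(window) >= maxretry:
            banned[ip] = ts
    return banned

# Constructed sample syslog lines in the assumed "nginxaccess: <vhost> <ip> ..." layout.
def sample_events():
    tmpl = 'Jan 10 12:00:00 web nginxaccess: blog.example {ip} "{req} HTTP/1.1" 200'
    ev = []
    for i in range(5):   # burst: 5 login POSTs from one IP within 16 seconds
        ev.append((1000 + i * 4, tmpl.format(ip="203.0.113.5", req="POST /wp-login.php")))
    for i in range(5):   # slow human: 5 login POSTs spread 2 minutes apart
        ev.append((2000 + i * 120, tmpl.format(ip="198.51.100.7", req="POST /wp-login.php")))
    ev.append((3000, tmpl.format(ip="192.0.2.9", req="GET /wp-login.php")))  # GET: not a failure
    return ev

if __name__ == "__main__":
    print(simulate_jail("wplogin", sample_events()))   # only the burst IP is banned
```

On a live host the fail2ban-regex tool performs the same pattern check against the real log file and filter.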

Need more help?
This works on my NVA (Nginx, Varnish, Apache) setup and is a bit different from the vanilla installation.