Fail2Ban
or how to ward off intruders

Access Linux console

This requires access to the Linux OS console, and you need to install the fail2ban software. On Debian this is done with sudo apt-get install fail2ban.

Key Elements

Use the fail2ban system to ward off a high number of requests against the WordPress login and WordPress author pages.

Target Audience

Any security-conscious individual hosting WordPress. This works on self-hosted WordPress installations that are NOT behind a CDN.

Strategy

Stop automatic scanning, but still let yourself in for normal usage. Frankly, if you try to log in 6 times within 1 minute, you are blocked for a day.

How fail2ban works

fail2ban reads the log file and, based on your settings, determines whether a request pattern exceeds the rules. If a rule is triggered, fail2ban automatically adds an iptables entry blocking the source IP. Blocked IPs are removed again once the lock-down time has expired. Further requests from a blocked IP restart the lock-down timer.

This usually stops automatic scanning attempts once they exceed the initial threshold you allowed.

Example blocking report

Lots of IPs caught.

Discovery through graylog

As I scanned through my logs with graylog, this pattern emerged, and I added scanning for wp-login and author.php to the fail2ban jails and filters.

Filter settings

These are the settings in /etc/fail2ban/filter.d/wp-login.conf for the filter:

[INCLUDES]
before = common.conf

[Definition]
_daemon = nginxaccess

failregex = ^.*nginxaccess:\s[\w\-.^_]+\s<HOST>\s.*POST.*wp-login

ignoreregex =

These are the settings in /etc/fail2ban/filter.d/wp-author.conf for the filter:

[INCLUDES]
before = common.conf

[Definition]
_daemon = nginxaccess

failregex = ^.*nginxaccess:\s[\w\-.^_]+\s<HOST>\s.*GET.*/\?author=[0-9]+

ignoreregex =

These are the settings in /etc/fail2ban/filter.d/xmlrpc.conf for the filter:

[Definition]
failregex = ^.*nginxaccess:\s[\w\-.^_]+\s<HOST>\s.*POST.*xmlrpc.php

ignoreregex =

Adding it to the jail

Add the following lines to jail.conf:

[wplogin]
enabled = true
port = http,https
filter = wp-login
logpath = /var/log/syslog
maxretry = 5
bantime = 86400
findtime = 60

[wpauthor]
enabled = true
port = http,https
filter = wp-author
logpath = /var/log/syslog
maxretry = 5
bantime = 86400
findtime = 120

[xmlrpc]
enabled = true
port = http,https
filter = xmlrpc
logpath = /var/log/syslog
maxretry = 5
bantime = 86400
findtime = 60
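The following is an added example, not code from the original post: a small Python replay of the three filters and jails above over constructed syslog lines, showing which hosts fail2ban's counting would ban (a host is banned once it has maxretry matches inside the last findtime seconds, for bantime seconds; the log-reading and banning described under "How fail2ban works"). It assumes a simplified stand-in for fail2ban's <HOST> token (IPv4/IPv6 literals only), the line shape "… nginxaccess: <server> <client ip> …" that the regexes imply, and the year 2024 for the year-less syslog timestamps; the sample log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# fail2ban substitutes <HOST> with its own host-matching group at load time.
# This simplified stand-in (an assumption of this example) accepts IPv4 and
# IPv6 literals only, which is what an nginx access line carries there.
HOST_RE = r"(?P<host>[0-9a-fA-F.:]+)"

# The three failregex lines from the filter.d files above, <HOST> expanded.
FILTERS = {
    "wplogin": r"^.*nginxaccess:\s[\w\-.^_]+\s<HOST>\s.*POST.*wp-login",
    "wpauthor": r"^.*nginxaccess:\s[\w\-.^_]+\s<HOST>\s.*GET.*/\?author=[0-9]+",
    "xmlrpc": r"^.*nginxaccess:\s[\w\-.^_]+\s<HOST>\s.*POST.*xmlrpc.php",
}
COMPILED = {name: re.compile(p.replace("<HOST>", HOST_RE)) for name, p in FILTERS.items()}

# Jail parameters copied from the jail.conf stanzas above.
JAILS = {
    "wplogin": {"maxretry": 5, "findtime": 60, "bantime": 86400},
    "wpauthor": {"maxretry": 5, "findtime": 120, "bantime": 86400},
    "xmlrpc": {"maxretry": 5, "findtime": 60, "bantime": 86400},
}

# Constructed syslog lines in the shape the regexes imply (addresses are
# documentation ranges; the web server is called "web1" here).
SAMPLE_LOG = [
    'Jan 10 12:00:01 web1 nginxaccess: web1 203.0.113.5 - - "POST /wp-login.php HTTP/1.1" 200',
    'Jan 10 12:00:05 web1 nginxaccess: web1 203.0.113.5 - - "POST /wp-login.php HTTP/1.1" 200',
    'Jan 10 12:00:09 web1 nginxaccess: web1 198.51.100.7 - - "GET /wp-login.php HTTP/1.1" 200',
    'Jan 10 12:00:12 web1 nginxaccess: web1 203.0.113.5 - - "POST /wp-login.php HTTP/1.1" 200',
    'Jan 10 12:00:20 web1 nginxaccess: web1 192.0.2.9 - - "GET /?author=1 HTTP/1.1" 301',
    'Jan 10 12:00:25 web1 nginxaccess: web1 203.0.113.5 - - "POST /wp-login.php HTTP/1.1" 200',
    'Jan 10 12:00:31 web1 nginxaccess: web1 203.0.113.5 - - "POST /wp-login.php HTTP/1.1" 200',
    'Jan 10 12:00:40 web1 nginxaccess: web1 192.0.2.9 - - "GET /?author=2 HTTP/1.1" 301',
    'Jan 10 12:00:50 web1 nginxaccess: web1 203.0.113.5 - - "POST /wp-login.php HTTP/1.1" 200',
    'Jan 10 12:01:00 web1 nginxaccess: web1 192.0.2.9 - - "GET /?author=3 HTTP/1.1" 301',
    'Jan 10 12:01:20 web1 nginxaccess: web1 192.0.2.9 - - "GET /?author=4 HTTP/1.1" 301',
    'Jan 10 12:01:40 web1 nginxaccess: web1 192.0.2.9 - - "GET /?author=5 HTTP/1.1" 301',
    'Jan 10 12:03:00 web1 nginxaccess: web1 198.51.100.7 - - "POST /wp-login.php HTTP/1.1" 302',
    'Jan 10 12:04:00 web1 nginxaccess: web1 198.51.100.7 - - "POST /xmlrpc.php HTTP/1.1" 200',
    'Jan 10 12:05:00 web1 nginxaccess: web1 198.51.100.7 - - "POST /wp-login.php HTTP/1.1" 302',
    'Jan 10 12:07:00 web1 nginxaccess: web1 198.51.100.7 - - "POST /wp-login.php HTTP/1.1" 302',
]


def parse_line(line):
    """Return (timestamp, jail, host) if the line matches one filter, else None."""
    # syslog timestamps carry no year; 2024 is assumed for this example
    ts = datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=2024)
    for jail, rx in COMPILED.items():
        m = rx.match(line)
        if m:
            return ts, jail, m.group("host")
    return None


def simulate(lines, jails=JAILS):
    """Replay lines through the jails with fail2ban-style counting.

    A host is banned once it has maxretry matches inside the last findtime
    seconds; the ban lasts bantime seconds. Returns {jail: {host: ban expiry}}.
    """
    window = defaultdict(lambda: defaultdict(deque))  # jail -> host -> recent hit times
    bans = defaultdict(dict)                          # jail -> host -> expiry
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, jail, host = parsed
        p = jails[jail]
        if host in bans[jail]:
            if ts < bans[jail][host]:
                # Still banned: as the page describes, a further request restarts the timer.
                bans[jail][host] = ts + timedelta(seconds=p["bantime"])
                continue
            del bans[jail][host]  # ban expired; start counting afresh
        q = window[jail][host]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > p["findtime"]:
            q.popleft()  # drop hits that fell out of the findtime window
        if len(q) >= p["maxretry"]:
            bans[jail][host] = ts + timedelta(seconds=p["bantime"])
            q.clear()
    return {jail: dict(hosts) for jail, hosts in bans.items()}


def banned_hosts(lines, jails=JAILS):
    """Convenience view: jail -> sorted list of banned hosts (empty list if none)."""
    bans = simulate(lines, jails)
    return {jail: sorted(bans.get(jail, {})) for jail in jails}


if __name__ == "__main__":
    for jail, expiry in simulate(SAMPLE_LOG).items():
        for host, until in expiry.items():
            print(f"[{jail}] ban {host} until {until}")
```

Two things the replay makes visible: the wp-login regex matches every POST to wp-login.php, successful or not, so your own logins count against maxretry just like a scanner's, which is why normal usage has to stay under the threshold; and the three jails count independently, so a host is banned per jail. To check the real filter against the real log, fail2ban ships fail2ban-regex, e.g. fail2ban-regex /var/log/syslog /etc/fail2ban/filter.d/wp-login.conf, which reports how many lines match, and fail2ban-client status wplogin shows a jail's current bans. Note also that the xmlrpc.conf shown above omits the [INCLUDES] section the other two filters have; since its failregex is self-contained this still works. Keeping the jail stanzas in jail.local rather than jail.conf avoids losing them when the package is upgraded, as fail2ban reads jail.local as an override of jail.conf.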

Need more help?

This works on my NVA (Nginx, Varnish, Apache) setup, which is a bit different from the vanilla installation.