how to protect Wordpress login with fail2ban

bad_brain
Site Owner
Posts: 11636
Joined: 06 Apr 2005, 16:00
Location: In your eye floaters.

how to protect Wordpress login with fail2ban

Post by bad_brain »

here's the scenario:
you have a whole bunch of Wordpress sites hosted on your server, and because it's widely used (most likely even #1 of CMS platforms) it's attacked a lot...especially with lots of silly login attempts. first of all you can't trust that your customers always use secure passwords, and then you also can't expect them to install (AND update!) plugins to secure their sites from multiple login attempts...well, ok, some hosts do that, but I am against forcing people to install stuff.

now here's the solution: use fail2ban. often the fail2ban rules are a bit of a pain in the rear to set up, but with Wordpress you can actually do it really simply.
what does every login attempt have in common? right: a POST to wp-login.php.

so, set up a rule for that, name the file wordpress-login.conf (for example), and place it in /etc/fail2ban/filter.d (Debian that is, the path might differ on other distros).
the rule is:

Code:

[Definition]
# <HOST> is fail2ban's placeholder for the client address; the rest matches
# the request field of an Apache combined-log line for a login attempt
failregex = <HOST>.*] "POST /wp-login.php
ignoreregex =
next enable the rule in /etc/fail2ban/jail.conf:

Code:

[wordpress-login]
enabled = true
port = http,https
filter = wordpress-login
# the wildcard picks up the combined log of every vhost
logpath = /var/log/apache2/*-combined.log
# ban after maxretry matches inside one findtime window (fail2ban reads findtime as seconds)
maxretry = 3
findtime = 120
and here you can do a little trick by using a wildcard in the log path (you might have to adjust it for your log names)...that way you can fetch the logs for ALL websites hosted at once, so you only have to set up ONE rule to secure all sites...nifty, isn't it?
the rest should be self-explanatory...max. 3 login attempts within 120 minutes, then ban.

and voila: enjoy your logs getting a little slimmer again... :)
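fail2ban evaluates failregex with Python's re module, so the filter and the jail's counting can be replayed offline before the jail is enabled. The script below is an added example, not code from the post: it expands <HOST> to a plain IPv4 capture (an assumption; fail2ban's real <HOST> also handles IPv6 and hostnames), runs the post's regex over a few constructed Apache combined-log lines, and applies the maxretry/findtime rule, with findtime taken in seconds as fail2ban does.

```python
import re
from collections import defaultdict
from datetime import datetime

# The post's failregex, with fail2ban's <HOST> tag expanded to a plain IPv4
# capture (an assumption for this example; real fail2ban's <HOST> also
# covers IPv6 and hostnames).
FAILREGEX = r'<HOST>.*] "POST /wp-login.php'
PATTERN = re.compile(FAILREGEX.replace('<HOST>', r'(?P<host>\d{1,3}(?:\.\d{1,3}){3})'))
TIME_RE = re.compile(r'\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]')

MAXRETRY = 3
FINDTIME = 120  # fail2ban reads findtime as seconds, not minutes

# Constructed Apache combined-log lines (documentation IPs, not real traffic):
# one client hammers wp-login.php within a minute, the other spaces its
# attempts ten minutes apart and also does a harmless GET of the login page.
SAMPLE_LOG = """\
203.0.113.5 - - [08/Jun/2014:05:14:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.5 - - [08/Jun/2014:05:14:20 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.9 - - [08/Jun/2014:05:14:30 +0000] "GET /wp-login.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
203.0.113.5 - - [08/Jun/2014:05:14:45 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.9 - - [08/Jun/2014:05:20:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [08/Jun/2014:05:30:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [08/Jun/2014:05:40:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

def matches(line):
    """Return the client address if the line matches the filter, else None."""
    m = PATTERN.search(line)
    return m.group('host') if m else None

def would_ban(log_text, maxretry=MAXRETRY, findtime=FINDTIME):
    """Replay log lines through the filter and return the set of hosts that
    reach maxretry matching lines inside any findtime-second window."""
    recent = defaultdict(list)  # host -> timestamps of matches still in window
    banned = set()
    for line in log_text.splitlines():
        host = matches(line)
        if host is None:
            continue
        ts = datetime.strptime(TIME_RE.search(line).group(1), '%d/%b/%Y:%H:%M:%S')
        # keep only matches no older than findtime relative to this one
        recent[host] = [t for t in recent[host] + [ts] if (ts - t).total_seconds() <= findtime]
        if len(recent[host]) >= maxretry:
            banned.add(host)
    return banned
```

With the post's settings only the fast client is banned; raising findtime to 7200 (120 minutes) also catches the slow one, which is the difference between the two units.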

ayu
Staff
Posts: 8109
Joined: 27 Aug 2005, 16:00

Re: how to protect Wordpress login with fail2ban

Post by ayu »

ah sweet! :)

Might try this later once my server gets back up :)
"The best place to hide a tree, is in a forest"

bad_brain
Site Owner
Posts: 11636
Joined: 06 Apr 2005, 16:00
Location: In your eye floaters.

Re: how to protect Wordpress login with fail2ban

Post by bad_brain »

works like a charm:

Code:

2014-06-08 05:14:17,109 fail2ban.actions: WARNING [wordpress-login] Ban 173.232.104.157
2014-06-08 05:24:17,756 fail2ban.actions: WARNING [wordpress-login] Unban 173.232.104.157
2014-06-08 05:38:15,660 fail2ban.actions: WARNING [wordpress-login] Ban 217.137.225.153
2014-06-08 05:39:00,718 fail2ban.actions: WARNING [wordpress-login] Ban 84.18.132.17
2014-06-08 05:39:36,766 fail2ban.actions: WARNING [wordpress-login] Ban 177.32.126.195
2014-06-08 05:40:03,803 fail2ban.actions: WARNING [wordpress-login] Ban 200.193.237.107
2014-06-08 05:48:16,331 fail2ban.actions: WARNING [wordpress-login] Unban 217.137.225.153
2014-06-08 05:49:01,389 fail2ban.actions: WARNING [wordpress-login] Unban 84.18.132.17
2014-06-08 05:49:37,437 fail2ban.actions: WARNING [wordpress-login] Unban 177.32.126.195
2014-06-08 05:50:04,475 fail2ban.actions: WARNING [wordpress-login] Unban 200.193.237.107
2014-06-08 06:20:25,412 fail2ban.actions: WARNING [wordpress-login] Ban 201.99.5.199
:)

bad_brain
Site Owner
Posts: 11636
Joined: 06 Apr 2005, 16:00
Location: In your eye floaters.

Re: how to protect Wordpress login with fail2ban

Post by bad_brain »

just a normal day on a server with ~50 WP sites:

http://code.suck-o.com/42563

maboroshi
Dr. Mab
Posts: 1624
Joined: 28 Aug 2005, 16:00

Re: how to protect Wordpress login with fail2ban

Post by maboroshi »

Oh this looks interesting.

I wonder if it would work the same with web2py admin pages as well as login pages for users, seeing as the logins for users will always direct to the controller HOST/default_controller/user/login ... e.g. HOST/user/login

Nice one bad_brain and very useful

*cheers

Mabo

bad_brain
Site Owner
Posts: 11636
Joined: 06 Apr 2005, 16:00
Location: In your eye floaters.

Re: how to protect Wordpress login with fail2ban

Post by bad_brain »

sure, should work the same way! a login is always a POST request, so you can filter the logs by simply adjusting the URL pattern... :D