Get the script kiddies out of your server with Fail2Ban services.

Fail2ban is a popular intrusion prevention tool written in Python that protects your server from single-source brute-force attacks: it scans log files for repeated failures coming from one IP address and bans that address with a firewall rule for a set time. By default it watches your SSH service on port 22, but it can do much more. You can find many filters on the web, or write your own, that match a specific set of patterns in some log. Fail2ban can also be set up to block the IP addresses of people trying to brute-force the login of your WordPress website.

Fail2ban (F2B) is easy to install, just use APT in a shell prompt:

apt-get update && apt-get install fail2ban -y

F2B installs a few scripts and a daemon that is started at boot. Out of the box it knows nothing about WordPress, so you have to configure F2B for it: make WordPress log what it sees (failed logins, login bots and similar abuse) and give F2B a filter that recognizes those log lines.

So, first of all we will make WordPress log all authentication events to the system authentication log (the auth log, on Ubuntu found in /var/log/auth.log). You could write your own plugin, but the WP fail2ban plugin does exactly this and has a few other useful features. Install and activate it and, without any more fuss, WordPress will log every authentication event through syslog, into the same file F2B already watches for SSH.

Note that if your site sits behind a reverse proxy (or a CDN), it is extremely important that you set the WP_FAIL2BAN_PROXIES constant in wp-config.php. Without it, every failed login is logged with the proxy's address as the source, so F2B ends up banning your proxy and blocking all incoming requests from everybody. Read the plugin's FAQ for the details.

Configuration of Filter.d

Fail2ban keeps two kinds of configuration. Filters, the regular expressions that recognize bad log lines, live in /etc/fail2ban/filter.d. Jails, which tie a filter to a log file, a port and a ban policy, are defined in /etc/fail2ban/jail.conf, with your own settings in /etc/fail2ban/jail.local. Most jails are disabled and there is no jail for WordPress, so let's make one by adding this section to jail.local (at the bottom, or next to the other HTTP services):

[wordpress]
enabled = true
port = http,https
filter = wordpress
logpath = /var/log/auth.log
maxretry = 5
bantime = 3600

The filter name must match a file in filter.d (wordpress.conf, see below), and logpath must point at the log the plugin actually writes to: the auth log from the previous step, not the Nginx access log, which never sees the plugin's messages. maxretry and bantime here override whatever [DEFAULT] says, so five failures from one address in the default findtime window get that address banned for an hour.

With filter = wordpress, fail2ban looks for /etc/fail2ban/filter.d/wordpress.conf, the file with all the WordPress rules (the failregex lines). The WP fail2ban plugin ships a ready-made wordpress.conf in its install directory (the plugin directory carries the same wp-fail2ban name as the download URL below), so copy that file into the F2B filter directory. Copy rather than move, so the plugin directory stays intact:

cp /var/www/Wordpress/wp-content/plugins/wp-fail2ban/wordpress.conf /etc/fail2ban/filter.d/

Option 2 is to download just this file straight from the plugin repository into your F2B filter directory (the repository also answers over https, which is the better choice). Whichever way you get it, read the file before enabling it: it is the set of regular expressions that decides who gets banned.

cd /etc/fail2ban/filter.d 
wget http://plugins.svn.wordpress.org/wp-fail2ban/trunk/wordpress.conf

Keep your site-specific settings in jail.local. Don't throw too much into wordpress.conf or jail.conf, because those files can be overwritten by an update (of the plugin or of fail2ban); jail.local is read after jail.conf, wins on every setting it contains, and survives upgrades. So instead of editing the shipped files, put your local rules in /etc/fail2ban/jail.local, like:

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1 192.168.0.99
bantime  = 600
maxretry = 3

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto".
# yoh: For some reason Debian shipped python-gamin didn't work as expected
#      This issue left ToDo, so polling is default backend for now
backend = polling

#
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = root@localhost

# Default action to take: ban only
action = iptables[name=%(__name__)s, port=%(port)s]

[postfix]

enabled  = false
port     = smtp
filter   = postfix
logpath  = /var/log/mail.log
maxretry = 5

[nginx-http-auth]

enabled  = true
filter   = nginx-http-auth
port     = http,https
logpath  = /var/log/nginx/error.log

You can find good complete examples online; DigitalOcean's tutorials, for instance, have one for Nginx (the web server I use).

Enable fail2ban

Save your files and restart (or reload) the fail2ban service with:

/etc/init.d/fail2ban restart
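To make visible what the wordpress jail is now doing with the auth log, here is a small Python emulation. It is an added example, not code from this page nor from the fail2ban or WP fail2ban projects: it uses a regex shaped like the plugin's "Authentication failure for <user> from <ip>" messages in place of the real failregex in wordpress.conf, feeds it a constructed sample of /var/log/auth.log, and applies maxretry, findtime and ignoreip the way a jail does. The host names, addresses, process IDs and log lines are made up, the message format is assumed from the plugin, and a year is assumed because syslog timestamps omit it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Shape of the lines the WP fail2ban plugin writes to the auth log via syslog
# (assumed from the plugin's message format; the authoritative failregex is the
# one in /etc/fail2ban/filter.d/wordpress.conf). Example of a matching line:
#   Mar 12 10:00:05 web1 wordpress(example.com)[2201]: Authentication failure for admin from 203.0.113.5
FAILREGEX = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) \S+ wordpress\([^)]*\)(?:\[\d+\])?: "
    r"(?:Authentication failure|Blocked authentication attempt) for \S+ from (?P<host>\S+)$"
)

# Constructed sample of /var/log/auth.log. Attacker addresses come from the
# documentation ranges 203.0.113.0/24 and 198.51.100.0/24; 192.168.0.99 is the
# ignoreip host from the jail.local above. syslog lines carry no year, so assume one.
LOG_YEAR = 2024
SAMPLE_LOG = """\
Mar 12 10:00:01 web1 sshd[4011]: Failed password for root from 198.51.100.9 port 51012 ssh2
Mar 12 10:00:05 web1 wordpress(example.com)[2201]: Authentication failure for admin from 203.0.113.5
Mar 12 10:00:07 web1 wordpress(example.com)[2201]: Authentication failure for admin from 203.0.113.5
Mar 12 10:00:09 web1 wordpress(example.com)[2201]: Blocked authentication attempt for admin from 203.0.113.5
Mar 12 10:00:11 web1 wordpress(example.com)[2203]: Authentication failure for editor from 203.0.113.5
Mar 12 10:00:12 web1 wordpress(example.com)[2203]: Authentication failure for editor from 203.0.113.5
Mar 12 10:00:20 web1 wordpress(example.com)[2203]: Authentication failure for bob from 192.168.0.99
Mar 12 10:00:21 web1 wordpress(example.com)[2203]: Authentication failure for bob from 192.168.0.99
Mar 12 10:00:22 web1 wordpress(example.com)[2203]: Authentication failure for bob from 192.168.0.99
Mar 12 10:00:23 web1 wordpress(example.com)[2203]: Authentication failure for bob from 192.168.0.99
Mar 12 10:00:24 web1 wordpress(example.com)[2203]: Authentication failure for bob from 192.168.0.99
Mar 12 10:30:00 web1 wordpress(example.com)[2205]: Authentication failure for alice from 198.51.100.7
Mar 12 10:41:00 web1 wordpress(example.com)[2205]: Authentication failure for alice from 198.51.100.7
Mar 12 10:52:00 web1 wordpress(example.com)[2205]: Authentication failure for alice from 198.51.100.7
Mar 12 11:03:00 web1 wordpress(example.com)[2205]: Authentication failure for alice from 198.51.100.7
Mar 12 11:14:00 web1 wordpress(example.com)[2205]: Authentication failure for alice from 198.51.100.7
"""

# The same kind of attack seen behind a reverse proxy with WP_FAIL2BAN_PROXIES
# unset: every line names the proxy (10.0.0.2, constructed) as the source.
PROXY_LOG = """\
Mar 12 10:00:05 web1 wordpress(example.com)[2201]: Authentication failure for admin from 10.0.0.2
Mar 12 10:00:07 web1 wordpress(example.com)[2201]: Authentication failure for root from 10.0.0.2
Mar 12 10:00:09 web1 wordpress(example.com)[2201]: Authentication failure for test from 10.0.0.2
Mar 12 10:00:11 web1 wordpress(example.com)[2201]: Authentication failure for admin from 10.0.0.2
Mar 12 10:00:12 web1 wordpress(example.com)[2201]: Authentication failure for admin from 10.0.0.2
"""


def parse_failure(line):
    """Return (timestamp, source host) for a WordPress auth failure, None for any other line."""
    m = FAILREGEX.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("host")


def offenders(lines, maxretry=5, findtime=600, ignoreip=()):
    """Emulate a jail's counting: a host is banned once it has `maxretry`
    failures inside any `findtime`-second window; hosts in ignoreip never are.
    Returns the hosts to ban, in the order the decision was made."""
    recent = defaultdict(deque)   # host -> failure timestamps still inside the window
    banned = []
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue                # not this filter's business (sshd, cron, ...)
        ts, host = parsed
        if host in ignoreip or host in banned:
            continue
        window = recent[host]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()        # forget failures that fell out of findtime
        if len(window) >= maxretry:
            banned.append(host)     # this is where fail2ban would run the ban action
    return banned


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("jail.local defaults:", offenders(lines, maxretry=5, findtime=600, ignoreip=("127.0.0.1", "192.168.0.99")))
    print("no ignoreip:        ", offenders(lines, maxretry=5, findtime=600))
    print("findtime = 1 hour:  ", offenders(lines, maxretry=5, findtime=3600))
    print("behind a proxy:     ", offenders(PROXY_LOG.splitlines()))
```

Running it shows three things the configuration above leaves implicit. maxretry counts per source address, not per user name, so the attacker rotating admin and editor still gets banned on the fifth attempt. findtime (600 seconds, the jail.conf default the jail.local above does not override) decides whether slow, spread-out attempts count at all: the host trying once every eleven minutes is never banned until the window is widened to an hour. And an address in ignoreip is never banned however hard it tries. The proxy sample is the failure mode from the WP_FAIL2BAN_PROXIES note: every client shares the proxy's address, so the first five failures ban the proxy, and putting the proxy in ignoreip only switches the jail off for everybody; the real fix is setting the constant so the plugin logs the client's address. On the server itself the equivalent checks are `fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/wordpress.conf`, which reports how many lines the real filter matches, and `fail2ban-client status wordpress` after the restart, which lists the jail's current bans.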