Block admin login page attack using Fail2ban

29 / Jul / 2015 by Prashant Sharma

Recently on my project, someone ran a brute-force attack against the WordPress login page from multiple IPs. As a first response, we blocked those IPs in the Nginx configuration, and later we realized it would be better to do it through iptables. However, this was not enough, because it needed manual intervention on a daily basis, and things kept getting worse.

Later, we realized that we could block the IPs dynamically using Fail2ban, which can monitor the Nginx logs. For more details and an installation guide, please refer to the blog written by Tej Prakash Sharma.

Use Case: if any single IP makes 10 POST calls to wp-login.php within 60 seconds, block that IP in iptables for 20 minutes and send an email listing the banned IP. When that duration has elapsed, unblock the IP automatically.

Here are the prerequisites before we can block attacks on the WordPress login page:

  • Install and configure fail2ban
  • Configure an MTA such as postfix or sendmail (needed for the email notification)

In this article, we give step-by-step instructions to block IPs using Fail2ban. To do so, we need to follow these steps:

Create Filter

  • We have to create a filter, which holds the regular expression fail2ban uses when it scans the Nginx logs for POST calls to wp-login.php.
  • Create the filter file under /etc/fail2ban/filter.d/ with a name like wp-login.conf, and write the regular expression to match the POST calls to wp-login.php in your log format. <HOST> is fail2ban's placeholder for the client address and is replaced by its own host pattern when the filter is loaded; with the default Nginx combined log format the client address is the first field, which is what the regex below assumes. Here is an example of an Nginx log line and of the filter file.
  • Two things to keep in mind: the regex counts every POST to wp-login.php, successful logins included (the sample line below is the 302 redirect after a login), so a legitimate user who logs in repeatedly within the findtime window will also be banned; that is what ignoreip is for. And if Nginx sits behind a load balancer or CDN, the first field of the log is the proxy's address, so log the real client address (for example with the realip module) before enabling this filter, or you will ban your own proxy.

      Log format

52.2.5.129 - - [27/Jul/2015:13:14:11 +0530] "POST /wp-login.php HTTP/1.1" 302 5 "http://localhost/wp-login.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.89 Safari/537.36"  

      Syntax of file wp-login.conf

[Definition]
failregex = ^<HOST> -.* "POST /wp-login\.php .*
ignoreregex =
  • Now test that the regular expression catches the POST calls by running it against the real log:

fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/wp-login.conf

  • The output reports how many lines matched. If it reports 0 matches, adjust the regex to your log_format before enabling the jail, because a jail with a non-matching filter silently bans nobody.

Jail.conf Rule

  • Now add the jail to /etc/fail2ban/jail.conf (or, preferably, to /etc/fail2ban/jail.local, which overrides jail.conf and is not overwritten by package upgrades). Here is an example jail. Note that the filter name must match the filter file created above (wp-login, not wp-auth), that the second action line is indented so it is parsed as a continuation of the action value, and that the plain iptables action accepts a single port only, so for "http,https" the iptables-multiport action is needed:

[wp-login]
enabled  = true
filter   = wp-login
action   = iptables-multiport[name=wp-login, port="http,https", protocol=tcp]
           sendmail-whois[name=wp-login, dest=prashant.sharma@tothenew.com, sender=fail2ban@tothenew.com]
logpath  = /var/log/nginx/access.log
bantime  = 1200
findtime = 60
ignoreip = 11.11.111.11/32 82.82.82.87/32
maxretry = 10

Attributes explanation

enabled: the wp-login jail is active.
filter: name of the filter file (without .conf) under /etc/fail2ban/filter.d that the jail uses to detect matches; it must be the wp-login.conf file created above. Each log line matched by the filter increments the counter for that IP.
action: one or more actions that run when an IP is banned and again when it is unbanned. iptables-multiport inserts an iptables rule that drops traffic from the banned IP to the http and https ports; the rules live in a chain named fail2ban-<name>, here fail2ban-wp-login. sendmail-whois additionally emails the configured address with the banned IP and its whois record. Both actions are reverted automatically when the ban expires.
logpath: path to the log file that is fed to the filter.
bantime: how long (in seconds) the IP stays banned; 1200 is the 20 minutes of our use case.
findtime: the window (in seconds) in which matches are counted; a match older than findtime no longer counts towards the threshold.
maxretry: number of matches within findtime that triggers a ban; 10 here, to match the use case.
ignoreip: addresses or networks that are never banned, such as office or monitoring IPs.
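To make the filter and the jail attributes concrete, here is an added example that replays the failregex and the findtime/maxretry/bantime/ignoreip rules in Python over constructed log lines in the format shown above. It is not fail2ban's code and not from the original post: it assumes a plain IPv4 pattern in place of fail2ban's richer <HOST> expansion, and the attacker, office and slow-attacker addresses are invented. It shows that a 302 redirect after a successful login still counts, that an ignoreip entry is never banned, that a banned host starts counting afresh after bantime, and that a slow attacker posting once every 30 seconds never reaches maxretry = 10 inside a 60-second findtime but is banned at maxretry = 3.

```python
"""Model of the wp-login jail: failregex plus findtime/maxretry/bantime/ignoreip.

Added example, not fail2ban's own code. fail2ban expands <HOST> to a rich
host pattern; here a plain IPv4 group stands in for it (assumption).
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# failregex from the wp-login.conf filter, with the "." before php escaped so it matches literally.
FAILREGEX = r'^<HOST> -.* "POST /wp-login\.php .*'
HOST_GROUP = r'(?P<host>\d{1,3}(?:\.\d{1,3}){3})'  # simplified stand-in for <HOST>
FAIL_RE = re.compile(FAILREGEX.replace('<HOST>', HOST_GROUP))
TS_RE = re.compile(r'\[([^\]]+)\]')                 # the [date] field of the combined log


def match_line(line):
    """Return (host, timestamp) when the line matches failregex, else None."""
    m = FAIL_RE.match(line)
    if m is None:
        return None
    stamp = datetime.strptime(TS_RE.search(line).group(1), '%d/%b/%Y:%H:%M:%S %z')
    return m.group('host'), stamp


class Jail:
    """Minimal model of how a fail2ban jail counts matches and bans hosts."""

    def __init__(self, maxretry=10, findtime=60, bantime=1200, ignoreip=()):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.ignoreip = [ipaddress.ip_network(net) for net in ignoreip]
        self.hits = defaultdict(deque)  # host -> match times inside the findtime window
        self.bans = {}                  # host -> time the ban expires
        self.ban_log = []               # (host, time banned), in order of banning

    def ignored(self, host):
        ip = ipaddress.ip_address(host)
        return any(ip in net for net in self.ignoreip)

    def feed(self, line):
        """Process one log line; return 'ban', 'match', 'banned', 'ignored' or None."""
        parsed = match_line(line)
        if parsed is None:
            return None                 # GETs and other URLs are not failures at all
        host, now = parsed
        if self.ignored(host):
            return 'ignored'            # ignoreip: never counted, never banned
        if host in self.bans:
            if now < self.bans[host]:
                return 'banned'         # still banned; iptables would have dropped this
            del self.bans[host]         # bantime elapsed: unban and start counting afresh
        window = self.hits[host]
        window.append(now)
        while (now - window[0]).total_seconds() > self.findtime:
            window.popleft()            # only matches in the last findtime seconds count
        if len(window) >= self.maxretry:
            self.bans[host] = now + timedelta(seconds=self.bantime)
            self.ban_log.append((host, now))
            window.clear()
            return 'ban'
        return 'match'


# Constructed sample lines in the Nginx combined format shown above (not real traffic).
IST = timezone(timedelta(hours=5, minutes=30))
T0 = datetime(2015, 7, 27, 13, 14, 11, tzinfo=IST)


def access_line(ip, method, when, status=200):
    stamp = when.strftime('%d/%b/%Y:%H:%M:%S %z')
    return (f'{ip} - - [{stamp}] "{method} /wp-login.php HTTP/1.1" {status} 5 '
            f'"http://localhost/wp-login.php" "Mozilla/5.0"')


def sample_log():
    def sec(n):
        return T0 + timedelta(seconds=n)
    lines = []
    # attacker: 12 POSTs in 12 s; a 302 counts too, the regex looks at the request, not the status
    lines += [access_line('52.2.5.129', 'POST', sec(i), 302) for i in range(12)]
    lines.append(access_line('52.2.5.129', 'GET', sec(0)))          # fetching the form: no match
    lines += [access_line('11.11.111.11', 'POST', sec(i)) for i in range(12)]       # office IP, in ignoreip
    lines += [access_line('198.51.100.7', 'POST', sec(30 * i)) for i in range(12)]  # one POST every 30 s
    lines.append(access_line('52.2.5.129', 'POST', sec(1300)))     # attacker back after bantime
    return lines


def run_demo(lines=None, maxretry=10, findtime=60, bantime=1200,
             ignoreip=('11.11.111.11/32', '82.82.82.87/32')):
    """Feed the log through a jail; return (hosts banned, in order; per-line verdicts)."""
    jail = Jail(maxretry, findtime, bantime, ignoreip)
    verdicts = [jail.feed(line) for line in (sample_log() if lines is None else lines)]
    return [host for host, _ in jail.ban_log], verdicts


if __name__ == '__main__':
    banned, verdicts = run_demo()
    print('banned with maxretry=10:', banned)
    print('banned with maxretry=3 and no ignoreip:', run_demo(maxretry=3, ignoreip=())[0])
```

Run it with python3; the first line prints only the fast attacker, the second shows that with the original maxretry = 3 the office IP (once removed from ignoreip) and the slow attacker are banned as well, which is the trade-off to weigh when choosing the threshold.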

Last step, restart the fail2ban service so it loads the new filter and jail:

service fail2ban restart

Then verify that the jail is running with fail2ban-client status wp-login, which also lists the currently banned IPs, and check the firewall rules with iptables -L fail2ban-wp-login -n. If you need to lift a ban before bantime expires (for example, a colleague's IP), use fail2ban-client set wp-login unbanip <IP>.

Reference:  http://www.fail2ban.org/wiki/index.php

Thanks
Prashant Sharma
