Recently on my project, someone did brute force attack over the login page of WordPress with multiple IPs. In the first response, we have blocked those IP on Nginx conf and later we realized, it would be better if we do it through IPtables. However, this was not enough as we need the manual intervention on the daily basis, hence things were getting worst.
At the later stage, we realized that we can block the IP’s dynamically using Fail2ban which can monitor the Nginx logs. For more details and installation guide please refer the blog written by Tej Prakash Sharma
Use Case: From any IP if there are more than 10 POST call over wp-login.php then Block IP for 20 mins in IPtables and send an email for the same along with IP’s. Then lastly unblock the IP’s which got blocked for that duration.
Here is the prerequisite before we block attacks on WordPress login
- Configure fail2ban
- Configure MTA like postfix or sendmail.
In this article, we will give step-by-step instructions to block IP using Fail2ban. To do so, we need to follow these steps:
- We have to create the filter in which we have to use the regular expression. Using the regular expression fail2ban will monitor the Nginx logs with POST call for wp-login.php
- Create filter file under /etc/fail2ban/filter.d/ with name like wp-login.conf. After that, we will write the regular expression according to the log format to capture the POST call for wp-login.php.Here is the example for both Nginx logs and syntax of the file.
184.108.40.206 - - [27/Jul/2015:13:14:11 +0530] "POST /wp-login.php HTTP/1.1" 302 5 "http://localhost/wp-login.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.89 Safari/537.36"
Syntax of File : wp-login.conf
[Definition] failregex = ^<HOST> -.* "POST /wp-login.php .* ignoreregex =
- Now test If regular expression is able to catch POST call
fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/wp-login.conf
- Now add the rule in /etc/fail2ban/jail.conf. Here is example rule
[wp-login] enabled = true filter = wp-auth action = iptables[name=http, port="http,https", protocol=tcp] sendmail-whois[name=Login.php, firstname.lastname@example.org, email@example.com] logpath = /var/log/nginx/access.log bantime = 1200 findtime = 60 ignoreip = 220.127.116.11/32 18.104.22.168/32 maxretry = 3
enabled: the section wp-login is enabled
action: an action defines several commands which are executed at different moments. In this particular action, Http and Https ports will be monitored and once any of the IP got blocked, an email will be sent.
Filter: Name of the filter to be used by the jail to detect matches. Each single match by a filter increments the counter within the jail
logpath: Path to the log file which is provided to the filter
bantime: Duration (in seconds) for IP to be banned for.
findtime: The counter is set to zero if no match is found within “findtime” seconds.
maxretry: Number of matches
Last step, restart the fail2ban service
service fail2ban restart