{"id":24218,"date":"2015-07-29T23:20:57","date_gmt":"2015-07-29T17:50:57","guid":{"rendered":"http:\/\/www.tothenew.com\/blog\/?p=24218"},"modified":"2017-04-25T10:01:43","modified_gmt":"2017-04-25T04:31:43","slug":"block-admin-login-page-attack-using-fail2ban","status":"publish","type":"post","link":"https:\/\/www.tothenew.com\/blog\/block-admin-login-page-attack-using-fail2ban\/","title":{"rendered":"Block admin login page attack using Fail2ban"},"content":{"rendered":"<p>Recently on my project, someone did a brute force attack over the login page of WordPress with multiple IPs. In the first response, we blocked those IPs in the Nginx conf and later we realized it would be better to do it through IPtables. However, this was not enough, as it needed manual intervention on a daily basis, hence things were getting worse.<\/p>\n<p>At a later stage, we realized that we can block the IPs dynamically using Fail2ban, which can monitor the Nginx logs. For more details and an installation guide, please refer to the blog written by <a href=\"http:\/\/www.tothenew.com\/blog\/blocking-ip-addresses-with-false-intentions-using-fail2ban\/\">Tej Prakash Sharma<\/a>.<\/p>\n<p><strong>Use Case:<\/strong> If any single IP makes more than 10 <span style=\"color: #ffcc00;\">POST<\/span> calls to wp-login.php, block that IP for 20 mins in IPtables and send an email for the same along with the IP. Then, lastly, unblock the IPs that were blocked once that duration has elapsed.<\/p>\n<p>Here are the prerequisites before we block attacks on the WordPress login:<\/p>\n<ul>\n<li>Configure <a href=\"http:\/\/www.tothenew.com\/blog\/fail2ban-port-80-to-protect-sites-from-dos-attacks\/\">fail2ban<\/a>.<\/li>\n<li>Configure an MTA like Postfix or Sendmail.<\/li>\n<\/ul>\n<p>In this article, we will give step-by-step instructions to block IPs using Fail2ban. 
To do so, we need to follow these steps:<\/p>\n<p><span style=\"color: #ffcc00;\"><strong>Create Filter<\/strong><\/span><\/p>\n<ul>\n<li>First we create a filter that contains a regular expression. Using that regular expression, fail2ban will monitor the Nginx logs for POST calls to wp-login.php.<\/li>\n<li>Create the filter file under <strong>\/etc\/fail2ban\/filter.d\/<\/strong> with a name like <strong>wp-login.conf<\/strong>. Then write the regular expression according to the log format so that it captures POST calls to wp-login.php. Here is an example of both an Nginx log line and the syntax of the file.<\/li>\n<\/ul>\n<p><strong>Log format<\/strong><\/p>\n<p>[js]52.2.5.129 - - [27\/Jul\/2015:13:14:11 +0530] &quot;POST \/wp-login.php HTTP\/1.1&quot; 302 5 &quot;http:\/\/localhost\/wp-login.php&quot; &quot;Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/41.0.2272.89 Safari\/537.36&quot;[\/js]<\/p>\n<p><strong>Syntax of File<\/strong>: <strong>wp-login.conf<\/strong><\/p>\n<p>[js][Definition]<br \/>\nfailregex = ^&lt;HOST&gt; -.* &quot;POST \/wp-login.php .*<br \/>\nignoreregex =[\/js]<\/p>\n<p>Note that this expression matches every POST to wp-login.php, whether the login succeeded or not, so trusted addresses should be listed in the ignoreip setting of the jail.<\/p>\n<ul>\n<li>Now test whether the regular expression catches the POST calls:<\/li>\n<\/ul>\n<p>[js]fail2ban-regex \/var\/log\/nginx\/access.log \/etc\/fail2ban\/filter.d\/wp-login.conf[\/js]<\/p>\n<p><strong><span style=\"color: #ffcc00;\">Jail.conf Rule<\/span><\/strong><\/p>\n<ul>\n<li>Now add the rule in <strong>\/etc\/fail2ban\/jail.conf<\/strong>. 
Here is an example rule:<\/li>\n<\/ul>\n<p>[js][wp-login]<br \/>\nenabled = true<br \/>\nfilter = wp-login<br \/>\naction = iptables[name=http, port=&quot;http,https&quot;, protocol=tcp]<br \/>\n         sendmail-whois[name=Login.php, dest=prashant.sharma@tothenew.com, sender=fail2ban@tothenew.com]<br \/>\nlogpath = \/var\/log\/nginx\/access.log<br \/>\nbantime = 1200<br \/>\nfindtime = 60<br \/>\nignoreip = 11.11.111.11\/32 82.82.82.87\/32<br \/>\nmaxretry = 3[\/js]<\/p>\n<p><strong>Attributes explanation<\/strong><\/p>\n<p><strong>enabled:<\/strong> the jail section wp-login is enabled.<br \/>\n<strong>action:<\/strong> an action defines several commands which are executed at different moments. In this particular action, the offending IP is blocked in IPtables on the HTTP and HTTPS ports, and once an IP gets blocked, an email with its whois information is sent. The second action line is indented so that it continues the action value.<br \/>\n<strong>filter:<\/strong> name of the filter (the file in filter.d without the .conf extension) used by the jail to detect matches; it must match the filter file created above, so here it is wp-login. Each single match by the filter increments the counter within the jail.<br \/>\n<strong>logpath:<\/strong> path to the log file which is provided to the filter.<br \/>\n<strong>bantime:<\/strong> duration (in seconds) for which the IP is banned.<br \/>\n<strong>findtime:<\/strong> the counter is set to zero if no match is found within &#8220;findtime&#8221; seconds.<br \/>\n<strong>maxretry:<\/strong> number of matches within findtime after which the IP is banned.<br \/>\n<strong>ignoreip:<\/strong> addresses or networks that are never banned, such as your own office IPs.<\/p>\n<p><span style=\"color: #ffcc00;\"><strong>Last step, restart the fail2ban service<\/strong><\/span><\/p>\n<p>[js]service fail2ban restart[\/js]<\/p>\n<p>Reference: http:\/\/www.fail2ban.org\/wiki\/index.php<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Recently on my project, someone did brute\u00a0force attack over the login page of WordPress with\u00a0multiple\u00a0IPs. 
In the first response, we have blocked those IP on Nginx conf and later we realized, it would be better if we do it through IPtables. However, this was not enough as we need the manual intervention on the daily [&hellip;]<\/p>\n","protected":false},"author":120,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"iawp_total_views":24},"categories":[1174,1],"tags":[521,1714,1877],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts\/24218"}],"collection":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/users\/120"}],"replies":[{"embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/comments?post=24218"}],"version-history":[{"count":0,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts\/24218\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/media?parent=24218"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/categories?post=24218"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/tags?post=24218"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}