Re: [bitfolk] Security incident: Wordpress compromise

Author: Jan Henkins
Date:  
To: users
Subject: Re: [bitfolk] Security incident: Wordpress compromise
Hello Ian and all

On 04/10/15 21:09, Ian wrote:
> Rodrigo Campos said:
>
>> wp-fail2ban can be used with IPv4, IPv6 and doesn't take into account
>> the login
>> that worked ok. So, no need to the the trick described there with so
>> many
>> disadvantages.
>
> Pointing fail2ban at any access of wp-login.php?
>
> Apart from expecting that people can get their own password right
> within a few tries, I am not sure what the 'so many disadvantages' are.



I have tested the fail2ban idea as set out in the WIKI article[1], but
did not have any luck with it. What Rodrigo actually pointed out is that
there is a plugin for WP called "wp fail2ban", which actually works
rather well. The "many disadvantages" he referred to are also not
completely clear to me, but I can verify that I did *not* manage to make
the WIKI recipe work for me (it doesn't mean that it's broken advice,
just that I did not hack enough at it to make it work properly, so the
failure should be seen as mine).

I like the WP Fail2ban plugin[2] mentioned by Rodrigo (I use it on at
least 9 sites I administer), and it is actually a bit of a pity that the
logging facility that it provides isn't part of the standard Wordpress
framework. In short, what it does is to inject log entries via syslog
into /var/log/auth.log that look like the following:

    Oct 17 20:59:54 foobar wordpress(www.example.com)[1234]: Authentication failure for admin from 192.168.0.1
    Oct 17 21:00:00 foobar wordpress(www.example.com)[2345]: Accepted password for admin from 192.168.0.1


Very simple, it does not do anything more than that. It leaves the
blocking maintenance features to fail2ban. Quite handily, it comes with
a ready-made filter file (a file called wordpress.conf, search for it in
the plugin folder under wp-content) that you can copy to your
"/etc/fail2ban/filter.d" folder, and refer to in your jail file with
something akin to this:

---start---
[wordpress]

enabled = true
port    = http
filter  = wordpress
logpath  = /var/log/auth.log
maxretry = 10
---end---


There is one issue with this plug-in: last update was 11 months ago, and
the last confirmed WP version it was officially tested against was
4.0.8. Still, I can confirm that it still works absolutely fine with my
WP 4.3.1 installs, and at least two other people also reported that it
does so for them too. A plus about this plugin is its simplicity, which
thankfully makes the PHP code quite clear to read and understand
(even by myself, who cannot claim any real PHP proficiency).


>
> If you are in control of all of the WordPress setups, fine, remember
> to install a plugin on them all and hope the author(s) keep it up to
> date.



Yes, this is always a concern with third-party plugins. In the not too
distant past I had to retire useful plugins for exactly this reason.


>
> If you're not, trying to keep track of who's (un)installed it and who
> hasn't is a never-ending source of fun.


Quite! :-)


[1] Wordpress WIKI article: https://tools.bitfolk.com/wiki/WordPress_setup
[2] WP Fail2ban: https://wordpress.org/plugins/wp-fail2ban/

--

Regards,
Jan Henkins
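As an added illustration (not part of this thread, and not the plugin's own code), the Python below models how the [wordpress] jail shown earlier would react to the log lines the plugin writes: a regex in the shape of a fail2ban failregex for those lines is run over constructed auth.log entries, and a host is marked for banning once it reaches maxretry failures within findtime seconds. The regex, the findtime value and the sample IP addresses are assumptions for the demo, not a copy of the plugin's wordpress.conf.

```python
import re
from collections import defaultdict
from datetime import datetime

# Regex modelled on the wp-fail2ban log lines quoted above (an assumption, not the
# plugin's shipped filter). The "host" group plays the role of <HOST> in a fail2ban
# failregex; "Accepted password" lines deliberately do not match.
FAILURE_RE = re.compile(
    r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) \S+ wordpress\([^)]*\)\[\d+\]: "
    r"Authentication failure for (?P<user>\S+) from (?P<host>\S+)$"
)


def parse_ts(ts, year=2015):
    # syslog timestamps carry no year, so one is assumed for the demo
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def hosts_to_ban(lines, maxretry=10, findtime=600):
    """Return hosts that reached maxretry authentication failures within a
    sliding window of findtime seconds (fail2ban's default findtime is 600)."""
    failures = defaultdict(list)
    banned = []
    for line in lines:
        m = FAILURE_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        host = m.group("host")
        t = parse_ts(m.group("ts"))
        # keep only this host's failures that fall inside the window ending now
        window = [x for x in failures[host] if (t - x).total_seconds() <= findtime]
        window.append(t)
        failures[host] = window
        if len(window) >= maxretry and host not in banned:
            banned.append(host)
    return banned


# Constructed sample auth.log in the plugin's format (documentation-range IPs):
# ten failures from 192.0.2.10 five seconds apart, then one failure and one
# success from 192.0.2.20.
SAMPLE_LOG = [
    f"Oct 17 21:00:{i:02d} foobar wordpress(www.example.com)[1234]: "
    f"Authentication failure for admin from 192.0.2.10"
    for i in range(0, 50, 5)
] + [
    "Oct 17 21:01:00 foobar wordpress(www.example.com)[2345]: Authentication failure for editor from 192.0.2.20",
    "Oct 17 21:01:05 foobar wordpress(www.example.com)[2346]: Accepted password for editor from 192.0.2.20",
]

if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE_LOG))  # prints ['192.0.2.10']
```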