Stuart Swindells said:
After working out what was going on and adding to the fail2ban rules,
around 400 different IPs and around 2000 requests to wp-login.php were
blocked over the course of a couple of hours, although it's died down
since.
If it helps anyone, my fail2ban filter:
[Definition]
failregex = [[]client <HOST>[]] WP login failed.*
            [[]client <HOST>[]] client denied.*wp-login.php
The first line requires a change to your WordPress theme to log failed
logins, described here:
http://blog.somsip.com/2012/02/using-fail2ban-to-protect-wordpress/
The one I use is simpler and has the advantage of not needing any
changes to any themes:
# Fail2Ban configuration file
[Definition]
failregex = <HOST>.*] "POST /wp-login.php
ignoreregex =
.. i.e. *any* login attempt, successful or otherwise..
[apache-wp-login]
enabled = true
port = http,https
action = %(action_mwl)s
filter = apache-wp-login
logpath = /home/*/logs/*access.log
maxretry = 5
.. so maxretry needs to be larger than one :)
Having it set to five allows four goes, whether they're failures or
logging into different sites, within a few minutes without being banned
and works for me. I've been using the Limit Login Attempts plugin on
individual sites, so four failures is what people are used to.
(If you have apache logs elsewhere, logpath obviously needs to reflect
that!)
While I'm talking about WP plugins and security, the script I use to set
up WordPress has..
# try to stop anyone installing the sodding Better WP Security plugin
# by making an impossible to access directory with that name
mkdir wp-content/plugins/better-wp-security
chmod -rwx wp-content/plugins/better-wp-security
# and it looks like WordFence is just as bad
mkdir wp-content/plugins/wordfence
chmod -rwx wp-content/plugins/wordfence
.. towards the end to stop installation of two of them which, if
installed by someone who doesn't know what they are doing, will test
your ability to edit MySQL databases by hand in order to get the sites
working again.
Ian
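
An added example, not part of the original posts: a simplified Python model of how the second filter and the [apache-wp-login] jail above behave together, run over constructed access-log lines. The IPv4-only expansion of <HOST>, the findtime of 600 seconds and the sample log are assumptions made for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Simplified stand-in for fail2ban's <HOST> tag: IPv4 only (assumption).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# The failregex from the post above, with <HOST> expanded.
FAILREGEX = re.compile(r'<HOST>.*] "POST /wp-login.php'.replace("<HOST>", HOST))
STAMP = re.compile(r"\[([^\]]+)\]")
MAXRETRY = 5     # from the jail in the post
FINDTIME = 600   # seconds; assumed, the post does not give a value

def banned_hosts(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Hosts that reach maxretry filter matches inside one findtime window."""
    recent, banned = defaultdict(deque), []
    for text in lines:
        m = FAILREGEX.search(text)
        if not m:
            continue  # GETs and other URLs never count
        host = m.group("host")
        when = datetime.strptime(STAMP.search(text).group(1), "%d/%b/%Y:%H:%M:%S %z")
        hits = recent[host]
        hits.append(when)
        while (when - hits[0]).total_seconds() > findtime:
            hits.popleft()  # forget matches older than the window
        if len(hits) >= maxretry and host not in banned:
            banned.append(host)
    return banned

def entry(ip, clock, method, status):
    """Build one constructed combined-log line for the sample below."""
    return (f'{ip} - - [12/Apr/2013:{clock} +0100] '
            f'"{method} /wp-login.php HTTP/1.1" {status} 3120 "-" "sample-agent"')

# Constructed sample log (documentation addresses, not real traffic).
SAMPLE = (
    # five POSTs in five minutes, failed (200) and successful (302) alike
    [entry("203.0.113.10", f"10:0{i}:05", "POST", s) for i, s in enumerate((200, 200, 302, 200, 302))]
    # four POSTs: one short of maxretry
    + [entry("198.51.100.7", f"10:1{i}:00", "POST", 200) for i in range(4)]
    # six GETs of the login page: the filter only looks at POST
    + [entry("192.0.2.44", f"10:2{i}:00", "GET", 200) for i in range(6)]
    # five POSTs, an hour apart: never five inside one window
    + [entry("192.0.2.99", f"1{i}:30:00", "POST", 200) for i in range(5)]
)

if __name__ == "__main__":
    print(banned_hosts(SAMPLE))
```

Only the first client is banned: the filter counts successful and failed POSTs alike, so the ban threshold is the total number of login attempts per address inside the window.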