My logwatch reports have shown apache rejecting and then fail2ban blocking
a lot of these inappropriate attempts. I don't use WP though, but there
does seem to be a recent increase in this sort of attack.
On 7 June 2013 01:19, Stuart Swindells <bitfolk(a)lumo.me.uk> wrote:
On 06/06/2013 21:52, Ian wrote:
I've got a Fail2Ban jail set up to ban anyone accessing any
wp-login.php more than five times. It's just triggered a dozen times
in a minute - there's another major burst of hack attempts going on.
Especially if you or any clients have an account called 'admin' on a
WP site - not a good idea, as it's the WP default and thus the primary
one hackers go for - you want to watch out.
Ian
(Another eight triggers while writing this...)
I meant to post to the list about this too; I got hit on Tuesday to the
extent that my VPS OOMed.
After working out what was going on and adding to the fail2ban rules,
around 400 different IPs and around 2000 requests to wp-login.php were
blocked over the course of a couple of hours although it's died down since.
If it helps anyone, my fail2ban filter:
[Definition]
failregex = [[]client <HOST>[]] WP login failed.*
            [[]client <HOST>[]] client denied.*wp-login.php
The first line requires a change to your WordPress theme to log failed
logins, described here:
http://blog.somsip.com/2012/02/using-fail2ban-to-protect-wordpress/
The second one comes from adding rules to .htaccess to deny requests for
wp-login.php and wp-admin to anything outside of the IP ranges I use. The
second rule should be sufficient; I added the first one a while ago and
didn't see any harm in leaving it.
Stuart
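Added example, not part of the original thread: a Python check of the two failregex lines from Stuart's filter against constructed Apache error-log lines. The HOST pattern is a simplified stand-in for fail2ban's <HOST> tag, the maxretry value is hypothetical, and the last sample line uses the Apache 2.4 layout (client address with port), which this filter does not match.

```python
import re
import warnings
from collections import Counter

# Simplified stand-in for fail2ban's <HOST> tag (assumption: the real
# expansion is broader and differs between fail2ban versions).
HOST = r"(?P<host>[\w.\-]+)"

# The two failregex lines from the filter above, unchanged apart from <HOST>.
FAILREGEX = [
    r"[[]client <HOST>[]] WP login failed.*",
    r"[[]client <HOST>[]] client denied.*wp-login.php",
]
with warnings.catch_warnings():
    # "[[]" makes newer Pythons emit a "possible nested set" FutureWarning.
    warnings.simplefilter("ignore", FutureWarning)
    COMPILED = [re.compile(rx.replace("<HOST>", HOST)) for rx in FAILREGEX]

# Constructed sample lines (documentation IPs), not taken from a real log.
SAMPLE_LOG = """\
[Tue Jun 04 10:00:01 2013] [error] [client 192.0.2.10] client denied by server configuration: /var/www/wp-login.php
[Tue Jun 04 10:00:02 2013] [error] [client 192.0.2.10] client denied by server configuration: /var/www/wp-login.php
[Tue Jun 04 10:00:03 2013] [error] [client 198.51.100.7] WP login failed for username: admin
[Tue Jun 04 10:00:04 2013] [error] [client 203.0.113.5] File does not exist: /var/www/favicon.ico
[Tue Jun 04 10:00:05.123456 2013] [authz_core:error] [pid 999] [client 192.0.2.99:51234] AH01630: client denied by server configuration: /var/www/wp-login.php
""".splitlines()


def match_host(line):
    """Return the offending host if any failregex matches, else None."""
    for rx in COMPILED:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


def count_failures(lines):
    """Count matching lines per host, as a jail does before banning."""
    return Counter(h for h in map(match_host, lines) if h)


def hosts_to_ban(lines, maxretry):
    """Hosts with at least `maxretry` matching lines (hypothetical threshold)."""
    return sorted(h for h, n in count_failures(lines).items() if n >= maxretry)


if __name__ == "__main__":
    print(count_failures(SAMPLE_LOG), hosts_to_ban(SAMPLE_LOG, maxretry=2))
```

On a server that logs in the Apache 2.4 layout, the ":port" after the address stops both regexes from matching, so the filter needs checking against a real log line (fail2ban-regex does this) before relying on it.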