On 06/06/2013 21:52, Ian wrote:
> I've got a Fail2Ban jail set up to ban anyone accessing any
> wp-login.php more than five times. It's just triggered a dozen times
> in a minute - there's another major burst of hack attempts going on.
>
> Especially if you or any clients have an account called 'admin' on a
> WP site - not a good idea, as it's the WP default and thus the primary
> one hackers go for - you want to watch out.
>
> Ian
>
> (Another eight triggers while writing this...)

I meant to post to the list about this too; I got hit on Tuesday to the extent that my VPS OOMed.
After working out what was going on and adding to the fail2ban rules, around 400 different IPs and around 2000 requests to wp-login.php were blocked over the course of a couple of hours although it's died down since.
If it helps anyone, my fail2ban filter:
[Definition]
# Matches theme-logged failed logins and .htaccess denials of wp-login.php
failregex = [[]client <HOST>[]] WP login failed.*
            [[]client <HOST>[]] client denied.*wp-login.php
The first line requires a change to your WordPress theme to log failed logins, described here:
http://blog.somsip.com/2012/02/using-fail2ban-to-protect-wordpress/
The second one comes from adding rules to .htaccess to deny requests for wp-login.php and wp-admin to anything outside of the IP ranges I use. The second rule should be sufficient; I added the first one a while ago and didn't see any harm in leaving it.
Stuart
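
Added example, not part of the original message: a Python check of the two failregex lines against constructed Apache-style error log lines, applying the "more than five times" threshold Ian describes. The `<HOST>` substitute, the function names, the log lines and the addresses are assumptions made for illustration.

```python
import re
import warnings
from collections import Counter

# The two failregex lines from the filter in the message, unchanged.
FAILREGEX = [
    r"[[]client <HOST>[]] WP login failed.*",
    r"[[]client <HOST>[]] client denied.*wp-login.php",
]
# Assumption: simplified IPv4-only stand-in for fail2ban's <HOST> tag.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

with warnings.catch_warnings():
    # Python flags "[[" as a possible nested set; today it is a literal "[".
    warnings.simplefilter("ignore", FutureWarning)
    PATTERNS = [re.compile(rx.replace("<HOST>", HOST)) for rx in FAILREGEX]

def matched_host(line):
    """Return the client IP if either failregex matches the line, else None."""
    for pattern in PATTERNS:
        m = pattern.search(line)
        if m:
            return m.group("host")
    return None

def hosts_to_ban(lines, max_hits=5):
    """Hosts with more than max_hits matching lines (the 'more than five' rule)."""
    hits = Counter(h for h in map(matched_host, lines) if h)
    return sorted(h for h, n in hits.items() if n > max_hits)

# Constructed Apache 2.2-style error log lines; all addresses and paths are made up.
TS = "[Thu Jun 06 21:40:%02d 2013] [error] "
SAMPLE = [
    (TS % i) + "[client 203.0.113.7] client denied by server configuration: "
    "/var/www/blog/wp-login.php" for i in range(6)
] + [
    (TS % 10) + "[client 198.51.100.23] WP login failed for username: admin",
    (TS % 11) + "[client 198.51.100.23] WP login failed for username: admin",
    # Denied wp-admin request: no "wp-login.php" in the line, so no regex matches.
    (TS % 12) + "[client 192.0.2.10] client denied by server configuration: "
    "/var/www/blog/wp-admin",
    (TS % 13) + "[client 192.0.2.10] File does not exist: /var/www/blog/favicon.ico",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(matched_host(line) or "-", line)
    print("ban:", hosts_to_ban(SAMPLE))
```

For a real filter file and log, fail2ban's own `fail2ban-regex` tool performs the equivalent check with the full `<HOST>` expansion.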