Hello Ian and all
On 04/10/15 21:09, Ian wrote:
Rodrigo Campos said:
wp-fail2ban can be used with IPv4, IPv6 and doesn't take into account
the login that worked ok. So, no need for the trick described there
with so many disadvantages.
Pointing fail2ban at any access of wp-login.php?
Apart from expecting that people can get their own password right
within a few tries, I am not sure what the 'so many disadvantages' are.
I have tested the fail2ban idea as set out in the WIKI article[1], but
did not have any luck with it. What Rodrigo actually pointed out is that
there is a plugin for WP called "wp fail2ban", which actually works
rather well. The "many disadvantages" he referred to are also not
completely clear to me, but I can verify that I did *not* manage to make
the WIKI recipe work for me (it doesn't mean that it's broken advice,
just that I did not hack enough at it to make it work properly, so the
failure should be seen as mine).
I like the WP Fail2ban plugin[2] mentioned by Rodrigo (I use it on at
least 9 sites I administer), and it is actually a bit of a pity that the
logging facility that it provides isn't part of the standard Wordpress
framework. In short, what it does is to inject log entries via syslog
into the /var/log/auth.log that look like the following:
Oct 17 20:59:54 foobar wordpress(www.example.com)[1234]: Authentication failure for admin from 192.168.0.1
Oct 17 21:00:00 foobar wordpress(www.example.com)[2345]: Accepted password for admin from 192.168.0.1
Very simple, it does not do anything more than that. It leaves the
blocking maintenance features to fail2ban. Quite handily, it comes with
a ready-made filter file (a file called wordpress.conf, search for it in
the plugin folder under wp-content) that you can copy to your
"/etc/fail2ban/filter.d" folder, and refer to in your jail file with
something akin to this:
---start---
[wordpress]
enabled = true
port = http
filter = wordpress
logpath = /var/log/auth.log
maxretry = 10
---end---
There is one issue with this plug-in: last update was 11 months ago, and
the last confirmed WP version it was officially tested against was
4.0.8. Still, I can confirm that it still works absolutely fine with my
WP 4.3.1 installs, and at least two other people also reported that it
does so for them too. A plus about this plugin is its simplicity, which
thankfully makes the PHP code quite clear to read and understand
(even by myself, who cannot claim any real PHP proficiency).
If you are in control of all of the WordPress setups, fine, remember
to install a plugin on them all and hope the author(s) keep it up to
date.
Yes, this is always a concern with third-party plugins. In the not too
distant past I had to retire useful plugins for exactly this reason.
If you're not, trying to keep track of who's (un)installed it and who
hasn't is a never-ending source of fun.
Quite! :-)
[1] Wordpress WIKI article:
https://tools.bitfolk.com/wiki/WordPress_setup
[2] WP Fail2ban:
https://wordpress.org/plugins/wp-fail2ban/
--
Regards,
Jan Henkins
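Added example (not part of the mail above, and not the plugin's own wordpress.conf filter): a small Python model of how a fail2ban filter turns the auth.log lines the plugin writes into a per-host failure count that the jail's maxretry compares against. The failregex, the `<HOST>` expansion and the log lines are all constructed for this illustration; a successful "Accepted password" line is deliberately not matched, which is the behaviour the thread credits the plugin with.

```python
import re
from collections import Counter

# Constructed sample lines in the format the plugin writes to
# /var/log/auth.log (sample data, not captured from a real server).
SAMPLE_AUTH_LOG = """\
Oct 17 20:59:54 foobar wordpress(www.example.com)[1234]: Authentication failure for admin from 192.168.0.1
Oct 17 21:00:00 foobar wordpress(www.example.com)[2345]: Accepted password for admin from 192.168.0.1
Oct 17 21:00:05 foobar wordpress(www.example.com)[2346]: Authentication failure for admin from 192.168.0.2
Oct 17 21:00:06 foobar wordpress(www.example.com)[2347]: Authentication failure for editor from 192.168.0.2
"""

# A fail2ban-style failregex written for this example; it is NOT the
# pattern shipped in the plugin's wordpress.conf. <HOST> is fail2ban's
# placeholder for the offending address, left in place as a real filter
# file would write it.
FAILREGEX = r"wordpress\([^)]+\)\[\d+\]: Authentication failure for .* from <HOST>$"


def expand_host(pattern):
    """Replace the <HOST> token with a named group matching an IPv4/IPv6 literal."""
    return pattern.replace("<HOST>", r"(?P<host>[0-9a-fA-F:.]+)")


def count_failures(log_text, failregex=FAILREGEX):
    """Return a Counter of authentication failures per source host.

    Only lines matching the failregex count; the "Accepted password"
    line is ignored, so a user who eventually logs in is not penalised
    for the earlier successful attempt.
    """
    rx = re.compile(expand_host(failregex))
    counts = Counter()
    for line in log_text.splitlines():
        m = rx.search(line)
        if m:
            counts[m.group("host")] += 1
    return counts


def hosts_to_ban(log_text, maxretry=10):
    """Hosts whose failure count reaches maxretry (10 in the jail above).

    A real jail also limits the window with findtime; that is omitted here.
    """
    return sorted(h for h, n in count_failures(log_text).items() if n >= maxretry)


if __name__ == "__main__":
    print(count_failures(SAMPLE_AUTH_LOG))
    print(hosts_to_ban(SAMPLE_AUTH_LOG, maxretry=2))
```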