Koozali.org: home of the SME Server

Wordpress & Fail2Ban

Offline holck

Wordpress & Fail2Ban
« on: August 11, 2018, 09:43:18 AM »
If you run WordPress and want to use fail2ban to block login attacks, it's important to change the standard backend used by the wordpress jail.

I used this entry in /etc/fail2ban/jail.conf:
Code:
[wordpress-soft]
enabled = true
filter = wordpress-soft
logpath = /var/log/messages
action = smeserver-iptables[port="80,443",protocol=tcp,bantime=1800]

The filter worked, but attacks were not discovered and blocked. I had hundreds of attacks, logged in /var/log/messages, but not discovered by fail2ban.

Now I've changed the backend to polling, and all seems fine. New snip from /etc/fail2ban/jail.conf:
Code:
[wordpress-hard]
enabled = true
filter = wordpress-hard
logpath = /var/log/messages
maxretry = 3
action = smeserver-iptables[port="80,443",protocol=tcp,bantime=1800]
backend = polling

[wordpress-soft]
enabled = true
filter = wordpress-soft
logpath = /var/log/messages
action = smeserver-iptables[port="80,443",protocol=tcp,bantime=1800]
backend = polling

......

Offline ReetP

Re: Wordpress & Fail2Ban
« Reply #1 on: August 11, 2018, 12:24:17 PM »
Can you add that to the wiki?

And a link on the fail2ban page to the Wordpress one?
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline holck

Re: Wordpress & Fail2Ban
« Reply #2 on: October 17, 2018, 09:04:27 PM »
Quote from: holck on August 11, 2018, 09:43:18 AM
New snip from /etc/fail2band/jail.conf:

The correct file name is /etc/fail2ban/jail.conf
......

Offline Mophilly

Re: Wordpress & Fail2Ban
« Reply #3 on: March 21, 2019, 09:59:28 PM »
Quote from: ReetP on August 11, 2018, 12:24:17 PM
Can you add that to the wiki?

And a link on the fail2ban page to the Wordpress one?

I updated both the Fail2Ban page and the WordPress page to reference this thread. Each has a link to the other.
- Mark

Offline ReetP

Re: Wordpress & Fail2Ban
« Reply #4 on: March 22, 2019, 02:35:00 AM »
Cool and thanks!!

Offline Jean-Philippe Pialasse

Re: Wordpress & Fail2Ban
« Reply #5 on: March 22, 2019, 02:52:50 AM »
Personally, I have been using this for a while with success:

/etc/e-smith/templates-custom/etc/fail2ban/jail.conf/99wordpress
Code:
[wordpress]
enabled = true
filter = wordpress
logpath = /var/log/messages
port = http,https
findtime = 3600
maxretry = 1
bantime = 3600
action = smeserver-iptables[port="80,443",protocol=tcp,bantime=3600]
         smeserver-sendmail[name="Wordpress (auth)",dest=root]


/etc/fail2ban/filter.d/wordpress.conf
Code:
# Fail2Ban configuration file
#
# Author: Charles Lecklider
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf


[Definition]

_daemon = wordpress

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT

failregex = ^%(__prefix_line)sAuthentication failure for .* from <HOST>$
            ^%(__prefix_line)sAuthentication attempt for unknown user .* from <HOST>$
            ^%(__prefix_line)sBlocked user enumeration attempt from <HOST>$
            ^%(__prefix_line)sBlocked authentication attempt for .* from <HOST>$
            ^%(__prefix_line)sPingback error .* generated from <HOST>$
            ^%(__prefix_line)sSpam comment \d+ from <HOST>$
            ^%(__prefix_line)sXML-RPC authentication attempt for unknown user .* from <HOST>$
            ^%(__prefix_line)sXML-RPC multicall authentication failure from <HOST>$
#failregex = ^.* wordpress .*: Authentication failure for .* from <HOST>$
# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

On top of that, I have added the following to the most sensitive WordPress sites, which have only a few users:

.htaccess
Code:
<IfModule mod_rewrite.c>
# 403 error for any unauthorized ip to the admin pages
RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
# "wp-admin$" as originally posted only matched the bare /wp-admin path, so
# /wp-admin/ and /wp-admin/index.php were never blocked; match the whole directory
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin(/.*)?$
# admin-ajax.php is called from public pages by themes and plugins; keep it reachable
RewriteCond %{REQUEST_URI} !/wp-admin/admin-ajax\.php$
# first block to allow # (third octet 20-29 or 200-255, written as digits only)
RewriteCond %{REMOTE_ADDR} !^145\.99\.2\d{1,2}\.\d{1,3}$
# another block
RewriteCond %{REMOTE_ADDR} !^100\.100\.135\.94$
RewriteCond %{REMOTE_ADDR} !^100\.102\.\d{1,3}\.\d{1,3}$

RewriteRule ^(.*)$ - [R=403,L]
</IfModule>

# BEGIN protect xmlrpc.php
# Apache 2.2 access-control syntax; on Apache 2.4 it needs mod_access_compat
<files xmlrpc.php>
order deny,allow
deny from all
# wordpress com because of publicize.
allow from 192.0.64.0/18
# my ISP ips
allow from 200.48.208.0/20
</files>
# END protect xmlrpc.php

Just add this at the top of the WordPress .htaccess file; you can add as many authorized IPs as you need.
« Last Edit: March 22, 2019, 02:54:40 AM by Jean-Philippe Pialasse »
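
As an added example (not code from the thread, and not Jean-Philippe's rule), here is the RewriteCond chain of the .htaccess above evaluated in Python with mod_rewrite's semantics (conditions are AND-ed, except a condition flagged [OR] is OR-ed with the next one). It shows that the pattern `^(.*)?wp-admin$` used in the original post only fires for the bare `/wp-admin` path, so `/wp-admin/` and `/wp-admin/index.php` pass, and compares a tightened chain that is an assumption of this example: it covers the whole directory, keeps admin-ajax.php reachable and writes the allow patterns with `\d` instead of an unescaped `.`. The request URIs and the addresses 203.0.113.5, 100.102.7.9 and 145.99.201.4 are constructed test inputs.

```python
"""Evaluate the RewriteCond chain from the .htaccess above the way mod_rewrite
does, to see which requests actually receive the 403."""
import re

# Each entry: (server variable, pattern, negated by "!", carries the [OR] flag).
# The conditions as posted: wp-login.php OR a URI ending exactly in "wp-admin",
# AND the client address matches none of the allow patterns.
CONDS_AS_POSTED = [
    ("REQUEST_URI", r"^(.*)?wp-login\.php(.*)$", False, True),
    ("REQUEST_URI", r"^(.*)?wp-admin$", False, False),
    ("REMOTE_ADDR", r"^145\.99\.2.+\..+$", True, False),
    ("REMOTE_ADDR", r"^100\.100\.135\.94$", True, False),
    ("REMOTE_ADDR", r"^100\.102\..{1,3}\..{1,3}$", True, False),
]

# Tightened variant (an assumption of this example, not the original poster's rule):
# everything under /wp-admin/ is covered, admin-ajax.php stays reachable because
# themes and plugins call it from public pages, and allow patterns are digits only.
CONDS_TIGHTENED = [
    ("REQUEST_URI", r"^(.*)?wp-login\.php(.*)$", False, True),
    ("REQUEST_URI", r"^(.*)?wp-admin(/.*)?$", False, False),
    ("REQUEST_URI", r"/wp-admin/admin-ajax\.php$", True, False),
    ("REMOTE_ADDR", r"^145\.99\.2\d{1,2}\.\d{1,3}$", True, False),
    ("REMOTE_ADDR", r"^100\.100\.135\.94$", True, False),
    ("REMOTE_ADDR", r"^100\.102\.\d{1,3}\.\d{1,3}$", True, False),
]


def rewrite_conds_match(conds, env):
    """mod_rewrite semantics: conditions are AND-ed together, except that a
    condition carrying [OR] is OR-ed with the condition that follows it."""
    result = True
    or_group = []
    for var, pattern, negated, or_next in conds:
        hit = re.search(pattern, env[var]) is not None
        or_group.append(hit != negated)  # "!" inverts the match
        if not or_next:
            result = result and any(or_group)
            or_group = []
    if or_group:  # a trailing [OR] with no successor: treat the group on its own
        result = result and any(or_group)
    return result


def forbidden(uri, remote_addr, conds=CONDS_AS_POSTED):
    """True if 'RewriteRule ^(.*)$ - [R=403,L]' would fire for this request."""
    env = {"REQUEST_URI": uri, "REMOTE_ADDR": remote_addr}
    return rewrite_conds_match(conds, env)


if __name__ == "__main__":
    for uri in ("/wp-login.php", "/wp-admin", "/wp-admin/", "/wp-admin/index.php",
                "/wp-admin/admin-ajax.php", "/index.php"):
        print(f"{uri:26} as posted: {forbidden(uri, '203.0.113.5')!s:5} "
              f"tightened: {forbidden(uri, '203.0.113.5', CONDS_TIGHTENED)}")
```

Run it and the "as posted" column shows `/wp-admin/` and `/wp-admin/index.php` as not forbidden: the only admin request the original chain stops is the bare `/wp-admin`, which Apache normally redirects to `/wp-admin/` anyway. Allow-listed addresses are unaffected in both variants because every `!` condition on REMOTE_ADDR is AND-ed with the URI group.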

Offline Jean-Philippe Pialasse

Re: Wordpress & Fail2Ban
« Reply #6 on: April 10, 2019, 05:27:50 AM »
I have added your solution to fail2ban, and also added a filter for xmlrpc.

Can you please test and report here: https://bugs.contribs.org/show_bug.cgi?id=9709

This is highly tweakable.

Please do not try this on your production server!
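
As an added example (not code from the thread or from the SME Server contrib), the eight failregex lines of the wordpress filter posted in Reply #5 are run here over constructed syslog lines, and the findtime/maxretry logic of the jails in the first post and in Reply #5 is applied to the matches. The syslog prefix regex is a simplified stand-in for `%(__prefix_line)s` from common.conf (an assumption of this example; the real one is more permissive), and the log lines, hostnames and addresses are constructed, not real traffic.

```python
"""Run the wordpress filter's failregex list over constructed syslog lines and
apply a jail's findtime/maxretry logic, the way fail2ban would."""
import re
from collections import defaultdict
from datetime import datetime

# Stand-in for common.conf's __prefix_line (assumption for this example): syslog
# timestamp, hostname, then the wp-fail2ban tag "wordpress(<site>)[<pid>]:".
PREFIX_LINE = (r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
               r"wordpress(?:\(\S+\))?(?:\[\d+\])?:\s+")
# What fail2ban substitutes for <HOST>: optional IPv4-mapped IPv6 prefix, then the host.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# The failregex lines from filter.d/wordpress.conf, with the prefix and <HOST>
# left as placeholders that are expanded below.
FAILREGEX = [
    r"Authentication failure for .* from <HOST>$",
    r"Authentication attempt for unknown user .* from <HOST>$",
    r"Blocked user enumeration attempt from <HOST>$",
    r"Blocked authentication attempt for .* from <HOST>$",
    r"Pingback error .* generated from <HOST>$",
    r"Spam comment \d+ from <HOST>$",
    r"XML-RPC authentication attempt for unknown user .* from <HOST>$",
    r"XML-RPC multicall authentication failure from <HOST>$",
]
COMPILED = [re.compile(PREFIX_LINE + pat.replace("<HOST>", HOST)) for pat in FAILREGEX]

# Constructed sample of /var/log/messages (not real traffic); the sshd line is noise
# that the wordpress filter must ignore.
SAMPLE_LOG = """\
Aug 11 09:40:01 sme wordpress(www.example.com)[3120]: Authentication failure for admin from 203.0.113.7
Aug 11 09:40:03 sme wordpress(www.example.com)[3120]: Authentication attempt for unknown user administrator from 203.0.113.7
Aug 11 09:40:05 sme wordpress(www.example.com)[3121]: XML-RPC multicall authentication failure from 203.0.113.7
Aug 11 09:41:10 sme wordpress(www.example.com)[3122]: Blocked user enumeration attempt from 198.51.100.20
Aug 11 09:42:00 sme wordpress(www.example.com)[3123]: Spam comment 42 from ::ffff:192.0.2.9
Aug 11 09:42:30 sme sshd[4100]: Failed password for root from 203.0.113.50 port 4444 ssh2
Aug 11 11:30:00 sme wordpress(www.example.com)[3200]: Blocked authentication attempt for admin from 198.51.100.20
Aug 11 11:30:02 sme wordpress(www.example.com)[3200]: Pingback error 16 generated from 198.51.100.20
""".splitlines()


def match_failure(line, year=2018):
    """Return (timestamp, host) for the first failregex that matches, else None.
    Syslog lines carry no year, so one is supplied, as fail2ban also has to do."""
    for rx in COMPILED:
        m = rx.match(line)
        if m:
            stamp = " ".join(m.group("ts").split())  # collapse the double space of days < 10
            ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
            return ts, m.group("host")
    return None


def simulate_jail(lines, findtime=3600, maxretry=3, year=2018):
    """Return {host: ban_time}: a host is banned once it has at least maxretry
    failures inside a findtime-second window, mirroring fail2ban's jail logic."""
    recent = defaultdict(list)
    banned = {}
    for line in lines:
        hit = match_failure(line, year)
        if hit is None:
            continue
        ts, host = hit
        if host in banned:
            continue
        window = recent[host]
        window.append(ts)
        # Forget failures that have fallen out of the findtime window.
        window[:] = [t for t in window if (ts - t).total_seconds() <= findtime]
        if len(window) >= maxretry:
            banned[host] = ts
    return banned


if __name__ == "__main__":
    for name, retry in (("wordpress-hard, maxretry=3", 3), ("Reply #5 jail, maxretry=1", 1)):
        bans = simulate_jail(SAMPLE_LOG, findtime=3600, maxretry=retry)
        print(name, {h: t.strftime("%H:%M:%S") for h, t in bans.items()})
```

With findtime=3600 and maxretry=3 only 203.0.113.7 is banned: 198.51.100.20 has three matching lines, but the first one is older than findtime when the other two arrive, so it never reaches three in one window. On the server itself the equivalent check is `fail2ban-regex /var/log/messages /etc/fail2ban/filter.d/wordpress.conf`, which reports how many lines each failregex matched; if that shows matches while `fail2ban-client status <jail>` shows no bans, the filter is fine and the jail is simply not being fed the lines, which is the backend symptom described in the first post.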

Offline Jean-Philippe Pialasse

Re: Wordpress & Fail2Ban
« Reply #7 on: July 19, 2019, 04:54:06 AM »