WordPress is a robust, free and open-source content-management system (CMS). Because a default WordPress site exposes a login form, a comment form and often open user registration, attackers run networks of bots and compromised servers that brute-force credentials and spam WordPress sites at scale. Fail2ban helps protect both your Droplet and your WordPress site: it watches log files for repeated or suspicious login failures and proactively bans the offending IP addresses by adding firewall rules on the Droplet.
In this guide, we will use Fail2ban 0.9.3 on an Ubuntu 14.04 LAMP server and integrate it with WordPress through a plugin that writes WordPress authentication failures and spam attempts to the system authentication log, where Fail2ban can read them.
Great article, I used this to improve my WordPress security along with some tips from a blog post I found.
You have excellent tutorials DO crew. Keep up the good work.
Great tutorial, as always. However, I am seeing some strange behavior.
Once I enable the wordpress filter, my ssh filter seems to stop working. After a reboot, the ssh filter is working again but the wordpress filter is not (confirmed with fail2ban-client status).
Both wordpress and ssh continue to log failed attempts in /var/log/auth.log but for some reason fail2ban refuses to work with both at the same time.
Any idea what might be causing this?
Thanks for the tutorial! I have a question though. Can I use this WordPress jail for several WP sites on one server?
Great tutorial. However you shouldn’t need to edit logrotate.conf. On my Ubuntu installation auth.log is already being rotated by the rsyslog script. I don’t know if rotating it twice would cause any issues, but it’s not necessary to add anyway.
I am having the same issue. I believe it is setup correctly. Fail2ban works for nginx-http-auth.
Here are my logs after failed attempts:
Mar 16 06:53:33 server-user wordpress(domain.com.au)[9254]: Authentication failure for test from 168.1.6.52
Mar 16 06:53:36 server-user wordpress(domain.com.au)[9604]: Authentication failure for erh from 168.1.6.52
Mar 16 06:53:40 server-user wordpress(domain.com.au)[9281]: Authentication failure for fgnr from 168.1.6.52
Mar 16 06:53:47 server-user wordpress(domain.com.au)[9254]: Authentication failure for fgnr from 168.1.6.52
I used a VPN so it didn't ignore my IP. Here is my wordpress.conf as provided:
[INCLUDES]
before = common.conf

[Definition]
_daemon = wordpress

failregex = ^%(__prefix_line)sAuthentication failure for .* from <HOST>$
            ^%(__prefix_line)sBlocked authentication attempt for .* from <HOST>$
            ^%(__prefix_line)sBlocked user enumeration attempt from <HOST>$
            ^%(__prefix_line)sPingback requested from <HOST>$

ignoreregex =
And my jail.local setting for wordpress
#WordPress Plugin addition
[wordpress]
enabled = true
port = http,https
filter = wordpress
logpath = /var/log/auth.log
maxretry = 3
Regex debug:
sudo fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/wordpress.conf
Running tests
=============
Use failregex file : /etc/fail2ban/filter.d/wordpress.conf
Use log file : /var/log/auth.log
Results
=======
Failregex: 24 total
|- #) [# of hits] regular expression
| 1) [24] ^\s*(<[^.]+\.[^.]+>)?\s*(?:\S+ )?(?:kernel: \[ *\d+\.\d+\] )?(?:@vserver_\S+ )?(?:(?:\[\d+\])?:\s+[\[\(]?wordpress(?:\(\S+\))?[\]\)]?:?|[\[\(]?wordpress(?:\(\S+\))?[\]\)]?:?(?:\[\d+\])?:?)?\s(?:\[ID \d+ \S+\])?\s*Authentication failure for .* from <HOST>
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [802] MONTH Day Hour:Minute:Second
`-
Lines: 802 lines, 0 ignored, 24 matched, 778 missed
Missed line(s): too many to print. Use --print-all-missed to print all 778 lines
I don’t understand why it’s not working. I am assuming it has something to do with the regex in the wordpress.conf, but when running the debug, it matched 24 times. For some reason it’s not banning them. Do I need to set a custom action/banaction?
Any ideas?
Thanks
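The fail2ban-regex run above only proves that the filter matches lines; it says nothing about whether the jail's maxretry/findtime threshold is ever reached for one host, which is the separate step to check when matches are counted but no ban follows. The script below is added here as an illustration and is not code from the commenter, the tutorial or the Fail2ban project. It replays the four failregex lines from the posted wordpress.conf against a constructed auth.log sample and applies the jail's sliding-window rule (a ban once a host has maxretry failures within findtime seconds, the jail default being 600). It assumes a simplified stand-in for common.conf's %(__prefix_line)s, an IPv4-only <HOST> tag, and a fixed year for the year-less syslog timestamps; the 203.0.113.9 and 198.51.100.7 lines are made up to show a host that stays under the threshold and a line the filter must ignore.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of /var/log/auth.log (not copied from a real server).
# The wordpress(...) lines mirror the format in the comment above; the sshd
# line and the 203.0.113.9 host are invented to exercise non-matching input
# and a host whose two events are too far apart to reach maxretry.
SAMPLE_LOG = """\
Mar 16 06:53:33 server-user wordpress(domain.com.au)[9254]: Authentication failure for test from 168.1.6.52
Mar 16 06:53:36 server-user wordpress(domain.com.au)[9604]: Authentication failure for erh from 168.1.6.52
Mar 16 06:53:40 server-user wordpress(domain.com.au)[9281]: Authentication failure for fgnr from 168.1.6.52
Mar 16 06:53:47 server-user wordpress(domain.com.au)[9254]: Authentication failure for fgnr from 168.1.6.52
Mar 16 06:54:02 server-user wordpress(domain.com.au)[9300]: Blocked user enumeration attempt from 203.0.113.9
Mar 16 06:54:10 server-user sshd[1200]: Failed password for root from 198.51.100.7 port 4022 ssh2
Mar 16 07:10:00 server-user wordpress(domain.com.au)[9301]: Pingback requested from 203.0.113.9
"""

# Simplified stand-in (assumption) for fail2ban's %(__prefix_line)s from
# common.conf: syslog timestamp, hostname, then "wordpress(site)[pid]:".
# The real prefix accepts more variants; this is enough for the lines above.
PREFIX = (r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
          r"wordpress(?:\(\S+\))?(?:\[\d+\])?: ")

# Simplified <HOST>: IPv4 only (fail2ban's own tag also matches IPv6/hostnames).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The four failregex lines from the posted wordpress.conf, prefix stripped.
FAILREGEX = [
    r"Authentication failure for .* from <HOST>$",
    r"Blocked authentication attempt for .* from <HOST>$",
    r"Blocked user enumeration attempt from <HOST>$",
    r"Pingback requested from <HOST>$",
]
COMPILED = [re.compile(PREFIX + p.replace("<HOST>", HOST)) for p in FAILREGEX]

# syslog timestamps carry no year; one is assumed so they can be compared.
ASSUMED_YEAR = 2016


def parse_failures(log_text):
    """Return [(timestamp, host), ...] for every line matching a failregex.
    This is the part fail2ban-regex exercises (its 'matched' count)."""
    failures = []
    for line in log_text.splitlines():
        for rx in COMPILED:
            m = rx.match(line)
            if m:
                ts = datetime.strptime(f"{ASSUMED_YEAR} {m.group('ts')}",
                                       "%Y %b %d %H:%M:%S")
                failures.append((ts, m.group("host")))
                break
    return failures


def bans(failures, maxretry=3, findtime=600):
    """Apply the jail threshold fail2ban-regex does not test: ban a host once
    it has >= maxretry failures inside a findtime-second sliding window.
    Returns [(host, ban_time), ...]; the host's window is cleared on ban."""
    window = defaultdict(deque)
    result = []
    for ts, host in sorted(failures):
        q = window[host]
        q.append(ts)
        # Drop failures older than findtime relative to the newest one.
        while q and (ts - q[0]) > timedelta(seconds=findtime):
            q.popleft()
        if len(q) >= maxretry:
            result.append((host, ts))
            q.clear()
    return result


if __name__ == "__main__":
    fails = parse_failures(SAMPLE_LOG)
    print(f"{len(fails)} lines matched the filter")
    for host, when in bans(fails):
        print(f"ban {host} at {when:%H:%M:%S}")
```

Run as-is, the first host is banned at its third failure (06:53:40) while the second host's two events, 16 minutes apart, never coexist in a 600-second window and produce no ban; lowering maxretry or raising findtime changes that. The same reasoning applies to a real jail: 24 matches spread across a long log can still amount to fewer than maxretry failures per host within one findtime window, so compare the timestamps of the matched lines against the jail's findtime before suspecting the banaction.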
Agree with rsmith4321. I received messages from cron.daily saying ‘/etc/logrotate.conf:40 duplicate log entry for /var/log/auth.log’. auth.log is rotated by logrotate as defined in /etc/logrotate.d/rsyslog. The default configuration is:
{
    rotate 7
    daily
    missingok
    notifempty
    delaycompress
    compress
    postrotate
        /usr/lib/rsyslog/rsyslog-rotate
    endscript
}
Following the instructions, I changed this way:
sudo cp logrotate.d/rsyslog logrotate.d/rsyslog.bak
sudo vi logrotate.d/rsyslog
{
    rotate 4
    size 30k
    daily
    missingok
    notifempty
    delaycompress
    compress
    postrotate
        /usr/lib/rsyslog/rsyslog-rotate
    endscript
}
I don’t know the meaning of the suggested line ‘create 0600 root root’. The default owner-user/owner-group for auth.log is syslog:adm.