Fun with fail2ban and WordPress

We run some webservers at work as a part of the services we offer our customers, we’re not a large host by a long shot, but we still get a large amount of brute force attacks against the WordPress installs we run.

I’ve been monitoring the servers and just manually dealing with them using a quick firewall block whenever I’ve seen these in the past, but unfortunately we’ve passed the point of this being a viable solution.

Enter fail2ban.

fail2ban lets you create custom regex rules to match addresses hitting server events within a given time period, and it will then automatically block access to predefined ports via IPTables for a given amount of time.

I did some reading and saw that this could be used against your webserver logs (in our case, apache2), so I set up all logs to also be written to a centralized location.

I’ve been adjusting our rules a little here and there for the past week, and I think I’ve found one that works relatively well, yet doesn’t lock out real users who are doing weird things (it happens, you’d be surprised)

For the fail2ban jail.conf file, I’ve gone with the following

The gist of the…well… gist… is as follows;

  • Enable the rule labeled wordpress
  • If the rule is matched, ban the IP for 900 seconds (15 minutes)
  • The ports to block should be http (80) and https (443)
  • This rule applies to the filter named wordpress.conf
  • The path to the centralized log file
  • The seconds to retain a match
  • The amount of entries within the retained time before the ban is issued

So basically, if your IP matches my regex 5 times within 8 seconds, you get banned for 15 minutes

Next up, our regex config file, located in filter.d/wordpress.conf

Here we start of by including the common config with all the default data in it

I’ve then got a regex block that’s fairly simple (overly simplistic perhaps?), oh and yeah,┬áthis uses the default apache log format common.

Once they were running I started watching the logfile for a while (tail -f /var/log/apache2/other_vhost_access.log | grep wp-login) and I would see 5 hits against wp-login in a row, then nothing, a quick look at the IP tables (iptables -L) would then show the IP addresses that hit the login page listed under the fail2ban-wordpress chain.


Update – 2016-06-28

As the comment from Junior below mentions, this may cause problems for you if you are behind a proxy like CloudFlare.

Luckily, CloudFlare provides the tools to fix that, they have a handy module that translates the IPs for you so that on your server end you always have the legitimate IPs, so if you do use CloudFlare and want that extra layer of brute force protection, you really should have their module running as well.

1 thought on “Fun with fail2ban and WordPress”

  1. A good solution if you are not using any caching, edge, or other networking gear that limits your ability to see these IP addresses clearly. Used with cloudflare or other services, this concept would be banning good users along with bad.

    When all you have is a hammer, everything looks like a nail, right?

Leave a Reply

Your email address will not be published. Required fields are marked *