Using Fail2ban on WordPress wp-login.php and xmlrpc.php

A fair few customers of ours use WordPress and occasionally notice that there are people hammering on a few URLs.

This can cause high load, slow websites and a number of other issues, especially when more than a single IP is hammering away at them.

The solution is simple, and it involves using fail2ban. Here are some simple fail2ban recipes that will stop most of that in its tracks.

Create a file /etc/fail2ban/filter.d/wordpress.conf with the following contents:

[Definition]
# Match POST requests to wp-login.php or xmlrpc.php (literal dots escaped)
failregex = ^<HOST> .* "POST .*wp-login\.php
            ^<HOST> .* "POST .*xmlrpc\.php
ignoreregex =

You can add as many regexes in there as you want, each on a new line, but these will cover that for now. It pays to check the Apache logs to make sure this regex is going to work on your server, and the fail2ban logs after applying it to make sure it's banning them.

Create the file /etc/fail2ban/jail.d/wordpress.conf and add the following rules to it:

[wordpress]
enabled = true
port = http,https
filter = wordpress
action = iptables-multiport[name=wordpress, port="http,https", protocol=tcp]
logpath = /var/log/httpd/access_log
          /var/log/apache2/access*log
          /var/log/virtualmin/*log
maxretry = 3
findtime = 120

The log paths I have used here cover a few places; you will likely need to remove the ones you don't need or have. The first log path is Red Hat/CentOS based, the next is Debian, and the third is for those with Virtualmin.
Other potential log paths may be something like the following:
Plesk: /var/www/vhost/*/statistics/logs/*log or /var/www/vhost/*/system/logs/*log
cPanel: /home/*/log/*log
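
To check the filter and jail thresholds before relying on them, the following added example (not part of the original post) replays the two failregex patterns and the maxretry/findtime values over constructed Apache access-log lines and reports which hosts would reach the ban threshold. The `<HOST>` substitution, the function names and the sample lines are assumptions made for the illustration; fail2ban's own matching also handles timestamps and host formats more thoroughly.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# failregex lines from the filter (dots escaped). <HOST> is swapped for a plain
# non-whitespace capture, a simplification of fail2ban's own host pattern.
FAILREGEX = [r'^<HOST> .* "POST .*wp-login\.php', r'^<HOST> .* "POST .*xmlrpc\.php']
PATTERNS = [re.compile(r.replace("<HOST>", r"(?P<host>\S+)")) for r in FAILREGEX]
TIMESTAMP = re.compile(r"\[([^\]]+)\]")  # Apache time field

def would_ban(lines, maxretry=3, findtime=120):
    """Hosts with maxretry matching lines inside findtime seconds (jail values)."""
    recent, banned = defaultdict(deque), []
    for line in lines:
        match = next((m for p in PATTERNS if (m := p.search(line))), None)
        if match is None:
            continue  # GETs and other URLs never count towards a ban
        host = match.group("host")
        when = datetime.strptime(TIMESTAMP.search(line).group(1), "%d/%b/%Y:%H:%M:%S %z")
        hits = recent[host]
        hits.append(when)
        while (when - hits[0]).total_seconds() > findtime:
            hits.popleft()  # drop hits that fell out of the findtime window
        if len(hits) >= maxretry and host not in banned:
            banned.append(host)
    return banned

def _line(host, clock, request):
    # Constructed Apache combined-format line; not taken from a real log.
    return f'{host} - - [01/Nov/2016:{clock} +0000] "{request} HTTP/1.1" 200 1534 "-" "Mozilla/5.0"'

SAMPLE = [
    _line("203.0.113.5", "19:47:50", "POST /wp-login.php"),
    _line("203.0.113.5", "19:47:55", "POST /wp-login.php"),
    _line("203.0.113.5", "19:48:10", "POST /xmlrpc.php"),
    _line("198.51.100.7", "19:50:00", "POST /xmlrpc.php"),
    _line("198.51.100.7", "19:50:30", "POST /xmlrpc.php"),
    _line("192.0.2.10", "19:51:00", "GET /wp-login.php"),
    _line("192.0.2.10", "19:51:01", "GET /wp-login.php"),
    _line("192.0.2.10", "19:51:02", "GET /wp-login.php"),
    _line("198.51.100.20", "20:00:00", "POST /wp-login.php"),
    _line("198.51.100.20", "20:03:00", "POST /wp-login.php"),
    _line("198.51.100.20", "20:06:00", "POST /wp-login.php"),
]

if __name__ == "__main__":
    print(would_ban(SAMPLE))
```

Only the first host is reported: the others either stay under maxretry, use GET, or space their POSTs wider than findtime. On the server itself, fail2ban-regex run with the log file and the filter file as arguments tests the real filter against real log lines.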

Make sure you keep an eye on the fail2ban log, and make sure that the ban is happening. It should look like this:

2016-11-01 18:40:50,672 fail2ban.actions[958]: WARNING [wordpress] Unban
2016-11-01 19:47:53,081 fail2ban.actions[958]: WARNING [wordpress] Ban
2016-11-01 19:54:56,550 fail2ban.actions[958]: WARNING [wordpress] Ban
2016-11-01 19:57:53,747 fail2ban.actions[958]: WARNING [wordpress] Unban
2016-11-01 20:04:57,198 fail2ban.actions[958]: WARNING [wordpress] Unban
2016-11-01 20:33:35,094 fail2ban.actions[958]: WARNING [wordpress] Ban
2016-11-01 20:43:35,755 fail2ban.actions[958]: WARNING [wordpress] Unban