
Configure fail2ban custom filter and jail to block WordPress brute force attacks

Create a custom fail2ban filter and jail to block brute force login attempts against WordPress wp-login.php, xmlrpc.php and wlwmanifest.xml

Brute force attacks in Nginx logs

In this example, I've noticed three request patterns in the Nginx access and error logs. Each of these patterns looks like malicious activity trying to log in to the WordPress admin panel or to gather more information about the website. From the timing and repeated attempts, the activity looks like a bot or script rather than a person browsing the site.

Attempts on WordPress wp-login.php

GET /wp-login.php HTTP/1.1
GET /wordpress/wp-login.php HTTP/1.1
GET /blog/wp-login.php HTTP/1.1

Attempts on WordPress xmlrpc.php

GET /xmlrpc.php HTTP/1.1
GET //xmlrpc.php?rsd HTTP/1.1

Attempts on WordPress wlwmanifest.xml

GET //wp-includes/wlwmanifest.xml HTTP/1.1
GET //blog/wp-includes/wlwmanifest.xml HTTP/1.1
GET //wordpress/wp-includes/wlwmanifest.xml HTTP/1.1

Create fail2ban filter for WordPress login attempts

nano /etc/fail2ban/filter.d/wordpress.conf

[Definition]
# .* before the file name lets a rule match installs in a sub-directory
# (/blog/, /wordpress/) and the doubled leading slash seen in the logs;
# the dots are escaped so "." matches only a literal dot.
failregex = ^<HOST> .* "(GET|POST) .*/wp-login\.php
            ^<HOST> .* "(GET|POST) .*/xmlrpc\.php
            ^<HOST> .* "(GET|POST) .*/wlwmanifest\.xml
ignoreregex =

Create fail2ban jail for WordPress

Edit jail.local and add the following to the end of the file. bantime and findtime are not set here, so the jail inherits them from the [DEFAULT] section. The failregex above is written for the access-log format, where the client address begins the line; Nginx error-log lines have a different layout (the address follows "client:"), so they will not match unless a failregex for that format is added.

nano /etc/fail2ban/jail.local

[wordpress]
enabled = true
port    = http,https
filter  = wordpress
logpath = /var/log/nginx/*access*log
        /var/log/nginx/*error*log
maxretry = 3

Restart fail2ban

service fail2ban restart

Test the Fail2ban filter using fail2ban-regex

We can check whether the Fail2ban filter definition matches the request patterns in the Nginx logs using fail2ban-regex.

fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/wordpress.conf

In this example, there are 162 matches in the Nginx access log. Zero matches means the filter regex does not match the log format and needs fixing; a count far higher than the number of suspicious requests you saw means the regex is too broad and will produce false positives.
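To see what fail2ban-regex is doing before touching the live server, the same matching can be rehearsed offline. The script below is an added example, not part of the original post or of fail2ban itself: it expands the <HOST> tag with a simplified IPv4-only stand-in (fail2ban's real expansion also handles IPv6 and hostnames), runs constructed Nginx access-log lines through the corrected failregex list, counts matches per client address the way the jail would, and shows that the variant with "*" placed directly after the method group, "(GET|POST)*/wlwmanifest.xml", matches nothing at all.

```python
import re
from collections import Counter

# Constructed Nginx combined-format access-log lines (sample data, not taken from the post).
# Addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jun/2023:10:15:01 +0000] "GET /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Jun/2023:10:15:02 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Jun/2023:10:15:03 +0000] "GET /blog/wp-login.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jun/2023:10:16:00 +0000] "GET //xmlrpc.php?rsd HTTP/1.1" 405 42 "-" "-"
198.51.100.7 - - [01/Jun/2023:10:16:01 +0000] "GET //blog/wp-includes/wlwmanifest.xml HTTP/1.1" 404 153 "-" "-"
192.0.2.33 - - [01/Jun/2023:10:17:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.33 - - [01/Jun/2023:10:17:05 +0000] "GET /wp-content/uploads/logo.png HTTP/1.1" 200 8100 "-" "Mozilla/5.0"
"""

# Simplified stand-in for fail2ban's <HOST> tag: an IPv4 address captured as group "host".
# fail2ban's real expansion also covers IPv6 and hostnames; that is out of scope here.
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Corrected failregex lines: a space after the method, ".*" to allow a sub-directory
# prefix or doubled slash, and escaped dots so "." matches only a literal dot.
FAILREGEX = [
    r'^<HOST> .* "(GET|POST) .*/wp-login\.php',
    r'^<HOST> .* "(GET|POST) .*/xmlrpc\.php',
    r'^<HOST> .* "(GET|POST) .*/wlwmanifest\.xml',
]

# "(GET|POST)*" means zero or more repetitions of the method immediately followed by
# "/wlwmanifest.xml". A real request line has a space and a path prefix after the
# method, so this pattern can never match.
BROKEN_WLW_REGEX = r'^<HOST> .* "(GET|POST)*/wlwmanifest.xml'


def compile_failregex(patterns):
    """Expand <HOST> and compile each failregex line, as fail2ban does for a filter."""
    return [re.compile(p.replace("<HOST>", HOST_RE)) for p in patterns]


def match_lines(log_text, patterns):
    """Run every log line through the failregex list.

    Returns (hits, missed): hits counts matching lines per client address,
    missed holds the lines no pattern matched (what fail2ban-regex reports as Missed).
    """
    compiled = compile_failregex(patterns)
    hits = Counter()
    missed = []
    for line in log_text.splitlines():
        if not line:
            continue
        for rx in compiled:
            m = rx.search(line)
            if m:
                hits[m.group("host")] += 1
                break  # a line is counted once, on the first failregex that matches
        else:
            missed.append(line)
    return hits, missed


def hosts_to_ban(hits, maxretry=3):
    """Addresses that reached maxretry matches (findtime is not modelled in this sample)."""
    return sorted(host for host, n in hits.items() if n >= maxretry)


if __name__ == "__main__":
    hits, missed = match_lines(SAMPLE_LOG, FAILREGEX)
    print("matches per host:", dict(hits))
    print("missed lines:", len(missed))
    print("would ban (maxretry=3):", hosts_to_ban(hits, 3))
    broken_hits, _ = match_lines(SAMPLE_LOG, [BROKEN_WLW_REGEX])
    print("broken wlwmanifest pattern matches:", sum(broken_hits.values()))
```

With the sample above, the two ordinary page requests from 192.0.2.33 end up in the missed list, 203.0.113.10 reaches three matches and would be banned at maxretry = 3, and the broken wlwmanifest pattern produces zero matches, which is the "zero matches" symptom described in the previous paragraph.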

Check fail2ban status

fail2ban-client status

Check wordpress jail status

fail2ban-client status wordpress

Thursday, 01 June 2023