Configure fail2ban custom filter and jail to block WordPress brute force attacks
Create a custom fail2ban filter and jail to prevent brute force login attacks on WordPress wp-login.php, xmlrpc.php, wlwmanifest.xml
Brute force attacks in Nginx logs
In this example, I've noticed three request patterns in the Nginx access and error logs. Each of these patterns looks like malicious activity trying to log in to the WordPress admin panel or gather more information about the site. From the timing and repeated attempts, the activity looks like a bot or script being run rather than a person browsing the site.
Attempts on WordPress wp-login.php
GET /wp-login.php HTTP/1.1
GET /wordpress/wp-login.php HTTP/1.1
GET /blog/wp-login.php HTTP/1.1
Attempts on WordPress xmlrpc.php
GET /xmlrpc.php HTTP/1.1
GET //xmlrpc.php?rsd HTTP/1.1
Attempts on WordPress wlwmanifest.xml
GET //wp-includes/wlwmanifest.xml HTTP/1.1
GET //blog/wp-includes/wlwmanifest.xml HTTP/1.1
GET //wordpress/wp-includes/wlwmanifest.xml HTTP/1.1
Create fail2ban filter for WordPress login attempts
nano /etc/fail2ban/filter.d/wordpress.conf
[Definition]
# One regex per line; fail2ban replaces <HOST> with its own IP/hostname pattern.
# The path is preceded by .* so that requests under a prefix such as /blog/ or
# /wordpress/ and the double-slash variants (//xmlrpc.php) are matched as well.
failregex = ^<HOST> .* "(GET|POST) .*/wp-login\.php
            ^<HOST> .* "(GET|POST) .*/xmlrpc\.php
            ^<HOST> .* "(GET|POST) .*/wlwmanifest\.xml
ignoreregex =
Create fail2ban jail for WordPress
Edit jail.local and add the following to the end of the file:
nano /etc/fail2ban/jail.local
[wordpress]
enabled = true
port = http,https
filter = wordpress
logpath = /var/log/nginx/*access*log
          /var/log/nginx/*error*log
maxretry = 3
Restart fail2ban
service fail2ban restart
Test the Fail2ban filter using fail2ban-regex
We can check whether the fail2ban filter definition matches the patterns in the Nginx logs using fail2ban-regex:
fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/wordpress.conf
In this example, there are 162 matches in the Nginx access log. If there are zero matches, the filter regex is wrong; if there are far more matches than expected, the regex is matching the wrong lines in the logs and will generate too many false positives.
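To see what fail2ban-regex is actually checking, here is an added Python example (not from the original post and not fail2ban's own code) that runs the three failregex lines from the filter above over a constructed Nginx access log and reports, per client IP, how many lines match and which IPs would reach the jail's maxretry of 3. The <HOST> expansion used here is a simplified assumption; fail2ban's real one also covers IPv6 and hostnames.

```python
import re
from collections import Counter

# The three failregex lines from the wordpress.conf filter above, with the
# fail2ban <HOST> placeholder expanded. fail2ban's own <HOST> expansion is more
# elaborate (it also handles IPv6 and hostnames); the simplified version here
# is an assumption of this example, enough for the IPv4 access-log lines below.
HOST = r"(?P<host>[0-9a-fA-F.:]+)"
FAILREGEX = [
    r'^<HOST> .* "(GET|POST) .*/wp-login\.php',
    r'^<HOST> .* "(GET|POST) .*/xmlrpc\.php',
    r'^<HOST> .* "(GET|POST) .*/wlwmanifest\.xml',
]
PATTERNS = [re.compile(p.replace("<HOST>", HOST)) for p in FAILREGEX]

# Constructed sample of an Nginx combined-format access log: the request
# paths mirror the ones seen in the logs above; the IPs are documentation
# addresses (RFC 5737), not real clients.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:03 +0000] "GET /wordpress/wp-login.php HTTP/1.1" 404 150 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:04 +0000] "GET //xmlrpc.php?rsd HTTP/1.1" 405 42 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2024:12:01:00 +0000] "GET //wp-includes/wlwmanifest.xml HTTP/1.1" 404 150 "-" "curl/8.0"
198.51.100.9 - - [10/Mar/2024:12:01:01 +0000] "GET //blog/wp-includes/wlwmanifest.xml HTTP/1.1" 404 150 "-" "curl/8.0"
192.0.2.20 - - [10/Mar/2024:12:02:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.20 - - [10/Mar/2024:12:02:05 +0000] "GET /wp-content/uploads/logo.png HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

def match_host(line):
    """Return the <HOST> captured by the first failregex that matches, else None."""
    for pattern in PATTERNS:
        m = pattern.search(line)
        if m:
            return m.group("host")
    return None

def count_failures(log_text):
    """Count failregex matches per host, the way fail2ban-regex reports them."""
    return Counter(h for h in map(match_host, log_text.splitlines()) if h)

def hosts_to_ban(log_text, maxretry=3):
    """Hosts with at least maxretry matches; the jail above uses maxretry = 3."""
    return sorted(h for h, n in count_failures(log_text).items() if n >= maxretry)

if __name__ == "__main__":
    print(count_failures(SAMPLE_LOG))  # Counter({'203.0.113.7': 4, '198.51.100.9': 2})
    print(hosts_to_ban(SAMPLE_LOG))    # ['203.0.113.7']
```

The ordinary page and image requests from 192.0.2.20 produce no matches, which is the false-positive check the paragraph above describes.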
Check fail2ban status
fail2ban-client status
Check wordpress jail status
fail2ban-client status wordpress