Last Updated: June 08, 2016 · drrobotnik

fail2ban block log-in attempts wp-auth

WP-Auth Fail2ban

If you have control over your web server you can block log-in attempts based on frequency with fail2ban.

Create wp-auth.conf

On Ubuntu, navigate to /etc/fail2ban/filter.d/ and create the wp-auth.conf file. Next, edit the file with your favorite command line editor (pico, vi, etc.).

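[Definition]
# Matches any POST to wp-login.php at the site root or under /wp/ or /wordpress/.
# The empty alternative between the two pipes covers the site-root case.
failregex = ^<HOST> .* "POST \/(wp\/||wordpress\/)wp-login.php
ignoreregex =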

Save this file and quit.

Next you'll need to determine where your access log files are. I usually find them somewhere around /var/log/nginx/. This could be different based on many scenarios, so it's important to find the correct path and not simply copy and paste the lines below.

Navigate to /etc/fail2ban/ and edit jail.local, adding the following lines.

[wp-auth]
enabled = true
filter = wp-auth
action = iptables-multiport[name=NoAuthFailures, port="http,https"]
logpath = /var/log/nginx/*access*.log*
bantime = 1200
maxretry = 2

The important lines are logpath, bantime, and maxretry. They're all pretty self-explanatory, but you'll insert the log path you found above. Notice that my example uses *access*.log*. This is a wildcard (glob) pattern that basically says any file whose name contains the word access followed by .log, including rotated copies. This will grab all the following variations, for example:
access.log
access.log.1
access.log.2.gz
site2.access.log
site2.access.log.1
site2.access.log.2.gz

Save this file and quit.

You can test your new filter against your current logs with the following command (replace the log path with your own):

fail2ban-regex /var/log/nginx/access.log.1 /etc/fail2ban/filter.d/wp-auth.conf

Down toward the bottom of the output you should see something that looks like:

Lines: 750 lines, 0 ignored, 10 matched, 740 missed

Based on my example, we have 10 matches that would be affected by your new filter.

Once you're happy with the results and know it's working, you'll need to apply your new filter by restarting the fail2ban service.
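
To see how the filter and the jail thresholds interact before pointing them at live logs, the following added example (not part of the original tip, and not fail2ban's own code) is a simplified emulation: it applies the failregex above to constructed nginx log lines and reports which hosts would reach maxretry. The IPv4-only `<HOST>` substitution and the 600-second findtime are assumptions; the jail above does not set findtime.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# failregex from wp-auth.conf; <HOST> is replaced by a simplified IPv4 group
# (assumption: fail2ban's real <HOST> expansion also covers IPv6 and hostnames).
FAILREGEX = r'^<HOST> .* "POST \/(wp\/||wordpress\/)wp-login.php'
PATTERN = re.compile(FAILREGEX.replace("<HOST>", r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"))
TIMESTAMP = re.compile(r"\[([^\]]+)\]")

MAXRETRY = 2    # from the [wp-auth] jail
FINDTIME = 600  # seconds; assumed fail2ban default, the jail above does not set it

# Constructed nginx "combined" log lines (documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [08/Jun/2016:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "curl/7.47"
203.0.113.7 - - [08/Jun/2016:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "curl/7.47"
198.51.100.4 - - [08/Jun/2016:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2840 "-" "Mozilla/5.0"
198.51.100.4 - - [08/Jun/2016:10:01:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.55 - - [08/Jun/2016:10:02:00 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 200 3120 "-" "-"
192.0.2.99 - - [08/Jun/2016:10:03:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
192.0.2.55 - - [08/Jun/2016:10:30:00 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 200 3120 "-" "-"
"""

def scan(log_text, maxretry=MAXRETRY, findtime=FINDTIME):
    """Return (matches per host, hosts that would be banned)."""
    matches = defaultdict(int)
    recent = defaultdict(deque)   # host -> timestamps inside the findtime window
    banned = []
    for line in log_text.splitlines():
        m = PATTERN.search(line)
        if not m:
            continue
        host = m.group("host")
        ts = datetime.strptime(TIMESTAMP.search(line).group(1), "%d/%b/%Y:%H:%M:%S %z")
        matches[host] += 1
        window = recent[host]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()      # drop matches older than findtime
        if len(window) >= maxretry and host not in banned:
            banned.append(host)
    return dict(matches), banned

if __name__ == "__main__":
    counts, banned = scan(SAMPLE_LOG)
    print("matches:", counts)
    print("would ban:", banned)
```

The regex never looks at the status code, so the 302 line (a successful login) counts toward maxretry exactly like a failed attempt, and two POSTs spaced further apart than findtime never trigger a ban.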

service fail2ban restart

You can monitor your fail2ban logs via the following path:

tail -f /var/log/fail2ban.log

Monitor bad actors being banned in real time. Enjoy.