Fail2Ban WP Auth
SandwichBagGhost
Member
in Help
Anyone got a Fail2Ban WP Auth rule to get rid of bruteforces who try to break into the blog?
I am using Nginx.
Comments
I used it a while back? What do you want to know about it?
Why not just completely disable the login page from the public world? That's much more secure, and would reduce your server load dramatically.
Check this WP plugin: https://wordpress.org/plugins/wp-fail2ban/
I need a custom rule that would tell fail2ban to check for a lot of failed login attempts in logs of Nginx that are going to wp-login.php as it's the login file for everyone.
@charlie: Hopefully it'll work without much hassle and reconfiguration. I currently have a login logger and a BruteProtect plugin.
I do remember it being simple to setup @SandwichBagGhost.
I always set a server level password that's stupid simple. The point isn't complicating, it's preventing the bots from making their successful POST. But fail2ban works wonders as well.
I use Nginx's request limit module to significantly restrict requests to the wp-login.php file. I only have a handful of users on the sites I manage, so I have the limit set to be pretty restrictive. It works well, automatically, and effectively limits brute force attempts. You can also allow bursts before the limiting takes effect so it doesn't interfere with regular users' logins.
Although this is based on nginx, my best guess is it will work for Apache too.
I can also tell you this is quite effective and that fail2ban has to work hard :-)
Note that I am using the latest beta of fail2ban, which has persistent bans:
https://github.com/fail2ban/fail2ban/blob/master/ChangeLog
jail.local:
[DEFAULT]
maxretry = 3
findtime = 3660
bantime = 259200

[wordpress-auth]
enabled = true
port = http,https
filter = wordpress-auth
logpath = /var/log/nginx/access.log

[wordpress-register]
enabled = true
port = http,https
filter = wordpress-register
logpath = /var/log/nginx/access.log

[wordpress-xmlrpc]
enabled = true
port = http,https
filter = wordpress-xmlrpc
logpath = /var/log/nginx/access.log
Filter wordpress-auth:

[Definition]
failregex = ^<HOST> .* "POST /wp-login.php.*HTTP/.*" 401 .*$
ignoreregex =

Filter wordpress-register:

[Definition]
failregex = ^<HOST> .* "GET /wp-login.php\?action=register HTTP/.*" .*$
ignoreregex =

Filter wordpress-xmlrpc:

[Definition]
failregex = ^<HOST> .*POST .*xmlrpc\.php.*
ignoreregex =
I forgot you need this WP patch: https://core.trac.wordpress.org/ticket/25446
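As an added example (not from M66B's post and not fail2ban's own code), the script below replays the three filters above against a few constructed nginx access-log lines in the default combined format and applies the maxretry/findtime window from the jail.local above, so you can see which clients would end up banned and which would not. It assumes IPv4 clients only (fail2ban's real <HOST> placeholder is broader), that failed logins are answered with 401 as the WP ticket linked above provides, and the log lines, IPs and timestamps are made up.

```python
"""Added example, not from the thread: replay the three fail2ban filters
posted above against constructed nginx access-log lines and apply the
jail.local maxretry/findtime window to see which clients get banned."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Values from the posted jail.local [DEFAULT] section
MAXRETRY = 3
FINDTIME = 3660  # seconds

# fail2ban expands <HOST> itself; this IPv4-only group is an assumption
# made to keep the example self-contained.
HOST = r"^(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The three failregexes exactly as posted, with <HOST> substituted
FILTERS = {
    "wordpress-auth": re.compile(HOST + r' .* "POST /wp-login.php.*HTTP/.*" 401 .*$'),
    "wordpress-register": re.compile(HOST + r' .* "GET /wp-login.php\?action=register HTTP/.*" .*$'),
    "wordpress-xmlrpc": re.compile(HOST + r' .*POST .*xmlrpc\.php.*'),
}

# nginx "combined" format: $remote_addr - $remote_user [$time_local] "$request" $status ...
TIME_RE = re.compile(r"\[(?P<ts>[^\]]+)\]")


def parse_time(line):
    """Pull $time_local out of a combined-format line."""
    return datetime.strptime(TIME_RE.search(line).group("ts"), "%d/%b/%Y:%H:%M:%S %z")


def match_failures(lines):
    """Yield (jail, host, timestamp) for every line some filter matches."""
    for line in lines:
        for jail, rx in FILTERS.items():
            m = rx.match(line)
            if m:
                yield jail, m.group("host"), parse_time(line)


def banned_hosts(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Return {jail: {hosts}} that reach maxretry failures inside a findtime window."""
    window = timedelta(seconds=findtime)
    history = defaultdict(list)  # (jail, host) -> timestamps of recent failures
    banned = defaultdict(set)
    for jail, host, ts in match_failures(lines):
        stamps = history[(jail, host)]
        stamps.append(ts)
        # Drop failures that have fallen out of the sliding window
        stamps[:] = [t for t in stamps if ts - t <= window]
        if len(stamps) >= maxretry:
            banned[jail].add(host)
    return dict(banned)


# Constructed log lines (documentation IP ranges, made-up timestamps)
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 401 1234 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 401 1234 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 401 1234 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 401 1234 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:10:00:06 +0000] "GET /wp-login.php?action=register HTTP/1.1" 200 2000 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2024:11:00:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 500 "-" "curl/8.0"
192.0.2.9 - - [10/Mar/2024:11:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 500 "-" "curl/8.0"
192.0.2.9 - - [10/Mar/2024:13:00:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 500 "-" "curl/8.0"
""".splitlines()
# Line 5 is what an unpatched WordPress logs for a failed login (200, not 401):
# the wordpress-auth filter never sees it, which is why the ticket above matters.
# The third xmlrpc POST is 7200 s after the first, outside findtime, so no ban.

if __name__ == "__main__":
    for jail, hosts in banned_hosts(SAMPLE_LOG).items():
        print(jail, sorted(hosts))
```

Against a real log you would test a filter with fail2ban's own tool, e.g. `fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/wordpress-auth.conf`, which uses the actual <HOST> expansion and reports how many lines matched.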
@M66B
I am using Nginx and what you posted was right what I was looking for. Thanks.