Koozali.org: home of the SME Server

Obsolete Releases => SME 9.x Contribs => Topic started by: holck on August 11, 2018, 09:43:18 AM

Title: Wordpress & Fail2Ban
Post by: holck on August 11, 2018, 09:43:18 AM
If you run WordPress and want to use fail2ban to block login attacks, it is important to change the standard backend used by the WordPress jail.

I used this entry in /etc/fail2ban/jail.conf:
Code:
[wordpress-soft]
enabled = true
filter = wordpress-soft
logpath = /var/log/messages
action = smeserver-iptables[port="80,443",protocol=tcp,bantime=1800]

The filter worked, but attacks were not discovered and blocked. I had hundreds of attacks, logged in /var/log/messages, but not discovered by fail2ban.

Now, I've changed the backend to polling, and all seems fine. New snip from /etc/fail2band/jail.conf:
Code:
[wordpress-hard]
enabled = true
filter = wordpress-hard
logpath = /var/log/messages
maxretry = 3
action = smeserver-iptables[port="80,443",protocol=tcp,bantime=1800]
backend = polling

[wordpress-soft]
enabled  = true
filter = wordpress-soft
logpath = /var/log/messages
action = smeserver-iptables[port="80,443",protocol=tcp,bantime=1800]
backend = polling

Title: Re: Wordpress & Fail2Ban
Post by: ReetP on August 11, 2018, 12:24:17 PM
Can you add that to the wiki?

And a link on the fail2ban page to the Wordpress one?
Title: Re: Wordpress & Fail2Ban
Post by: holck on October 17, 2018, 09:04:27 PM
New snip from /etc/fail2band/jail.conf:

The correct file name is /etc/fail2ban/jail.conf
Title: Re: Wordpress & Fail2Ban
Post by: mophilly on March 21, 2019, 09:59:28 PM
Can you add that to the wiki?

And a link on the fail2ban page to the Wordpress one?

I updated both the Fail2Ban page and the WordPress page to reference this thread. Each has a link to the other.
Title: Re: Wordpress & Fail2Ban
Post by: ReetP on March 22, 2019, 02:35:00 AM
Cool and thanks!!
Title: Re: Wordpress & Fail2Ban
Post by: Jean-Philippe Pialasse on March 22, 2019, 02:52:50 AM
Personally, I have used this for a while with success:


/etc/e-smith/templates-custom/etc/fail2ban/jail.conf/99wordpress
Code:
[wordpress]
enabled = true
filter = wordpress
logpath = /var/log/messages
port = http,https
findtime = 3600
maxretry = 1
bantime = 3600
action   = smeserver-iptables[port="80,443",protocol=tcp,bantime=3600]
           smeserver-sendmail[name="Wordpress (auth)",dest=root]


/etc/fail2ban/filter.d/wordpress.conf
Code:
# Fail2Ban configuration file
#
# Author: Charles Lecklider
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf


[Definition]

_daemon = wordpress

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT

failregex = ^%(__prefix_line)sAuthentication failure for .* from <HOST>$
            ^%(__prefix_line)sAuthentication attempt for unknown user .* from <HOST>$
            ^%(__prefix_line)sBlocked user enumeration attempt from <HOST>$
            ^%(__prefix_line)sBlocked authentication attempt for .* from <HOST>$
            ^%(__prefix_line)sPingback error .* generated from <HOST>$
            ^%(__prefix_line)sSpam comment \d+ from <HOST>$
            ^%(__prefix_line)sXML-RPC authentication attempt for unknown user .* from <HOST>$
            ^%(__prefix_line)sXML-RPC multicall authentication failure from <HOST>$
#failregex = ^.* wordpress .*: Authentication failure for .* from <HOST>$
# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

On top of that, I have added the following to the most sensitive WordPress sites with only a few users:

.htaccess
Code:

<IfModule mod_rewrite.c>
# 403 error for any unauthorized ip to the admin pages
RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
# first block to allow #
RewriteCond %{REMOTE_ADDR} !^145\.99\.2.+\..+$
# another block
RewriteCond %{REMOTE_ADDR} !^100\.100\.135\.94$
RewriteCond %{REMOTE_ADDR} !^100\.102\..{1,3}\..{1,3}$

RewriteRule ^(.*)$ - [R=403,L]
</IfModule>

# BEGIN protect xmlrpc.php
<files xmlrpc.php>
order deny,allow
deny from all
# wordpress com because of publicize.
allow from 192.0.64.0/18
# my ISP ips
allow from 200.48.208.0/20
</files>
# END protect xmlrpc.php


Just add this at the top of the WordPress .htaccess file; you can add as many authorized IPs as you need.
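The jail settings from the first post (maxretry, findtime, bantime) and the failregex set in the wordpress.conf filter above decide together when a host gets banned. The following added example (not code from the thread or from the fail2ban project) replays constructed /var/log/messages lines through the same eight failregex bodies and applies fail2ban's findtime/maxretry counting rule, so you can see which hosts a given jail would ban before touching a server. The syslog prefix used in place of fail2ban's %(__prefix_line)s, the log lines and the addresses are all assumptions constructed for the example; it does not reproduce the backend (polling vs. gamin) behaviour, only the matching and counting.

```python
"""Replay constructed syslog lines through the wordpress filter's failregex
set and a jail's findtime/maxretry window (added example, not from the thread)."""
import re
from collections import defaultdict
from datetime import datetime

# Simplified stand-in for fail2ban's %(__prefix_line)s (an assumption):
# "Aug 11 09:40:01 host wordpress(site)[pid]: " as written by the WP fail2ban plugin.
PREFIX_LINE = r"\w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \S+ wordpress(?:\([^)]*\))?(?:\[\d+\])?: "
# fail2ban's <HOST> alias, as documented in the filter's comment block.
HOST = r"(?P<host>(?:::f{4,6}:)?[\w\-.^_]+)"

# The eight failregex bodies from /etc/fail2ban/filter.d/wordpress.conf above.
FAILREGEX = [
    re.compile("^" + PREFIX_LINE + body.replace("<HOST>", HOST) + "$")
    for body in (
        r"Authentication failure for .* from <HOST>",
        r"Authentication attempt for unknown user .* from <HOST>",
        r"Blocked user enumeration attempt from <HOST>",
        r"Blocked authentication attempt for .* from <HOST>",
        r"Pingback error .* generated from <HOST>",
        r"Spam comment \d+ from <HOST>",
        r"XML-RPC authentication attempt for unknown user .* from <HOST>",
        r"XML-RPC multicall authentication failure from <HOST>",
    )
]

# Constructed sample log: one host hammering logins, one host with two
# failures far apart, and an unrelated httpd line that must not match.
LOG = """\
Aug 11 09:40:01 sme wordpress(example.org)[4321]: Authentication failure for admin from 203.0.113.7
Aug 11 09:40:03 sme wordpress(example.org)[4321]: Authentication attempt for unknown user root from 203.0.113.7
Aug 11 09:40:05 sme wordpress(example.org)[4321]: XML-RPC multicall authentication failure from 203.0.113.7
Aug 11 09:41:10 sme wordpress(example.org)[4322]: Authentication failure for editor from 198.51.100.20
Aug 11 09:41:12 sme httpd: GET /wp-login.php 200
Aug 11 11:00:00 sme wordpress(example.org)[4323]: Authentication failure for editor from 198.51.100.20
"""
LINES = LOG.splitlines()


def matched_host(line):
    """Return the <host> group of the first failregex that matches, else None."""
    for rx in FAILREGEX:
        m = rx.match(line)
        if m:
            return m.group("host")
    return None


def count_matches(lines):
    """Count failregex hits per host, the way `fail2ban-regex` reports them."""
    counts = defaultdict(int)
    for line in lines:
        host = matched_host(line)
        if host is not None:
            counts[host] += 1
    return dict(counts)


def _seconds(line):
    # Syslog timestamps carry no year; only differences matter here.
    ts = datetime.strptime(line[:15], "%b %d %H:%M:%S")
    return (ts - datetime(1900, 1, 1)).total_seconds()


def decide_bans(lines, findtime=3600, maxretry=3):
    """Ban a host once it accumulates `maxretry` hits within `findtime` seconds.
    Returns the banned hosts in the order the bans would be issued."""
    window = defaultdict(list)
    banned = []
    for line in lines:
        host = matched_host(line)
        if host is None or host in banned:
            continue
        now = _seconds(line)
        # Keep only hits still inside the findtime window, then add this one.
        hits = [t for t in window[host] if now - t <= findtime] + [now]
        window[host] = hits
        if len(hits) >= maxretry:
            banned.append(host)
    return banned


if __name__ == "__main__":
    print("hits per host:", count_matches(LINES))
    print("[wordpress-hard] maxretry=3:", decide_bans(LINES, 3600, 3))
    print("[wordpress] maxretry=1:", decide_bans(LINES, 3600, 1))
```

With maxretry=3 only the host with three failures inside a minute is banned; the host whose two failures are more than findtime apart never reaches the threshold. With the stricter maxretry=1 jail from the later post, both hosts are banned on their first match.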
Title: Re: Wordpress & Fail2Ban
Post by: Jean-Philippe Pialasse on April 10, 2019, 05:27:50 AM
I have added your solution to fail2ban and also added a filter for xmlrpc.

Can you please test and report here: https://bugs.contribs.org/show_bug.cgi?id=9709

This is highly tweakable.

Please do not try this on your production server!
Title: Re: Wordpress & Fail2Ban
Post by: Jean-Philippe Pialasse on July 19, 2019, 04:54:06 AM
Update of the wiki:

https://wiki.contribs.org/Wordpress#Fail2Ban