We have talked with the needed basics though iptables Basics : Chapter 1, Creating root user with sudo privilege on Fail2Ban iptables Basics : Chapter 2. We talked about OSI model and of course easy article on how and what steps, works to perform on a blank new server. Chapter 3 Describes Configuring Fail2Ban With WordPress to Give Ultimate Protection. Thus We Secured OSI Model’s All Layers Which are Within Our Reach.
iptables Basics Chapter 3 : Prerequisites
You should read the above three iptables related articles and configure your server. You should not mix up following tutorials from this and that website on your server. We are describing method for Ubuntu server 16.04 LTS running Nginx latest version with PHP7.0-FPM. A running WordPress website is obviously needed for this guide. Other PHP-MySQL web application will work in the same way. We are assuming that /usr/share/nginx/html/ is the path of WordPress installation.
Above image is best seen on full size by clicking here.
---
iptables Basics : Chapter 3, Configuring Fail2Ban With WordPress
First install a WordPress Plugin from WordPress admin named WP Fail2Ban Redux, details of which can seen here :
1 | https://wordpress.org/plugins/wp-fail2ban-redux/ |
it is a fork of popular plugin WP Fail2Ban. It controls Failed XML-RPC authentication attempts, successful authentication attempts, failed wp-login.php authentication attempts, pingback requests, blocked user enumeration attempts, authentication attempts for blocked usernames and spammed comments. It is for PHP7.0. Install and activate the plugin first.
From SSH screen, cd to where your WordPress installation’s plugins directory is located, like :
1 | /usr/share/nginx/html/wp-content/plugins |
cd to wp-fail2ban-redux directory. If you do a ls, you will see these directories :
1 | classes config languages README.md readme.txt wp-fail2ban-redux.php |
If you cd to config/filters of that wp-fail2ban-redux directory and do a ls, you’ll see 2 files :
1 | wordpress-hard.conf wordpress-soft.conf |
Now, cd to /etc/fail2ban/filter.d directory and do a ls. There will be lot of files for SSH, PAM, Nginx etc. Copy both files to that directory from wp-fail2ban-redux directory :
1 2 | cp /usr/share/nginx/html/wp-content/plugins/wp-fail2ban-redux/config/filters/wordpress-hard.conf /etc/fail2ban/filter.d cp /usr/share/nginx/html/wp-content/plugins/wp-fail2ban-redux/config/filters/wordpress-soft.conf /etc/fail2ban/filter.d |
In that WordPress installation’s plugins wp-fail2ban-redux directory’s wp-fail2ban-redux/config/jail location, there is another file named wordpress.conf file :
1 2 3 | cd /usr/share/nginx/html/wp-content/plugins/wp-fail2ban-redux/config/jail ls cat wordpress.conf |
highlight and copy only this part from the SSH output :
1 2 3 4 5 6 | [wordpress-hard] enabled = true filter = wordpress-hard logpath = /var/log/auth.log maxretry = 2 port = http,https |
Now open jail.local from /etc/fail2ban/jail.local location and add that stanza at the bottom :
1 2 3 4 5 6 7 8 | nano /etc/fail2ban/jail.local # paste and save # restart fail2bain sudo service fail2ban restart # check fail2ban service sudo service fail2ban status # check whether we did correct or not sudo fail2ban-client status wordpress-hard |
You will get output like :
1 2 3 4 5 6 7 8 9 | Status for the jail: wordpress-hard |- Filter | |- Currently failed:0 | |- Total failed: 40 | `- File list: /var/log/auth.log `- Actions |- Currently banned:1 |- Total banned: 1 `- Banned IP list: 91.200.12.155 |
It is an optional step. Open logrotate.conf :
1 | sudo nano /etc/logrotate.conf |
Add this stanza :
1 2 3 4 5 | /var/log/auth.log { size 30k create 0600 root root rotate 4 } |
It is to set the maximum size of the file, permissions of the file, and the number of weeks (4 in above example) that file will not become /var/log/auth.log.1. It is auto cleaning system in GNU/Linux preserving the record in different file. You can cat on these files :
1 | cat /var/log/auth.log |
I got something like this :
1 2 3 4 5 6 7 8 9 | Sep 15 00:06:03 thecustomizewindows wp(thecustomizewindows.com)[3431]: Authentication failure for abhishek from 91.200.12.155 Sep 15 00:06:05 thecustomizewindows wp(thecustomizewindows.com)[3411]: Authentication failure for abhishek from 91.200.12.155 Sep 15 00:06:06 thecustomizewindows wp(thecustomizewindows.com)[3411]: Authentication failure for abhishek from 91.200.12.155 Sep 15 00:06:07 thecustomizewindows wp(thecustomizewindows.com)[3431]: Authentication failure for abhishek from 91.200.12.155 Sep 15 00:06:09 thecustomizewindows wp(thecustomizewindows.com)[3411]: Authentication failure for abhishek from 91.200.12.155 Sep 15 00:06:10 thecustomizewindows wp(thecustomizewindows.com)[3411]: Authentication attempt for unknown user Articles from 91.200.12.155 Sep 15 00:06:13 thecustomizewindows wp(thecustomizewindows.com)[3431]: Authentication attempt for unknown user Articles from 91.200.12.155 Sep 15 00:06:14 thecustomizewindows wp(thecustomizewindows.com)[3411]: Authentication attempt for unknown user Articles from 91.200.12.155 Sep 15 00:06:16 thecustomizewindows wp(thecustomizewindows.com)[3431]: Authentication attempt for unknown user Articles from 91.200.12.155 |
Like we say not to allow root user to do SSH but a custom username with sudo privilege, for WordPress you should not use the publicly available name as username to login. I can drop that IP :
1 | iptables -D INPUT -s 91.200.12.155 -j DROP |
If I run a cat on cat /var/log/fail2ban.log file :
1 | cat /var/log/fail2ban.log |
I will find :
1 2 3 4 5 6 7 | 2016-09-15 00:08:49,614 fail2ban.jail [3667]: INFO Creating new jail 'wordpress-hard' 2016-09-15 00:08:49,614 fail2ban.jail [3667]: INFO Jail 'wordpress-hard' uses poller ... 2016-09-15 00:08:49,727 fail2ban.actions [3667]: NOTICE [sshd] Ban 109.61.246.109 2016-09-15 00:08:49,811 fail2ban.jail [3667]: INFO Jail 'wordpress-hard' started 2016-09-15 00:38:06,690 fail2ban.filter [3980]: INFO [wordpress-hard] Found 91.200.12.155 2016-09-15 00:38:07,484 fail2ban.actions [3980]: NOTICE [wordpress-hard] 91.200.12.155 already banned |
There is nothing to explain. If you add this to Nginx server block :
1 2 3 4 5 | location ~ ^/(wp-admin|wp-login\.php) { allow 127.0.0.1; allow your.server.IP.address; deny all; } |
You can make it a file named wp-login-ban.conf. Then call the file by including on Nginx server block :
1 | include /path/to/wp-login-ban.conf |
Perform nginx -t and do service nginx restart.
These problems with attack on wp-login.php will get reduced. We never use WordPress backend 24*7 unlike official WordPress website. Before writing posts and doing other works i.e. logging to WordPress, you can comment out that :
1 | # include /path/to/wp-login-ban.conf |
Perform nginx -t and do service nginx restart. Previously we talked about how Nginx, PHP5-FPM behaves on WordPress XML-RPC attack fakes PHP-FPM errors and how to fix. You can ban those IP from iptables too.
