{"id":135,"date":"2015-09-22T20:41:35","date_gmt":"2015-09-22T20:41:35","guid":{"rendered":"http:\/\/www.ilovesecure.com\/?p=135"},"modified":"2018-10-05T18:54:15","modified_gmt":"2018-10-05T18:54:15","slug":"protect-wordpress-login-with-fail2ban","status":"publish","type":"post","link":"https:\/\/www.ilovesecure.com\/index.php\/2015\/09\/22\/protect-wordpress-login-with-fail2ban\/","title":{"rendered":"Protect WordPress Login with Fail2Ban"},"content":{"rendered":"<p>Brute force login is one of the most common attacks against a WordPress site.<br \/>\nWe want to block people after the 3rd wrong login; to be precise, we will block any IP from which we receive 3 failed login attempts in a short time.<br \/>\nLet&#8217;s see how to do it:<\/p>\n<h2>Prerequisite:<\/h2>\n<ul>\n<li>your WordPress is installed on a Linux box<\/li>\n<li>you are the administrator (root access to the box)<\/li>\n<li>you have installed Fail2Ban following the guide <a href=\"http:\/\/www.ilovesecure.com\/index.php\/2015\/09\/03\/protect-ssh-login-of-your-linux-server-with-fail2ban\/\">Protect SSH login with fail2ban<\/a><\/li>\n<\/ul>\n<h2>How fail2ban works<\/h2>\n<p>Fail2ban is a service that monitors log files for specific events and triggers a command (by default an iptables rule that rejects the source IP) when a defined number of events from the same IP happen within a defined amount of time; in the jail configuration these two values are called maxretry and findtime.<br \/>\nFirst of all we need a log file where the events we want to monitor are written.<br \/>\nThere are 2 possible choices. We can use the Apache HTTP access log, where there is a line every time the login page (wp-login.php) is requested, and assume that an IP requesting the login page many times is trying to log in many times. This assumption is not very precise: it is a proxy of what we want to monitor (every successful login also requests that page) and can create false positives. The second choice is to use a specific plugin in charge of writing a line to a log file every time there is a failed login attempt. 
This is a more accurate record of the event &#8220;failed login&#8221;.<br \/>\nWe chose the &#8220;WP fail2ban&#8221; plugin; you can find a detailed description on the\u00a0<a href=\"https:\/\/wordpress.org\/plugins\/wp-fail2ban\/\" target=\"_blank\" rel=\"noopener\">WP Fail2ban<\/a> page.<br \/>\n1. Install the WP fail2ban plugin from your dashboard<br \/>\n2. Activate the plugin<br \/>\nFrom this moment all your failed logins are logged through syslog with date, time, IP, etc. Where the lines end up depends on the syslog configuration of the box: in our case (CentOS 6.7 with the default rsyslog setup) they go to \/var\/log\/messages, on Debian or Ubuntu you will typically find them in \/var\/log\/auth.log. Check with one failed login before writing the jail, because the logpath below must point at that file.<\/p>\n<h2>Configure fail2ban to intercept failed login<\/h2>\n<p>Create in \/etc\/fail2ban\/filter.d (singular: this is the directory fail2ban reads filters from) a filter file called wordpress.conf<\/p>\n<div class=\"linux-command\">vi \/etc\/fail2ban\/filter.d\/wordpress.conf<\/div>\n<p>with this content (&lt;HOST&gt; is written literally, it is the fail2ban placeholder for the address to ban, and the continuation lines of failregex must be indented):<\/p>\n<div class=\"linux-command\"># Fail2Ban configuration file<br \/>\n#<br \/>\n# Author: Charles Lecklider<br \/>\n#<br \/>\n<br \/>\n[INCLUDES]<br \/>\n<br \/>\n# Read common prefixes. If any customizations available &#8212; read them from<br \/>\n# common.local<br \/>\nbefore = common.conf<br \/>\n<br \/>\n[Definition]<br \/>\n<br \/>\n_daemon = wordpress<br \/>\n<br \/>\n# Option: failregex<br \/>\n# Notes.: regex to match the password failures messages in the logfile. The<br \/>\n# host must be matched by a group named &#8220;host&#8221;. The tag &#8220;&lt;HOST&gt;&#8221; can<br \/>\n# be used for standard IP\/hostname matching and is only an alias for<br \/>\n# (?:::f{4,6}:)?(?P&lt;host&gt;[\\w\\-.^_]+)<br \/>\n# Values: TEXT<br \/>\n#<br \/>\nfailregex = ^%(__prefix_line)sAuthentication failure for .* from &lt;HOST&gt;$<br \/>\n            ^%(__prefix_line)sBlocked authentication attempt for .* from &lt;HOST&gt;$<br \/>\n            ^%(__prefix_line)sBlocked user enumeration attempt from &lt;HOST&gt;$<br \/>\n            ^%(__prefix_line)sPingback requested from &lt;HOST&gt;$<br \/>\n<br \/>\n# Option: ignoreregex<br \/>\n# Notes.: regex to ignore. 
If this regex matches, the line is ignored.<br \/>\n# Values: TEXT<br \/>\n#<br \/>\nignoreregex =<\/div>\n<p>If you prefer, you can find this file in the plugin directory and copy it directly into \/etc\/fail2ban\/filter.d. Note that the last failregex line counts every XML-RPC pingback request as a failure: if your site legitimately receives pingbacks, remove that line or you will ban the blogs that link to you.<br \/>\nAfter you create this filter, add the jail. Put it in \/etc\/fail2ban\/jail.local instead of jail.conf: jail.conf is replaced when the fail2ban package is updated, while settings in jail.local override it and survive (create the file if it does not exist yet)<\/p>\n<div class=\"linux-command\">#&gt; vi \/etc\/fail2ban\/jail.local<\/div>\n<p>and add these lines<\/p>\n<div class=\"linux-command\">[wordpress-ddos]<br \/>\nenabled = true<br \/>\nport = http,https<br \/>\nfilter = wordpress<br \/>\nlogpath = \/var\/log\/messages<br \/>\nmaxretry = 3<br \/>\nfindtime = 600<\/div>\n<p>maxretry and findtime make the &#8220;3 failed attempts in 10 minutes&#8221; threshold explicit instead of inheriting whatever the [DEFAULT] section of your fail2ban version sets (newer releases default to 5 retries). Then restart fail2ban with<\/p>\n<div class=\"linux-command\">#&gt; service fail2ban restart<\/div>\n<p>Your protection is active. You can check that the jail loaded with &#8220;fail2ban-client status wordpress-ddos&#8221;.<\/p>\n<h2>How to test it:<\/h2>\n<p>&#8211; write a wrong password during login in WP, then check that in \/var\/log\/messages you see a line about the failed login. This is the confirmation that the plugin is working. You can also run the filter against the log with &#8220;fail2ban-regex \/var\/log\/messages \/etc\/fail2ban\/filter.d\/wordpress.conf&#8221;, which reports how many lines match.<br \/>\n&#8211; fail the login 3 times within a few minutes from an address that is not in ignoreip and you should no longer be able to access any page of your WP from that address. Only ports 80 and 443 are blocked, which means you will still be able to ssh to your server.<\/p>\n<h2>How to remove an IP from the block<\/h2>\n<p>First of all, put all the fixed IPs you connect from in \/etc\/fail2ban\/jail.local, in the ignoreip option of the [DEFAULT] section (space-separated addresses or CIDR ranges) so that it applies to every jail.<br \/>\nThis protects your locations with a fixed IP from being banned. 
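<\/p>\n<p>The filter, the maxretry and findtime thresholds and the ignoreip list are easier to reason about when you can replay them against a few log lines without touching the server. The Python script below is an added example and is not code from the original post or from the WP fail2ban plugin: it expands the HOST tag the way fail2ban does, applies the four failregex lines of the filter to a constructed sample of syslog lines, counts the matches of each address inside a sliding findtime window and reports which addresses the wordpress-ddos jail would ban with maxretry = 3 and findtime = 600 seconds, never counting an address covered by ignoreip. The syslog prefix it matches is a simplified stand-in for the __prefix_line of common.conf, and the host name, site name and addresses in the sample are made up for the example.<\/p>\n
```python
# Added example: a Python replay of what fail2ban does with the wordpress
# filter and the [wordpress-ddos] jail. Not code from the original post or
# from the WP fail2ban plugin; the log lines below are constructed.
import ipaddress
import re
from datetime import datetime

# fail2ban expands the HOST tag to essentially this pattern (see the comment in
# the filter file). The capturing group is unnamed here; fail2ban names it host.
HOST = '(?:::f{4,6}:)?([\\w\\-.^_]+)'

# Simplified stand-in for %(__prefix_line)s (an assumption of this example; the
# real one in common.conf is more permissive): syslog timestamp, host name and
# the 'wordpress(site)[pid]:' tag the plugin uses. Group 1 is the timestamp.
PREFIX = '^([A-Z][a-z]{2} +\\d+ \\d\\d:\\d\\d:\\d\\d) \\S+ wordpress\\(\\S+\\)\\[\\d+\\]: '

# The four failregex lines of filter.d/wordpress.conf with HOST expanded.
# Group 1 is the timestamp, group 2 the attacker address.
FAILREGEX = [
    re.compile(PREFIX + 'Authentication failure for .* from ' + HOST + '$'),
    re.compile(PREFIX + 'Blocked authentication attempt for .* from ' + HOST + '$'),
    re.compile(PREFIX + 'Blocked user enumeration attempt from ' + HOST + '$'),
    re.compile(PREFIX + 'Pingback requested from ' + HOST + '$'),
]

# Constructed sample of /var/log/messages (not real data): a fast attacker,
# three failures from the administrator's own fixed IP, a slow user-enumeration
# scan, and an unrelated sshd line that the wordpress filter must not match.
SAMPLE_LOG = [
    'Sep 22 20:41:35 web1 wordpress(www.example.com)[1234]: Authentication failure for admin from 203.0.113.7',
    'Sep 22 20:41:52 web1 sshd[2000]: Failed password for root from 203.0.113.7 port 5555 ssh2',
    'Sep 22 20:42:10 web1 wordpress(www.example.com)[1234]: Authentication failure for admin from 203.0.113.7',
    'Sep 22 20:43:01 web1 wordpress(www.example.com)[1234]: Blocked user enumeration attempt from 198.51.100.20',
    'Sep 22 20:44:30 web1 wordpress(www.example.com)[1234]: Authentication failure for editor from 203.0.113.7',
    'Sep 22 20:45:00 web1 wordpress(www.example.com)[1234]: Authentication failure for admin from 192.0.2.10',
    'Sep 22 20:45:10 web1 wordpress(www.example.com)[1234]: Authentication failure for admin from 192.0.2.10',
    'Sep 22 20:45:20 web1 wordpress(www.example.com)[1234]: Authentication failure for admin from 192.0.2.10',
    'Sep 22 21:10:00 web1 wordpress(www.example.com)[1234]: Blocked user enumeration attempt from 198.51.100.20',
    'Sep 22 21:30:00 web1 wordpress(www.example.com)[1234]: Blocked user enumeration attempt from 198.51.100.20',
]


def match_failure(line):
    # Return (timestamp, ip) if the line matches one of the failregex patterns,
    # otherwise None. This is what fail2ban does for every new log line.
    for pattern in FAILREGEX:
        m = pattern.match(line)
        if m:
            # syslog timestamps carry no year; strptime fills in 1900, which is
            # fine because only differences between timestamps matter here.
            return datetime.strptime(m.group(1), '%b %d %H:%M:%S'), m.group(2)
    return None


def is_ignored(ip, ignoreip):
    # True if ip is covered by an address or CIDR range of the ignoreip list.
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        # HOST also admits host names; this example only whitelists addresses.
        return False
    return any(addr in ipaddress.ip_network(net, strict=False) for net in ignoreip)


def find_bans(lines, maxretry=3, findtime=600, ignoreip=('127.0.0.1/8',)):
    # Replay the lines the way the jail would and return {ip: time_of_ban} for
    # every address that produced maxretry matches within findtime seconds.
    # Addresses in ignoreip are never counted; already banned ones are skipped.
    hits = {}
    banned = {}
    for line in lines:
        found = match_failure(line)
        if found is None:
            continue
        ts, ip = found
        if ip in banned or is_ignored(ip, ignoreip):
            continue
        # Keep only the matches still inside the sliding window, then add this one.
        window = [t for t in hits.get(ip, []) if findtime >= (ts - t).total_seconds()]
        window.append(ts)
        hits[ip] = window
        if len(window) >= maxretry:
            banned[ip] = ts
    return banned


if __name__ == '__main__':
    # 192.0.2.10 plays the administrator's fixed address from the ignoreip list.
    for ip, when in find_bans(SAMPLE_LOG, ignoreip=('192.0.2.10',)).items():
        print('ban %s at %s' % (ip, when.strftime('%H:%M:%S')))
```
\n<p>Run as it is, the script bans the fast attacker 203.0.113.7 at 20:44:30 and spares 192.0.2.10, which plays the administrator&#8217;s fixed address. Run it again with findtime=3600 and the slow user-enumeration scanner at 198.51.100.20 is banned as well: a longer window catches slow attacks at the price of also banning a clumsy but legitimate user. To check the real filter against the real log on the server, use fail2ban-regex rather than this script.<\/p>\n<p>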
In case it happened anyway, first of all login via ssh into your server (the WordPress jail only blocks http and https).<br \/>\nThe cleanest way is to ask fail2ban itself to lift the ban, so that its own list of banned addresses stays consistent with the firewall:<\/p>\n<div class=\"linux-command\">#&gt; fail2ban-client set wordpress-ddos unbanip ee.ff.gg.hh<\/div>\n<p>Alternatively, check the status of your firewall<\/p>\n<div class=\"linux-command\">#&gt; service iptables status<br \/>\n&#8230;<br \/>\nChain FORWARD (policy ACCEPT)<br \/>\nnum target prot opt source destination<br \/>\n<br \/>\nChain OUTPUT (policy ACCEPT)<br \/>\nnum target prot opt source destination<br \/>\n<br \/>\nChain f2b-SSH (1 references)<br \/>\nnum target prot opt source destination<br \/>\n1 REJECT all &#8212; aa.bb.cc.dd 0.0.0.0\/0 reject-with icmp-port-unreachable<br \/>\n2 REJECT all &#8212; ee.ff.gg.hh 0.0.0.0\/0 reject-with icmp-port-unreachable<br \/>\n3 RETURN all &#8212; 0.0.0.0\/0 0.0.0.0\/0<br \/>\n&#8230;<\/div>\n<p>As you can see there is the list of each chain (FORWARD, OUTPUT, f2b-SSH, &#8230;) with its rules one by one. This output comes from the SSH jail of the previous guide; the WordPress jail gets its own chain named after the jail, f2b-wordpress-ddos, and its bans are listed there. If you want to remove the block for the IP ee.ff.gg.hh, just ask iptables to delete the 2nd rule of the chain f2b-SSH<\/p>\n<div class=\"linux-command\">iptables -D f2b-SSH 2<\/div>\n<p>Keep in mind that deleting the rule by hand does not tell fail2ban anything: it still considers the address banned until bantime expires, which is why fail2ban-client is the better way.<\/p>\n<p>That&#8217;s all!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Brute force login is one of the most common attacks against a WordPress site. We want to block people after the 3rd wrong login; to be precise, we will block any IP from which we receive 3 failed login attempts in a short time. 
Let&#8217;s see how to do it: Prerequisite: your WordPress is installed on a [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[3,2,32],"tags":[35,6,36,34],"class_list":["post-135","post","type-post","status-publish","format-standard","hentry","category-linux","category-server","category-wordpress","tag-brute-force-attack","tag-fail2ban","tag-iptables","tag-login","no-thumb"],"yoast_head_json":{"title":"Protect WordPress Login with Fail2Ban - I Love Secure","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.ilovesecure.com\/index.php\/2015\/09\/22\/protect-wordpress-login-with-fail2ban\/","og_locale":"en_US","og_type":"article","og_title":"Protect WordPress Login with Fail2Ban - I Love Secure","og_description":"Brute force login is one of the most common attacks against a WordPress site. We want to block people after the 3rd wrong login; to be precise, we will block any IP from which we receive 3 failed login attempts in a short time. 
Let&#8217;s see how to do it: Prerequisite: your WordPress is installed on a [&hellip;]","og_url":"https:\/\/www.ilovesecure.com\/index.php\/2015\/09\/22\/protect-wordpress-login-with-fail2ban\/","og_site_name":"I Love Secure","article_published_time":"2015-09-22T20:41:35+00:00","article_modified_time":"2018-10-05T18:54:15+00:00","author":"secureadm","twitter_card":"summary_large_image","twitter_misc":{"Written by":"secureadm","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/www.ilovesecure.com\/index.php\/2015\/09\/22\/protect-wordpress-login-with-fail2ban\/","url":"https:\/\/www.ilovesecure.com\/index.php\/2015\/09\/22\/protect-wordpress-login-with-fail2ban\/","name":"Protect WordPress Login with Fail2Ban - I Love Secure","isPartOf":{"@id":"https:\/\/www.ilovesecure.com\/#website"},"datePublished":"2015-09-22T20:41:35+00:00","dateModified":"2018-10-05T18:54:15+00:00","author":{"@id":"https:\/\/www.ilovesecure.com\/#\/schema\/person\/4f0f645b7843e70f478415155f2b0b07"},"breadcrumb":{"@id":"https:\/\/www.ilovesecure.com\/index.php\/2015\/09\/22\/protect-wordpress-login-with-fail2ban\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.ilovesecure.com\/index.php\/2015\/09\/22\/protect-wordpress-login-with-fail2ban\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.ilovesecure.com\/index.php\/2015\/09\/22\/protect-wordpress-login-with-fail2ban\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.ilovesecure.com\/"},{"@type":"ListItem","position":2,"name":"Protect WordPress Login with Fail2Ban"}]},{"@type":"WebSite","@id":"https:\/\/www.ilovesecure.com\/#website","url":"https:\/\/www.ilovesecure.com\/","name":"I Love Secure","description":"Security step by 
step","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.ilovesecure.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.ilovesecure.com\/#\/schema\/person\/4f0f645b7843e70f478415155f2b0b07","name":"secureadm","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.ilovesecure.com\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/7ae680ceca3544c8a37149e6254db758ee7c1ecefd5c6ad34aa972b9c5bfd1d0?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/7ae680ceca3544c8a37149e6254db758ee7c1ecefd5c6ad34aa972b9c5bfd1d0?s=96&d=mm&r=g","caption":"secureadm"},"url":"https:\/\/www.ilovesecure.com\/index.php\/author\/secureadm\/"}]}},"_links":{"self":[{"href":"https:\/\/www.ilovesecure.com\/index.php\/wp-json\/wp\/v2\/posts\/135","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ilovesecure.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ilovesecure.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ilovesecure.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ilovesecure.com\/index.php\/wp-json\/wp\/v2\/comments?post=135"}],"version-history":[{"count":14,"href":"https:\/\/www.ilovesecure.com\/index.php\/wp-json\/wp\/v2\/posts\/135\/revisions"}],"predecessor-version":[{"id":194,"href":"https:\/\/www.ilovesecure.com\/index.php\/wp-json\/wp\/v2\/posts\/135\/revisions\/194"}],"wp:attachment":[{"href":"https:\/\/www.ilovesecure.com\/index.php\/wp-json\/wp\/v2\/media?parent=135"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ilovesecure.com\/index.php\/wp-json\/wp\/v2\/categories?post=135"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ilovesecure.
com\/index.php\/wp-json\/wp\/v2\/tags?post=135"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}