There is a plugin for WordPress that works with fail2ban so you can lock out, at the firewall, persistent attempts at invalid passwords: http://wordpress.org/plugins/wp-fail2ban/. It works on login attempts and has a filter too.
However, with so many attacks on admin or administrator, which no one should really use anyway, I have written another filter so you can block these pointless attacks the first time they happen (while still allowing your regular users a reasonable number of attempts).
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf
[Definition]
_daemon = wordpress
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
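# (?i) sits at the start of the pattern: Python 3.11+ rejects global inline
# flags anywhere else in a regex.
failregex = (?i)^%(__prefix_line)s(Authentication failure|Blocked authentication attempt) for (admin|administrator|adminadmin) from <HOST>$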
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
Put the above code into a file called wordpress-admin.conf, place it in your fail2ban/filter.d directory, and then add
[wordpress-admin]
enabled = true
filter = wordpress-admin
action = iptables-multiport[name=WORDPRESS-ADMIN, port="http,https", protocol=tcp]
         sendmail-buffered[name=WORDPRESS-ADMIN, lines=100, dest=yourname@yourdomain]
logpath = /var/log/messages
maxretry = 1
findtime = 600
bantime = 604800
to your jail.local.
Restart fail2ban and you are all set to ban, for a week, any IPs that use admin, administrator or adminadmin.
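To check which log lines the filter above would act on before enabling the jail, here is an added Python example (not part of the original post or of fail2ban) that applies the same pattern to constructed syslog lines. `PREFIX` and `HOST` are simplified stand-ins, assumed here, for fail2ban's `%(__prefix_line)s` and `<HOST>`; the sample lines and addresses are constructed.

```python
import re

# Assumptions: simplified stand-ins for fail2ban's %(__prefix_line)s and <HOST>.
PREFIX = r".*?\bwordpress(?:\(\S+\))?(?:\[\d+\])?:\s+"
HOST = r"(?P<host>[0-9A-Fa-f:.]+)"

# Same message and user names as the filter; the user name is matched
# case-insensitively, as the (?i) in the filter intends.
FAILREGEX = re.compile(
    r"^" + PREFIX
    + r"(?:Authentication failure|Blocked authentication attempt) for "
    + r"(?i:admin|administrator|adminadmin) from " + HOST + r"$"
)

MAXRETRY = 1  # same value as the jail: ban on the first matching line

# Constructed sample log lines (documentation address ranges).
SAMPLE_LOG = """\
Jan  5 10:15:01 web1 wordpress(example.com)[1234]: Authentication failure for admin from 203.0.113.7
Jan  5 10:15:09 web1 wordpress(example.com)[1234]: Authentication failure for alice from 198.51.100.20
Jan  5 10:16:30 web1 wordpress(example.com)[1240]: Blocked authentication attempt for Administrator from 198.51.100.99
Jan  5 10:17:02 web1 wordpress(example.com)[1241]: Accepted password for admin from 192.0.2.10
Jan  5 10:17:45 web1 wordpress(example.com)[1242]: Authentication failure for admin2 from 192.0.2.55
Jan  5 10:18:11 web1 wordpress(example.com)[1243]: Authentication failure for adminadmin from 2001:db8::5
"""


def hosts_to_ban(log_text, maxretry=MAXRETRY):
    """Return the sorted hosts whose matching lines reach maxretry."""
    hits = {}
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if m:
            hits[m["host"]] = hits.get(m["host"], 0) + 1
    return sorted(h for h, n in hits.items() if n >= maxretry)


if __name__ == "__main__":
    for host in hosts_to_ban(SAMPLE_LOG):
        print("would ban:", host)
```

Failures for ordinary user names such as alice or admin2 do not match, so those users are left to whatever retry limit the plugin's own filter applies.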