Using fail2ban to stop WordPress attacks on Administrator



There is a plugin for WordPress that works with fail2ban, so you can lock out persistent invalid-password attempts at the firewall: http://wordpress.org/plugins/wp-fail2ban/. It works by logging login attempts and comes with a filter too.

However, with so many attacks on admin or administrator, which no one should really use anyway, I have written another filter so you can block these pointless attacks the first time they happen (while still allowing your regular users a reasonable number of attempts).

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

_daemon = wordpress

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
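# The case-insensitive flag is scoped to the user names as (?i:...); a bare
# (?i) in the middle of a pattern is an error in Python 3.11 and later.
failregex = ^%(__prefix_line)s(Authentication failure|Blocked authentication attempt) for (?i:admin|administrator|adminadmin) from <HOST>$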

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =

 

Put the above code into a file called wordpress-admin.conf, place it in your fail2ban/filter.d directory, and then add

[wordpress-admin]
enabled = true
filter = wordpress-admin
action = iptables-multiport[name=WORDPRESS-ADMIN, port="http,https", protocol=tcp]
         sendmail-buffered[name=WORDPRESS-ADMIN, lines=100, dest=yourname@yourdomain]
logpath = /var/log/messages
maxretry = 1
findtime = 600
bantime = 604800

to your jail.local.

Restart fail2ban and you are all set to ban, for a week, any IPs that use admin, administrator or adminadmin.
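
A way to sanity-check the filter's pattern before relying on it, as an added example that is not part of the original post: the Python below applies the failregex to constructed log lines. `PREFIX_LINE`, `HOST` and `TIMESTAMP` are simplified stand-ins assumed here for what fail2ban itself supplies, and `hosts_to_ban` is a hypothetical helper.

```python
import re

# Assumed, simplified stand-ins for what fail2ban substitutes when it loads the
# filter: __prefix_line (common.conf, with _daemon = wordpress) and <HOST>.
PREFIX_LINE = r"(?:\S+\s+)?wordpress(?:\(\S+\))?(?:\[\d+\])?:\s+"
HOST = r"(?P<host>[\w\-.^_:]+)"

# The filter's pattern, with the case-insensitive flag scoped to the user names.
FAILREGEX = re.compile(
    r"^" + PREFIX_LINE
    + r"(Authentication failure|Blocked authentication attempt) for "
    + r"(?i:admin|administrator|adminadmin) from " + HOST + r"$"
)

# fail2ban strips the timestamp before applying failregex; mimic that here.
TIMESTAMP = re.compile(r"^\w{3}\s+\d+\s+[\d:]{8}\s+")

# Constructed sample lines: documentation IP ranges, hypothetical host "web1".
P = "web1 wordpress(example.com)[2211]: "
SAMPLE_LOG = "\n".join([
    "Jan 12 03:14:07 " + P + "Authentication failure for admin from 192.0.2.10",
    "Jan 12 03:14:09 " + P + "Authentication failure for Administrator from 198.51.100.7",
    "Jan 12 03:15:30 " + P + "Blocked authentication attempt for ADMINADMIN from 203.0.113.5",
    "Jan 12 03:16:02 " + P + "Authentication failure for alice from 192.0.2.44",
    "Jan 12 03:16:40 " + P + "Authentication failure for admin2 from 192.0.2.45",
    "Jan 12 03:17:01 " + P + "Accepted password for admin from 192.0.2.46",
    # User-name field embedding a second " from <ip>": the $ anchor and the
    # space-free host class stop the line from matching at all.
    "Jan 12 03:18:00 " + P + "Authentication failure for admin from 203.0.113.99 from 192.0.2.50",
    "Jan 12 03:18:20 web1 sshd[900]: Authentication failure for admin from 192.0.2.47",
])

def hosts_to_ban(log_text):
    """Return hosts the filter reports; with maxretry = 1 each is banned at once."""
    hosts = []
    for line in log_text.splitlines():
        m = FAILREGEX.search(TIMESTAMP.sub("", line))
        if m and m.group("host") not in hosts:
            hosts.append(m.group("host"))
    return hosts

if __name__ == "__main__":
    for host in hosts_to_ban(SAMPLE_LOG):
        print("ban", host)
```

On the server itself, fail2ban's `fail2ban-regex` tool, given the log file and the filter file as arguments, runs the real filter against the real log.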
