Fail2Ban - WordPress Login

Hello,

My server is currently undergoing intense brute-force attacks against WordPress login pages. All my websites are extremely slow due to these attacks. I have 40+ websites on my server.
I searched for a way to block all these attacks at once with fail2ban and found a lot of tutorials, but none of them are working for me. I’m still receiving attacks and, while testing, I’m not getting blocked.
I’m using Hestia 1.3.0 with Nginx + PHP-FPM.

Does anyone have a working tutorial?

Thank you

Now I’m using the WP Fail2Ban plugin on one of the websites and still having no luck. I copied the filter.d/* files to /etc/fail2ban/filter.d and am using this in nano /etc/fail2ban/jail.local:

...
[wordpress-hard]
enabled = true
filter = wordpress-hard
logpath = /var/log/messages
maxretry = 1
port = http,https

I already restarted the fail2ban service. Does anyone know what I am missing? Thank you

Probably the log path is wrong; the attacks didn't get logged there because the user doesn't have enough rights to write to those specific logs. I don't know where WordPress logs these messages by default.

You probably want to install the Wordfence plugin, as well as start protecting your websites behind Cloudflare. Also, you could start blocking the attacker IPs with iptables; for this step, check the access logs of each of your websites.

Welcome to the real life of a sysadmin :)

You’re right, I changed the log path to /var/log/nginx/domains/*.log and it’s working now. I’ll check the Wordfence and Cloudflare solutions. I used the free Cloudflare plan in the past but I was getting problems with Let's Encrypt renewals. I’ll try again soon. Thanks a lot.

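The nginx per-domain access logs mentioned above record every login attempt as a POST to wp-login.php. The following is an added example, not code from any poster in this thread and not fail2ban's own code: it applies maxretry/findtime-style counting to such lines. The combined log format, the function name `find_offenders`, and the sample lines are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# nginx "combined" log format (assumed): ip - user [time] "METHOD path PROTO" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def find_offenders(lines, maxretry=3, findtime=600):
    """IPs reaching `maxretry` failed wp-login.php POSTs within `findtime`
    seconds, in the order they crossed the threshold."""
    recent = defaultdict(deque)  # ip -> timestamps of recent failed POSTs
    offenders = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # GETs only render the login form
        # Drop the query string so /wp-login.php?action=... still counts.
        if not m["path"].split("?", 1)[0].endswith("/wp-login.php"):
            continue
        # WordPress redirects (302) after a successful login and re-renders
        # the form with 200 after a failed one, so count only 200s.
        if m["status"] != "200":
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        window = recent[m["ip"]]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()  # forget attempts older than findtime
        if len(window) >= maxretry and m["ip"] not in offenders:
            offenders.append(m["ip"])
    return offenders

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [12/Mar/2021:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "-"',
    '203.0.113.7 - - [12/Mar/2021:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "-"',
    '198.51.100.20 - - [12/Mar/2021:10:00:03 +0000] "GET /wp-login.php HTTP/1.1" 200 3980 "-" "-"',
    '203.0.113.7 - - [12/Mar/2021:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "-"',
    '192.0.2.55 - - [12/Mar/2021:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "-"',
    '198.51.100.20 - - [12/Mar/2021:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"',
    '192.0.2.55 - - [12/Mar/2021:10:30:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "-"',
]

if __name__ == "__main__":
    print(find_offenders(SAMPLE))
```

To check an actual filter against an actual log, fail2ban ships the `fail2ban-regex` tool, which takes the log file and the filter file as arguments.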

I suggest adding Apache basic auth to the login page. It stops the attack before it generates any PHP, which is the CPU-intensive part.
E.g., create a file in /home/user/conf/web/domain.com/apache2.conf_secure and apache2.ssl.conf_secure with the following:

<Files wp-login.php>
 AuthUserFile /path/to/file
 AuthName "Private"
 AuthType Basic
 require valid-user
</Files>

If you have 40 sites, you could probably automate this.

You could also try this:

Settings (Cog icon at the top) > Firewall > Manage IP Lists > Add IP list > Type a name (1st box), select [ipv4] Block Malicious IPs (2nd box) > Save

This will block a lot of malicious IPs which might be taking part in the attacks.

Next have a look at this post which might save you some more system resources.
