Fail2ban WordPress the easy way

Found this article that makes fail2ban work easily with WordPress.

Just thought I would post a segment of it for anyone interested.

Configure Fail2Ban for WordPress

To protect the WordPress admin panel with Fail2Ban, you will need to download the Fail2ban filter configuration file for WordPress. You can download it with the following command:

$ sudo wget https://plugins.svn.wordpress.org/wp-fail2ban/trunk/filters.d/wordpress-hard.conf -O /etc/fail2ban/filter.d/wordpress.conf

Next, create a Jail for WordPress by editing the file jail.local:

$ sudo nano /etc/fail2ban/jail.d/wordpress.conf

Add the following lines:

[wordpress]
enabled = true
filter = wordpress
logpath = /var/log/auth.log
maxretry = 3
port = http,https
bantime = 300

Save and close the file when you are finished then restart the Fail2Ban service to apply the changes.

$ sudo systemctl restart fail2ban


Hi @liamgibbins, I was wondering if it would be possible to adapt these instructions to update crowdsec instead.

I see that WordPress is writing to auth.log. Does it in HestiaCP, or do we need a plugin for that?

Custom plugin

Hello @liamgibbins, I have used your manual and I have not succeeded in configuring fail2ban.

What I have tried so far is to install the WordPress plugin that @eris proposed and then download the wordpress.conf with your command.

The filter in wordpress.conf doesn’t match the entries in /var/log/auth.log so… either it is another plugin or we have to remake the filters.

Crowdsec has its own WordPress plugin that communicates with crowdsec via API and authenticates via token; it also integrates with Cloudflare (just read about it on their website).

Hmm, don’t know why it didn’t work, it’s direct from WordPress, hmm weird.

Way back when I first installed WordPress I used:

Jail:

[wordpress]
enabled = true
ignoreip = [my primary ip I use to admin the server]
port = http,https
filter = wordpress
action = iptables-multiport[name=wordpress, port="http,https", protocol=tcp]
logpath = /var/log/apache2/domains/*.log
maxretry = 5
findtime = 600
bantime = 3600

I meant to do escalated banning but got busy and forgot about it.

Wordpress.conf:
[Definition]
# fail2ban needs a <HOST> tag in failregex so it knows which address to ban;
# it matches the date itself, so the pattern anchors on the client address
failregex = ^<HOST> .*"POST .*(wp-login\.php|xmlrpc\.php).*" 200
ignoreregex =

I will check this tomorrow (or in the early hours), but I think this should work; not close to my computer at the moment, having family time.

I might switch to crowdsec, but this all depends on how testing goes and how well the devs respond to questions; will be finding out more on that one when I find time to get on their Discord (probably next week at this rate).
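Added example (Python, written for this page; it is neither code from the thread nor part of fail2ban or the WP-Fail2ban plugin) showing how the two filters discussed here behave against constructed log lines: the auth.log jail from the first post (maxretry 3, fail2ban's default findtime of 600) and the apache access-log regex from this post (maxretry 5, findtime 600). It replaces fail2ban's <HOST> tag with a simplified capture group, reproduces the maxretry/findtime sliding window, and refuses a failregex with no <HOST> tag, which is what fail2ban itself does. The syslog message wording and the apache combined-format lines are assumptions modelled on the plugin and on apache, and the addresses come from documentation ranges.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# fail2ban substitutes its own address pattern for the <HOST> tag. This
# simplified stand-in (an assumption, not fail2ban's real pattern) accepts
# IPv4, IPv6 and hostname characters.
HOST_TAG = r"(?P<host>[\w.:\-]+)"

# Filter 1: syslog lines the WP-Fail2ban plugin writes to auth.log. The
# message wording is modelled on the plugin (assumed, not copied from its
# filter file). fail2ban strips the syslog date before matching, so the
# pattern does not anchor on it.
AUTH_FAILREGEX = (
    r"wordpress\([^)]+\)\[\d+\]: Authentication "
    r"(?:attempt for unknown user|failure for) \S+ from <HOST>$"
)

# Filter 2: the apache access-log idea from this thread, with the <HOST>
# tag fail2ban needs. A POST to wp-login.php answered with 200 is the
# re-rendered login form (a failed attempt); a successful login answers
# 302, and a GET of the form is not a failure, so neither may match.
ACCESS_FAILREGEX = (
    r'^<HOST> \S+ \S+ \[[^\]]+\] "POST /(?:wp-login\.php|xmlrpc\.php)'
    r'[^"]*" 200 '
)


def compile_failregex(failregex):
    """Turn a fail2ban-style failregex into a Python pattern.
    fail2ban refuses a failregex without <HOST>; mirror that here."""
    if "<HOST>" not in failregex:
        raise ValueError("failregex must contain <HOST>")
    return re.compile(failregex.replace("<HOST>", HOST_TAG))


def failures(pattern, log):
    """Yield (timestamp, host) for every log line the filter flags."""
    for stamp, line in log:
        m = pattern.search(line)
        if m:
            yield datetime.fromisoformat(stamp), m.group("host")


def jail(pattern, log, maxretry, findtime):
    """Sliding-window jail logic: ban a host on its maxretry-th failure
    within findtime seconds. Returns {host: timestamp of the ban}."""
    recent = defaultdict(deque)
    banned = {}
    for ts, host in sorted(failures(pattern, log)):
        if host in banned:
            continue
        q = recent[host]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()
        if len(q) >= maxretry:
            banned[host] = ts
    return banned


# Constructed sample lines as (timestamp, raw line); the addresses are from
# the documentation ranges, not real clients.
AUTH_LOG = [
    ("2024-05-01T10:00:01", "May  1 10:00:01 web wordpress(example.com)[2312]: Authentication attempt for unknown user admin from 203.0.113.7"),
    ("2024-05-01T10:00:09", "May  1 10:00:09 web wordpress(example.com)[2312]: Authentication failure for editor from 198.51.100.9"),
    ("2024-05-01T10:00:14", "May  1 10:00:14 web wordpress(example.com)[2313]: Authentication attempt for unknown user root from 203.0.113.7"),
    ("2024-05-01T10:00:20", "May  1 10:00:20 web wordpress(example.com)[2313]: Accepted password for editor from 198.51.100.9"),
    ("2024-05-01T10:00:31", "May  1 10:00:31 web wordpress(example.com)[2314]: Authentication attempt for unknown user test from 203.0.113.7"),
]

ACCESS_LOG = [
    ("2024-05-01T11:00:00", '203.0.113.7 - - [01/May/2024:11:00:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3120 "-" "curl/8.0"'),
    ("2024-05-01T11:01:00", '203.0.113.7 - - [01/May/2024:11:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "curl/8.0"'),
    ("2024-05-01T11:02:00", '203.0.113.7 - - [01/May/2024:11:02:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "curl/8.0"'),
    ("2024-05-01T11:02:30", '198.51.100.9 - - [01/May/2024:11:02:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"'),
    ("2024-05-01T11:03:00", '203.0.113.7 - - [01/May/2024:11:03:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 410 "-" "curl/8.0"'),
    ("2024-05-01T11:04:00", '203.0.113.7 - - [01/May/2024:11:04:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "curl/8.0"'),
    ("2024-05-01T11:04:30", '192.0.2.44 - - [01/May/2024:11:04:30 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"'),
    ("2024-05-01T11:05:00", '203.0.113.7 - - [01/May/2024:11:05:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "curl/8.0"'),
]


def demo():
    """Run both jails from the thread and return who gets banned."""
    return {
        "auth.log jail (maxretry 3, findtime 600)":
            sorted(jail(compile_failregex(AUTH_FAILREGEX), AUTH_LOG, 3, 600)),
        "apache jail (maxretry 5, findtime 600)":
            sorted(jail(compile_failregex(ACCESS_FAILREGEX), ACCESS_LOG, 5, 600)),
        "apache jail (maxretry 5, findtime 120)":
            sorted(jail(compile_failregex(ACCESS_FAILREGEX), ACCESS_LOG, 5, 120)),
    }


if __name__ == "__main__":
    for name, hosts in demo().items():
        print(f"{name}: banned {hosts or 'nobody'}")
```

The third run shows why findtime matters: the same five failed POSTs spread one minute apart never put five hits inside a 120-second window, so nothing is banned, which is the same reason a jail can appear silent when attempts are slow. On a real server the equivalent check is `fail2ban-regex /var/log/apache2/domains/example.log /etc/fail2ban/filter.d/wordpress.conf`, which reports how many lines the filter matched.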

To get it to work you have to install the WP-Fail2ban plugin as well:

Nothing will work without this plugin.

Thanks so much for that info.

Hmm, it did work ages ago; something must have changed somewhere. Will have another look later today or tomorrow.

Will have to look at the apache2 logs to see why it’s not logging 200 when a user fails a login.

Thanks, this information helped me.