Fail2ban + CSF for Blocking WordPress Brute Force Attacks?
The WordPress Problem
The most popular CMS online has some of the poorest security out there. And no, plugins are not the answer. (1) Plugins are just PHP, which is fairly trivial to bypass for certain kinds of exploits/hacks. (2) Plugins are part of the WordPress ecosystem. Trying to protect something with itself is not really security.

Another problem is that WordPress sends HTTP status code 200 (OK), and doesn't log failures. That doesn't help matters any.

fail2ban to the Rescue?

For the past few months, I've been trying to leverage fail2ban server-wide to protect WordPress sites. But I've had issues getting this to work well on cPanel servers (CentOS or CloudLinux). In Plesk, this would likely have been a trivial matter.

Brent from Veerotech and I are attempting to solve this. (Like myself, that's a host that takes security very seriously! Excellent host if you need a new one!) However, others may find it interesting, so we're making it a public thread. If the last few bugs can be worked out, a guide will be created on the main site.

fail2ban Guides

A guide to install and configure fail2ban with CSF was already written:
- How to Install fail2ban with CSF/LFD in cPanel, Part 1
- How to Install fail2ban with CSF/LFD in cPanel, Part 2

That works fine, although it could use some tweaks. Most of those have been resolved, and are found in this thread. Additionally, I want to write "How to Block WordPress Brute Force Attacks Using fail2ban" based on this thread. (How to protect/secure WP on virtual servers (VPS) and dedicated servers.)

The CentOS Logging Problem

Ideally, fail2ban would automatically see failed logins and ban after X failed attempts. On a Plesk based server, all you'd need to do is search:

Code:
logpath = /var/www/vhosts/*/statistics/logs/access_log

Code:
failregex = <HOST>.*] "POST /wp-login.php

As of now, the only foolproof way to use fail2ban with WordPress is to add code in the functions.php of a theme -- or use a WordPress plugin that essentially does the same thing (WP fail2ban). The problem with that, however, is that it still relies on users to install the plugin. But some will be stubborn about it ("My blog security is fine!"), and others will remain oblivious even when told. So this "solution" isn't really a solution at all for server admins.

Further complicating matters is the sudden freakout over RSYSLOG, which may be blown out of proportion from knee-jerk "the sky is falling!" style server admin'ing. Using fail2ban with the WP plugin method requires rsyslog injection. CSF now gives a big scary warning by default (option 0), which can be turned off (option 2), but options 1 and 3 would kill the plugin method. I've already tested this. See also: http://www.webhostingtalk.com/showthread.php?t=1344458

fail2ban Guides - Redux

The improved guides will send fail2ban alert emails to the server admin (from fail2ban@hostname), copy banned IPs into the CSF GUI (Firewall Deny IPs), and permanently ban repeat attackers. Several new config files are added (use nano!), and several existing ones are tweaked.

Tweak fail2ban jail config

Location: /etc/fail2ban/jail.conf

The default fail2ban jail.conf is largely gutted, as most of it does not apply for CSF integrations. CSF/LFD already does most of what fail2ban does. fail2ban is only being used for the tasks that CSF/LFD cannot perform. (The commented notes are also moved to the tail end of the file, as I find the constant comment injections annoying.)

Code:
# Fail2Ban jail config file

Location: /etc/fail2ban/action.d/csf-ip-deny.conf

Code:
# CSF / fail2ban integration from The Digital FAQ (digitalFAQ.com)

Location: /etc/fail2ban/filter.d/wordpress.conf

Code:
# WordPress fail2ban protection from The Digital FAQ (digitalFAQ.com)

Location: /etc/fail2ban/filter.d/fail2ban.conf

Code:
[Definition]

Location: /etc/fail2ban/action.d/sendmail-whois.conf

This tweaks the email alerts sent by the server. Instead of needlessly verbose and partially missing (not part of the WP syntax!) mail text, this is more elegant/brief.

Code:
# Fail2Ban sendmail-whois configuration file

Code:
Subject: [Fail2Ban] WordPress: banned 1.2.3.4 from server.hostname

Code:
Stopping fail2ban: [FAILED]

The WordPress plugin method is working fine on my testing/dev server. But I'm having trouble re-creating the issue on two other production (in-use) servers.

Dev: cPanel CentOS 6 x64 Apache + Varnish
Server 1: cPanel CentOS 6 x64 Apache + nginx reverse proxy
Server 2: cPanel CentOS 6 x64 Apache

Even with newly deployed WP 3.8.1 test sites, using only the WP fail2ban plugin, it's not blocking. (At this time, rolling back to 3.7.1 has not been tested. The test site on the dev server does currently run 3.7.1, but that should not matter.)

Server 1 is not logging the WP failures in /var/log/messages at all. Server 2 is, but the banning by fail2ban still is not happening correctly. I can only guess that I've missed something?

This is tested from yet another testing/dev server (Windows) via RDP in a browser. This server is not whitelisted by the firewall for the purpose of testing. The rsyslog service was also restarted, but that had no effect.

To Be Continued...

Much of what we do here at The Digital FAQ is undocumented. We don't follow guides, we write them! Everything from ATI AIW cards on Windows 7 (video hardware driver tweaks), to Avisynth filter re-writes (video software mods/hacks), to WordPress customizations. It's what we do. This one just isn't working correctly yet. I share the info here in hopes that others may have some ideas.

Thanks!
It looks like the logs are at:

Code:
/usr/local/apache/domlogs/*

Maybe if the failures were put higher, like 20 per day, and/or the blog owner's static IPs were whitelisted by the rule, it would work. Legitimate users should not log in 20 times (and if they do, honestly, that person is a dumb@ss). The only concern would be blog owners that are OCD, and log in all day long. Hmm.... This is where I need outside input. Must we wait on WordPress to fix the 200 flaw, and make it 401? Or will they be stubborn and leave it as a 200?
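Added example (not from the thread or from digitalFAQ's guides): a plain-Python re-implementation of the counting fail2ban does when the failregex quoted above is run over the domlogs, with the 20-per-day threshold and owner-IP whitelist this post proposes. It shows why the 200-status problem forces a generous threshold: every POST to wp-login.php counts, successful or not. The `<HOST>` tag is expanded to a regex group by hand, the log lines are constructed, and the addresses are documentation IPs.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# fail2ban's <HOST> tag is a named group capturing the client address; it is expanded
# by hand here so the thread's failregex runs in plain Python.
FAILREGEX = re.compile(r'^(?P<host>\S+) .*\] "POST /wp-login\.php')
# Apache access_log timestamp, e.g. [10/Feb/2014:12:00:01 -0500]
TS_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]")

def parse_login_post(line):
    """Return (host, timestamp) for a POST to wp-login.php, else None."""
    m = FAILREGEX.search(line)
    ts = TS_RE.search(line)
    if not m or not ts:
        return None
    return m.group("host"), datetime.strptime(ts.group(1), "%d/%b/%Y:%H:%M:%S")

def find_bans(lines, maxretry=20, findtime=timedelta(days=1), ignoreip=()):
    """Per-host sliding-window count, like fail2ban's maxretry/findtime.
    WordPress answers 200 to a failed login, so the access log cannot tell failed from
    successful POSTs: every POST counts, hence the generous threshold and the whitelist
    of site owners' static IPs. Returns {host: time the threshold was reached}."""
    windows, bans = defaultdict(deque), {}
    for line in lines:
        hit = parse_login_post(line)
        if hit is None or hit[0] in ignoreip or hit[0] in bans:
            continue
        host, when = hit
        q = windows[host]
        q.append(when)
        while when - q[0] > findtime:      # drop attempts outside the findtime window
            q.popleft()
        if len(q) >= maxretry:
            bans[host] = when
    return bans

def make_line(host, when, method="POST", path="/wp-login.php"):
    """Constructed combined-format line like those under /usr/local/apache/domlogs/."""
    stamp = when.strftime("%d/%b/%Y:%H:%M:%S -0500")
    return f'{host} - - [{stamp}] "{method} {path} HTTP/1.1" 200 3421 "-" "Mozilla/5.0"'

def demo():
    t0 = datetime(2014, 2, 10, 12, 0, 0)
    log = [make_line("203.0.113.10", t0 + timedelta(minutes=20 * i)) for i in range(30)]  # whitelisted owner
    log += [make_line("198.51.100.7", t0 + timedelta(seconds=24 * i)) for i in range(25)]  # 25 POSTs in 10 min
    log += [make_line("198.51.100.8", t0 + timedelta(hours=2 * i)) for i in range(20)]  # 20 POSTs over 38 h
    log += [make_line("192.0.2.5", t0, "GET", "/"), make_line("192.0.2.5", t0 + timedelta(minutes=1))]
    return find_bans(log, ignoreip={"203.0.113.10"})  # only the fast attacker is banned
```

The 38-hour host never has 20 POSTs inside one findtime window, so it is not banned; that is the trade-off of a daily threshold against a slow attacker.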