  #1  
02-06-2014, 06:27 AM
kpmedia
Site Staff | Web Hosting, Photo
 
Join Date: Feb 2004
Posts: 4,311
Thanked 376 Times in 342 Posts
The WordPress Problem

The most popular CMS online has some of the poorest security out there. And no, plugins are not the answer.
(1) Plugins are just PHP which is fairly trivial to bypass for certain kinds of exploits/hacks.
(2) Plugins are part of the WordPress ecosystem. Trying to protect something with itself is not really security.

Another problem is that WordPress sends http status code 200 (OK), and doesn't log failures. That doesn't help matters any.


fail2ban to the Rescue?

For the past few months, I've been trying to leverage fail2ban server-wide to protect WordPress sites. But I've had issues getting this to work well on cPanel servers (CentOS or CloudLinux). In Plesk, this would likely have been a trivial matter.

Myself and Brent from Veerotech are attempting to solve this. (Like myself, that's a host that takes security very seriously! Excellent host if you need a new one!) However, others may find it interesting, so we're making it a public thread. If the last few bugs can be worked out, a guide will be created on the main site.


fail2ban Guides

A guide to install and configure fail2ban with CSF was already written:
- How to Install fail2ban with CSF/LFD in cPanel, Part 1
- How to Install fail2ban with CSF/LFD in cPanel, Part 2

That works fine, although it could use some tweaks. Most of those have been resolved, and are found in this thread. Additionally, I want to write "How to Block WordPress Brute Force Attacks Using fail2ban" based on this thread. (How to protect/secure WP on virtual servers (VPS) and dedicated servers.)


The CentOS Logging Problem

Ideally, fail2ban would automatically see failed logins and ban after X failed attempts.

On a Plesk based server, all you'd need to do is search:
Code:
logpath = /var/www/vhosts/*/statistics/logs/access_log
And then filter for:
Code:
failregex = <HOST>.*] "POST /wp-login.php
But the problem is that cPanel doesn't seem to log errors the way that Plesk does. Maybe it's there, and I'm just not seeing it? See next post!

As of now, the only foolproof way to use fail2ban with WordPress is to add code in the functions.php of a theme -- or use a WordPress plugin that essentially does the same thing (WP fail2ban). The problem with that, however, is that it still relies on users to install the plugin. But some will be stubborn about it ("My blog security is fine!"), and others will remain oblivious even when told. So this "solution" isn't really a solution at all for server admins.

Further complicating matters is the sudden freakout over RSYSLOG, which may be blown out of proportion from knee-jerk "the sky is falling!" style server admin'ing. Using fail2ban with the WP plugin method requires rsyslog injection. CSF now gives a big scary warning by default (option 0), which can be turned off (option 2), but options 1 and 3 would kill the plugin method. I've already tested this.

See also: http://www.webhostingtalk.com/showthread.php?t=1344458


fail2ban Guides - Redux

The improved guides will send fail2ban alert emails to the server admin (from fail2ban@hostname), copy banned IPs into the CSF GUI (Firewall Deny IPs), and permanently ban repeat attackers. Several new config files are added (use nano!), and several existing ones are tweaked.

Tweak fail2ban jail config

Location: /etc/fail2ban/jail.conf

The default fail2ban jail.conf is largely gutted, as most of it does not apply for CSF integrations. CSF/LFD already does most of what fail2ban does. fail2ban is only being used for the tasks that CSF/LFD cannot perform. (The commented notes are also moved to the tail end of the file, as I find the constant comment injections annoying.)

Code:
# Fail2Ban jail config file

[DEFAULT]
ignoreip = 127.0.0.1/8
bantime  = 21600
findtime  = 86400
maxretry = 10
backend = auto
usedns = warn
destemail = root@localhost
banaction = iptables-multiport
mta = sendmail
protocol = tcp
chain = INPUT

[wordpress]
enabled = true
filter = wordpress
action = csf-ip-deny[name=wordpress]
         sendmail-whois[name=WordPress]
logpath  = /var/log/messages
bantime  = 21600
findtime  = 86400
maxretry = 10

[fail2ban]
enabled = true
filter = fail2ban
action = iptables-allports[name=fail2ban]
logpath = /var/log/fail2ban.log
maxretry = 5
findtime = 604800
bantime = -1

###########################################################

# Rules from The Digital FAQ (digitalFAQ.com)
# 21600 = 6 hours
# 86400 = 24 hours / 1 day
# 604800 = 7 days / 1 week
# wordpress - 10 tries in 24 hours = 6 hour ban, email generated
# fail2ban - 50 tries in 7 days = permanent ban, silent ban

###########################################################

# "backend" specifies the backend used to get files modification.
# This option can be overridden in each jail as well.
# -pyinotify: requires pyinotify (a file alteration monitor) to be installed.
# -gamin: requires Gamin (a file alteration monitor) to be installed.
# -polling:  uses a polling algorithm which does not require external libraries.
# -auto: will try to use the following backends, in order: pyinotify, gamin, polling.

# "usedns" specifies if jails should trust hostnames in logs,
# warn when DNS lookups are performed, or ignore all hostnames in logs
# -yes: if hostname is encountered, DNS lookup performed.
# -warn: if hostname is encountered, DNS lookup performed, but logged as warning.
# -no: if hostname is encountered, will not be used for banning, but logged as info.

Add CSF integration

Location: /etc/fail2ban/action.d/csf-ip-deny.conf

Code:
# CSF / fail2ban integration from The Digital FAQ (digitalFAQ.com)

[Definition]
actionstart =
actionstop =
actioncheck =
actionban = csf -d <ip> Added by Fail2Ban for <name>
actionunban = csf -dr <ip>

[Init]
name = default

Add WordPress fail2ban filter

Location: /etc/fail2ban/filter.d/wordpress.conf

Code:
# WordPress fail2ban protection from The Digital FAQ (digitalFAQ.com)

[INCLUDES]
before = common.conf

[Definition]
_daemon = wordpress
failregex = ^%(__prefix_line)sAuthentication failure for .* from <HOST>$
ignoreregex =

##########################################

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
# ^ ignore blog owner IP addresses!

Add fail2ban filter - permanently ban repeat failures

Location: /etc/fail2ban/filter.d/fail2ban.conf

Code:
[Definition]
failregex = fail2ban.actions: WARNING \[(.*)\] Ban <HOST>
ignoreregex = fail2ban.actions: WARNING \[fail2ban\] Ban <HOST>

Tweak email alerts (sendmail-whois)

Location: /etc/fail2ban/action.d/sendmail-whois.conf

This tweaks the email alerts sent by the server. Instead of needlessly verbose and partially missing (not part of the WP syntax!) mail text, this is more elegant/brief.

Code:
# Fail2Ban sendmail-whois configuration file
# Optimized for WordPress by The Digital FAQ (digitalFAQ.com)

[INCLUDES]
before = sendmail-common.conf

[Definition]
actionstart = printf %%b "Subject: [Fail2Ban] <name>: started on `uname -n`
              Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
              From: <sendername> <<sender>>
              To: <dest>\n\n
              The jail <name> has been started successfully.\n
              " | /usr/sbin/sendmail -f <sender> <dest>
actionstop = printf %%b "Subject: [Fail2Ban] <name>: stopped on `uname -n`
             Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
             From: <sendername> <<sender>>
             To: <dest>\n\n
             The jail <name> has been stopped.\n
             " | /usr/sbin/sendmail -f <sender> <dest>
actioncheck =
actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from `uname -n`
            Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
            From: <sendername> <<sender>>
            To: <dest>\n\n
            <ip> was banned by Fail2Ban after <failures> attempts against <name>.\n
            " | /usr/sbin/sendmail -f <sender> <dest>
actionunban =

[Init]
name = default

#############################################

# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD

# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD

Code:
Subject: [Fail2Ban] WordPress: banned 1.2.3.4 from server.hostname
From: Fail2Ban [fail2ban@server.hostname]
To: root@hostname
Body: 1.2.3.4 was banned by Fail2Ban after 10 attempts against WordPress.

Don't forget to restart fail2ban for the first time!

Code:
Stopping fail2ban:                                         [FAILED]
Starting fail2ban:                                         [  OK  ]

fail2ban Problems

The WordPress plugin method is working fine on my testing/dev server. But I'm having trouble re-creating the issue on two other production (in-use) servers.

Dev: cPanel CentOS 6 x64 Apache + Varnish
Server 1: cPanel CentOS 6 x64 Apache + nginx reverse proxy
Server 2: cPanel CentOS 6 x64 Apache

Even with newly deployed WP 3.8.1 test sites, using only the WP fail2ban plugin, it's not blocking. (At this time, rolling back to 3.7.1 has not been tested. The test site in the dev server does currently run 3.7.1, but that should not matter.)

Server 1 is not logging the WP failures in /var/log/messages at all.
Server 2 is, but the banning by fail2ban still is not happening correctly. I can only guess that I've missed something?

This is tested from yet another testing/dev server (Windows) via RDP in a browser. This server is not whitelisted by the firewall for the purpose of testing.

The rsyslog service was also restarted, but that had no effect.


To Be Continued...

Much of what we do here at The Digital FAQ is undocumented. We don't follow guides, we write them! Everything from ATI AIW cards on Windows 7 (video hardware drive tweaks), to Avisynth filter re-writes (video software mods/hacks), to WordPress customizations. It's what we do.

This one just isn't working correctly yet. I share the info here in hopes that others may have some ideas.

Thanks!

#2
02-06-2014, 07:17 AM
kpmedia
It looks like the logs are at:

Code:
/usr/local/apache/domlogs/*
And if I'm deciphering this correctly, because WordPress fails with a 200 status (OK), then the above POST rule would block all login attempts, not just malicious ones. Unfortunately, we can't log 401 (unauthorized) + the POST.

Maybe if the failures were put higher, like 20 per day, and/or the blog owner's static IPs were whitelisted by the rule, it would work. Legitimate users should not log in 20 times (and if they do, honestly, that person is a dumb@ss). The only concern would be blog owners that are OCD, and log in all day long.

Hmm....

This is where I need outside input.

Must we wait on WordPress to fix the 200 flaw, and make it 401? Or will they be stubborn and leave it as a 200?

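Added example, not code from this thread, from the WP fail2ban plugin, or from fail2ban itself: a small offline Python simulation of the three log-matching rules the two posts above discuss, so the thresholds can be checked without touching a server. It covers the syslog "Authentication failure" filter and the [fail2ban] repeat-offender jail from post #1, and the access_log "POST /wp-login.php" rule from post #2 with the blog owner's IP whitelisted and the threshold raised to 20 per day as suggested there. The regexes approximate the filters' effect (common.conf's prefix line is reduced to a plain rsyslog line; the `<HOST>` tag becomes a named group), the `jail()` function approximates fail2ban's findtime/maxretry counting, and every log line, hostname and IP is constructed (documentation address ranges).

```python
"""Offline simulation of the fail2ban rules discussed in this thread.
Added example (not from the thread, the WP fail2ban plugin, or fail2ban);
the regexes approximate the filters and every log line is constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Post #1, filter.d/wordpress.conf: common.conf's __prefix_line is simplified to
# a plain rsyslog line from the plugin, whose daemon name is "wordpress(<site>)".
WP_SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ wordpress\(\S+\)\[\d+\]: "
    r"Authentication failure for .* from (?P<host>\S+)$")

# Post #1, filter.d/fail2ban.conf: any "Ban" line in fail2ban.log; bans issued by
# the [fail2ban] jail itself are skipped below, which is what the ignoreregex does.
F2B_LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ fail2ban\.actions: WARNING "
    r"\[(?P<jail>[^\]]+)\] Ban (?P<host>\S+)$")

# Post #2: the Plesk-style access_log rule. Every POST to wp-login.php matches,
# whatever the status code, because WordPress answers a failed login with 200.
ACCESS_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "POST /wp-login\.php')


def wp_syslog_events(lines, year=2014):
    """(timestamp, ip) for each syslog line the wordpress filter would match."""
    out = []
    for line in lines:
        m = WP_SYSLOG_RE.match(line)
        if m:  # syslog timestamps carry no year; assume the one given
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
            out.append((ts, m.group("host")))
    return out


def f2b_log_events(lines):
    """(timestamp, ip) for each Ban line, minus the [fail2ban] jail's own bans."""
    out = []
    for line in lines:
        m = F2B_LOG_RE.match(line)
        if m and m.group("jail") != "fail2ban":
            out.append((datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"), m.group("host")))
    return out


def access_log_events(lines):
    """(timestamp, ip) for each POST /wp-login.php in a combined-format access log."""
    out = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if m:
            out.append((datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"), m.group("host")))
    return out


def jail(events, maxretry, findtime, ignoreip=()):
    """Approximate fail2ban's counting: an IP is banned the first time it has
    maxretry matches within findtime seconds; ignoreip addresses never count."""
    recent = defaultdict(list)
    bans = {}  # ip -> time the ban was triggered
    for ts, ip in sorted(events):
        if ip in ignoreip or ip in bans:
            continue
        window = [t for t in recent[ip] if ts - t <= timedelta(seconds=findtime)]
        window.append(ts)
        recent[ip] = window
        if len(window) >= maxretry:
            bans[ip] = ts
    return bans


# Constructed sample logs (documentation IP ranges, invented hostnames).
SYSLOG = ["Feb  6 06:%02d:00 server wordpress(example.com)[2041]: "
          "Authentication failure for admin from 203.0.113.7" % m for m in range(10)]
SYSLOG += ["Feb  6 06:30:00 server wordpress(example.com)[2041]: "
           "Authentication failure for editor from 198.51.100.9"]

F2B_LOG = ["2014-02-%02d 06:27:00,101 fail2ban.actions: WARNING [wordpress] Ban 203.0.113.7"
           % d for d in range(1, 6)]
F2B_LOG += ["2014-02-06 07:00:00,102 fail2ban.actions: WARNING [wordpress] Ban 198.51.100.9",
            "2014-02-06 07:01:00,103 fail2ban.actions: WARNING [fail2ban] Ban 203.0.113.7",
            "2014-02-06 07:02:00,104 fail2ban.actions: WARNING [wordpress] Unban 198.51.100.9"]


def _access(ip, minute, method="POST", status=200):
    return ('%s - - [06/Feb/2014:06:%02d:00 -0500] "%s /wp-login.php HTTP/1.1" %d 3512'
            % (ip, minute, method, status))


ACCESS = ([_access("203.0.113.7", m) for m in range(20)]   # 20 failed logins, all status 200
          + [_access("192.0.2.10", m) for m in range(25)]  # blog owner, whitelisted below
          + [_access("198.51.100.9", 30), _access("198.51.100.9", 31, status=302)]  # fail, then success
          + [_access("198.51.100.9", 32, method="GET")])   # page view, never matches


def simulate():
    """Run the three rules with the thread's thresholds (post #2's 20/day for access_log)."""
    return {
        "wordpress": sorted(jail(wp_syslog_events(SYSLOG), maxretry=10, findtime=86400)),
        "fail2ban": sorted(jail(f2b_log_events(F2B_LOG), maxretry=5, findtime=604800)),
        "access_log": sorted(jail(access_log_events(ACCESS), maxretry=20, findtime=86400,
                                  ignoreip={"192.0.2.10"})),
    }


if __name__ == "__main__":
    print(simulate())
```

Running it prints one banned address per rule. The access_log run is the instructive one: both POSTs from 198.51.100.9 count, the failed one (200) and the successful one (302), exactly as post #2 predicts, so only the raised maxretry and the ignoreip whitelist keep that user and the blog owner off the ban list; drop the whitelist and the owner's 25 logins get banned alongside the attacker.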