Protect your Nginx powered ClassicPress / WordPress login page against brute-force password attacks using fail2ban on Debian based Linux

Heyo!

So I looked into my blog stats and noticed something interesting…

There are some very curious people out there… Some of them visited my page thousands of times. I wonder what they were looking at…

Oh…? Why would my He-bro friend looking at my wp-login.php page? Interesting…

The fact is that there are bots / malicious actors out there trying to brute-force your login and password. Why? Because they can. Because they want to. Because reasons.

Anyway. I use strong passwords but I don’t want to tempt the faith so… HOW do I stop those password brute-forcing attempts? What to do? How to live?!

There’s this piece of code called fail2ban and it will do exactly what it says. It will ban anyone that fails to log into your system.

So how do I get it and how to set it up?

Well here is how.

You open a terminal window on your https server and you gain root.

su -

Then you install fail2ban (and midnight commander):

apt install -y fail2ban mc

Next thing is to configure this bugger…

Let’s start with jail.local file

mcedit /etc/fail2ban/jail.local

And paste this into the file (Shift + Insert) and edit the file accordingly:


[DEFAULT]
ignoreip = 127.0.0.1/8
mta = mail
# Replace YourGmailRelay@gmail.com with Your Gmail Relay Email
sender = YourGmailRelay@gmail.com
sendername = Fail2ban
banaction = iptables-allports
# Replace YourGmailRelay@gmail.com with Your Gmail Relay Email
# Set up 2FA and APP Password on your Gmail relay and replace
# YourGmailRelayAppPassword with your APP Password for GMail
# Replace the TheEmailYouWantToReceiveInfoTo@YourDomain.You with your Email address
# where you want your fail2ban reports to be delivered
action = %(action_mw)s[from=YourGmailRelay@gmail.com, password=YourGmailRelayAppPassword, destination=TheEmailYouWantToReceiveInfoTo@YourDomain.You, sendername=Fail2Ban]
# IF I catch this mofo 3 times
maxretry = 3
# During 36000 seconds (10 hours)
findtime = 36000
# I'll ban his ass for 36000 seconds (10 hours)

bantime = 36000

[sshd]
# Change this to true if you want to protect your ssh logins with fail2ban too
enabled = false


[wordpress-wplogin]
enabled = true
filter = wordpress-wplogin
# IF you're not using nginx or the log is located somewhere else - edit the line below
logpath = /var/log/nginx/*_access.log
port = http,https


Save the file (F2) close the file (F10).

Next edit wordpress-wplogin.conf file:

mcedit /etc/fail2ban/filter.d/wordpress-wplogin.conf

Paste this into the file (Shift + Insert):

[Definition]
failregex = ^<HOST> .* "(GET|POST) /+wp-login.php
            ^<HOST> .* "(GET|POST) /+xmlrpc.php

Save the file (F2) close the file (F10).

Next run those two commands:

Replace the TheEmailYouWantToReceiveInfoTo@YourDomain.You with your Email address where you want your fail2ban reports to be delivered

sed -i 's/root@localhost/TheEmailYouWantToReceiveInfoTo@YourDomain.You/g' /etc/fail2ban/jail.conf

Replace YourGmailRelay@gmail.com with Your Gmail Relay Email

sed -i 's/root@<fq-hostname>/YourGmailRelay@gmail.com/g' /etc/fail2ban/jail.conf

Next enable and restart fail2ban

systemctl enable fail2ban && systemctl restart fail2ban

and now check if it’s running:

systemctl status fail2ban

Active: active (running) since Sat 2022-10-29 22:12:35 IST; 1s ago

How to check what jails is fail2ban running?

fail2ban-client status

Status
|- Number of jail: 1
`- Jail list: wordpress-wplogin

How to check status of a specific jail?

fail2ban-client status wordpress-wplogin

Status for the jail: wordpress-wplogin
|- Filter
| |- Currently failed: 0
| |- Total failed: 0
| `- File list: /var/log/nginx/some_ssl_access.log
`- Actions
|- Currently banned: 0
|- Total banned: 0
`- Banned IP list:

How to unban specific IP from a specific jail?

fail2ban-client set JAILNAME unbanip IPADDRESS

fail2ban-client set wordpress-wplogin unbanip 356.567.789.890

That’s all folks…

Cheers.

Andrzej

Edit: I have asked SloniuPL if he is using or will be using Fail2Ban. He said “No and No” and when asked why he said “I am using wordfence and jetpack, free versions”. IF you don’t want to use fail2ban – there’s an alternative however fail2ban in my opinion gives you more options as it will protect more than just you ClassicPress / WordPress.

AndrzejL

"Never meet Your heroes. Most of the time you'll only end up disappointed." White Polak Male Husband Employee Hetero Carnivorous Fugly Geek @$$hole with ADD Catholic “Some men just want to watch the world burn.”

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.