update: 2020:

last time checked fail2ban was INCOMPATIBLE with nftables (next version of iptables)

so either one uninstalls nftables and installs “pure” iptables

fail2ban might not do what is expected.

might also be interesting: automatically banning ssh bruteforce via cron + bash scripts

there are super-clever script-kiddies using stuff like wpscan to attack your wordpress, but also whole companies from israel are offering tools to nuke off your webserver with “rented” DDoS attacks.

thanks a alot. you know this traffic consumes resources adding to climate-change, not all servers are powered on renewable energies.

if i check my stats, wp-login.php is the MOST VIEWED PAGE on EVERY wordpress installation…

1,302 different pages-url Viewed Average size Entry Exit
/wp-login.php 108,371 3.81 KB 912 829

this kind of sucks because you know it’s beeing attacked, consuming awefull (apache2) amounts of memory (every new apache2 instance starts with reserving 80MByte of memory?)… making apache2 or mysql fail 😀

the apache2 server-logs with vestacp.com are stored here:

[cc lang=”bash” escaped=”true” width=”600″]
/var/log/apache2/domains
[/cc]

in separate files for every domain, and also used by vstats/awstats.

[cc lang=”bash” escaped=”true” width=”600″]
vim /etc/fail2ban/filter.d/wp-login.conf; # create new rules-file for wordpress

# and fill it with:
# WP brute force attacks filter
[Definition]
failregex = ^ .* “POST .*wp-login.php
ignoreregex =

# save and quit
# test the rule:
fail2ban-regex /var/log/apache2/domains/domain.com.log /etc/fail2ban/filter.d/wp-login.conf; # test filter-rule

Running tests
=============

Use failregex file : /etc/fail2ban/filter.d/wp-login.conf
Use log file : /var/log/apache2/domains/domain.com.log

Results
=======

Failregex: 23614 total
|- #) [# of hits] regular expression
| 1) [23614] ^ .* “POST .*wp-login.php
`-

Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
| [93665] Day/MONTH/Year:Hour:Minute:Second
`-

Lines: 93665 lines, 0 ignored, 23614 matched, 70051 missed
Missed line(s): too many to print. Use –print-all-missed to print all 70051 lines

# make changes permanent
# Every .conf file can be overridden with a file named .local. The .conf file is read first, then .local, with later settings overriding earlier ones.

vim /etc/fail2ban/jail.local; # open fail2ban config file
# and add those lines to the end of the file:

[wp-login]
enabled = true
port = http,https
action = iptables-multiport[name=WP, port=”http,https”, protocol=tcp]
sendmail-whois[name=fail2ban-wp-bruteforce, dest=adminOfServer@domain.com]
filter = wp-login
logpath = /var/log/apache2/domains/*.log
maxretry = 5

# The sendmail-whois action will send notifications to the specified email address.
# save and quit and restart fail2ban

# you probably also want to increase bantime

vim /etc/fail2ban/jail.conf;

# search for bantime and set it to something like:

[DEFAULT]
bantime = 10800 ;3 hours
findtime = 86400 ;1 day
maxretry = 5

service fail2ban restart; # restart

# check out the fail2ban log files
less /var/log/fail2ban.log;
[/cc]

While you are here: Secure Apache2 to prevent DDoS

i will inform you if that method was effective.

Mail-Reports:

If you want fail2ban send mail reports over it’s activity per default look here.

pretty soon after fail2ban starts it’s work, i realize, i am beeing attacked… from the Ukraine.

[cc lang=”bash” escaped=”true” width=”600″]
Hi,

The IP 91.200.12.83 has just been banned by Fail2Ban after
5 attempts against fail2ban-wp-bruteforce.

Here is more information about 91.200.12.83:

% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
% To receive output for a database update, use the “-B” flag.

% Information related to ‘91.200.12.0 – 91.200.15.255’

% Abuse contact for ‘91.200.12.0 – 91.200.15.255’ is ‘noc@lugalink.net’

inetnum: 91.200.12.0 – 91.200.15.255
netname: VHOSTER-NET
org: ORG-PS152-RIPE
remarks:
remarks: **********************************Attention***************************************
remarks: The pool is used other Department!
remarks: In case of questions related to SPAM, HACKING, SECURITY
remarks: Please contact directly abuse@vhoster.net
remarks: tel: +38 (044) 228-14-42; +38 (050) 472-06-34; +7 (499) 403-18-26
remarks: ***********************************************************************************
remarks:
country: UA
admin-c: NASA-RIPE
tech-c: DVC31-RIPE
status: ASSIGNED PI
mnt-by: RIPE-NCC-END-MNT
mnt-by: VHOSTER-MNT
mnt-by: GLUBINA-MNT
mnt-routes: VHOSTER-MNT
mnt-domains: VHOSTER-MNT
created: 2007-09-21T12:32:02Z
last-modified: 2016-04-14T10:20:25Z
source: RIPE

organisation: ORG-PS152-RIPE
org-name: PP SKS-LUGAN
org-type: LIR
address: Lenina
address: 93400
address: Sev
address: UKRAINE
phone: +380665258035
fax-no: +380665258035
admin-c: TAU-RIPE
abuse-c: AR17440-RIPE
mnt-ref: RIPE-NCC-HM-MNT
mnt-ref: LUGAN-MNT
mnt-by: RIPE-NCC-HM-MNT
mnt-by: LUGAN-MNT
created: 2013-09-25T08:41:49Z
last-modified: 2016-07-11T07:26:07Z
source: RIPE # Filtered

person: Dmitrij Chaban
address: Ukraine
phone: +38 044 3310636
nic-hdl: DVC31-RIPE
mnt-by: VHOSTER-MNT
created: 2012-07-18T16:24:15Z
last-modified: 2016-03-05T04:35:23Z
source: RIPE # Filtered

person: Novohatskiy Sergey Aleksandrovich
address: Ukraine
mnt-by: NASA-MNT
phone: +380 6442 50220
nic-hdl: NASA-RIPE
created: 2010-12-27T12:01:51Z
last-modified: 2015-07-22T10:24:53Z
source: RIPE # Filtered

% Information related to ‘91.200.12.0/22AS35804’

route: 91.200.12.0/22
descr: PP “SKS-Lugan”
origin: AS35804
mnt-by: GLUBINA-MNT
created: 2013-09-24T07:15:34Z
last-modified: 2013-09-24T07:20:31Z
source: RIPE

% This query was served by the RIPE Database Query Service version 1.87.4 (DB-1)

Regards,

Fail2Ban
[/cc]

pretty nice…. the report, not the attack.

Links:

http://www.fail2ban.org/wiki/index.php/MANUAL_0_8

liked this article?

  • only together we can create a truly free world
  • plz support dwaves to keep it up & running!
  • (yes the info on the internet is (mostly) free but beer is still not free (still have to work on that))
  • really really hate advertisement
  • contribute: whenever a solution was found, blog about it for others to find!
  • talk about, recommend & link to this blog and articles
  • thanks to all who contribute!
admin