Category Archives: Howto Tutorials (EN)

Knowledge Network for Tutorials, Howto’s, Workaround, DevOps Code for Professionals.

Protect WordPress from Brute-Force-Attacks with Fail2ban

Home  »  Howto Tutorials (EN)
Leave a comment

How To Protect WordPress against Brute-Force-Attacks using Fail2ban

WordPress itself does not offer any protection against brute force attacks. But there are several methods for protection, besides lock-down plugins they blocking IP addresses after every failed login attempt. Another way gives the kernel firewall controlled with Fail2ban. With it the suspicious host is locked out for a certain time.

To Protect your WordPress from Brute-Force-Attacks by Fail2ban, follow this install tutorial.

  To install fail2ban on RHEL then the EPEL repository must be added. Debian provide fail2ban already in the default repository.

$ yum install epel-release

The installation here as root is as follows, a standard configuration is provided, and does not require any further adjustments:

$ yum install fail2ban -y

On Debian and Ubuntu Linux fail2ban is installed as follow.

$ apt install fail2ban -y

After fail2ban is installed on the server, the Apache access_log can be scanned for login attempts.

10.241.83.170 - - [02/Jul/2017:21:23:17 +0200] "POST /xmlrpc.php HTTP/1.1" 200 406
10.241.83.170 - - [02/Jul/2017:21:23:19 +0200] "GET /wp-login.php HTTP/1.1" 200 6387
10.241.83.170 - - [02/Jul/2017:21:23:19 +0200] "POST /wp-login.php HTTP/1.1" 200 6561
10.120.13.157 - - [02/Jul/2017:21:27:55 +0200] "POST /xmlrpc.php HTTP/1.1" 200 406
10.120.13.157 - - [02/Jul/2017:21:27:56 +0200] "GET /wp-login.php HTTP/1.1" 200 6440
10.120.13.157 - - [02/Jul/2017:21:27:56 +0200] "POST /wp-login.php HTTP/1.1" 200 6614

So that fail2ban knows which parsers to search for in the log file. The filter is created by editing with vim or other preferred editors. We create the filter file with use the command vi /etc/fail2ban/filter.d/wp-auth.conf

# WordPress brute force auth filter: /etc/fail2ban/filter.d/wp-auth.conf:
#
# Block IPs trying to auth wp wordpress
#
[Definition]
failregex = ^<HOST> .*"POST \/wp-login\.php HTTP\/.*$
            ^<HOST> .*"POST \/\/wp-login\.php HTTP\/.*$
            ^<HOST> .*"POST \/xmlrpc\.php HTTP\/.*$
            ^<HOST> .*"POST \/\/xmlrpc\.php HTTP\/.*$
ignoreregex =

The main configuration of fail2ban is located in the file /etc/fail2ban/jail.conf, this is copied to jail.local. Or you insert only the filter by add the configuration with vi /etc/fail2ban/jail.local

[wp-auth]
enabled = true
filter = wp-auth
action = iptables-multiport[name=AuthFailures, port="http,https"]
logpath = %(apache_access_log)s
bantime = 1800
maxretry = 5

After 5 login attempts (maxretry) is blocked for 30 min.

Before fail2ban is used, a look is given in /etc/fail2ban/jail.conf, under the section [INCLUDES] the paths of the currently used Linux distribution are defined at the line before = paths-distro.conf, here we use CentOS 7 and the appropriate file /etc/fail2ban/paths-fedora.conf

[INCLUDES]
before = paths-centos.conf

We copy the file paths-fedora.conf to paths-centos.conf. All logs should be read under /var/www/*/logs, adjusting the paths to the Apache logs if necessary.

# apache server log
apache_error_log = /var/log/httpd/*error_log
apache_access_log = /var/log/httpd/*access_log

# apache virtual hosts
apache_error_log = /var/www/*/logs/*error_log
apache_access_log = /var/www/*/logs/*access_log

Under Debian the following content is defined in /etc/fail2ban/jail.conf

[INCLUDES]
before = paths-debian.conf

Now restart fail2ban to activate the filter.

 $ systemctl restart fail2ban

Check fail2ban status as follows.

$ fail2ban-client status wp-auth

Output the iptable status of the filter in the chain.

$ iptables -vnL | grep AuthFailures

The iptables output of the filter AuthFailure follows about a lot.

Chain f2b-AuthFailures (1 references)
 pkts bytes target prot opt in out source destination
 252K 32M RETURN all -- * * 10.241.83.170/0 0.0.0.0/0
 232K 29M RETURN all -- * * 10.120.13.157/0 0.0.0.0/0

If you have locked yourself out by too many failed attempts and tests. You can unlock yourself again with the following command.

$ fail2ban-client set wp-auth unbanip 10.110.51.25

  The advantage of this method is that fail2ban blocks suspicious host for all services, many bots will usually go to the next website to continue try attacks, ssh and ftp requests also go nowhere while ICMP requests remain unanswered for the investigated IP address.

Protect WordPress from Brute-Force-Attacks with Fail2ban

MultiTail to monitor multiple logs

Home  »  Howto Tutorials (EN)
Leave a comment

MultiTail allows tail multiple logs

SysAdmins and developers often need to access multiple log files at the same time during monitoring and control tasks. To achieve this, each log file is usually opened in a new shell. In the traditional wise way, i.e. tail -f /var/log/messages.

However, if you want to run tail logs in real time, MultiTail can be tail multiple logs pulled in.

Install MultiTail on Fedora

The EPEL repository must be added.

yum install epel-release

Install Multitail on Fedora or RHEL as follows.

yum install -y multitail

MultiTail for Debian and Ubuntu

Multitail is installed on Debian with apt-get.

sudo apt-get update
sudo apt-get install multitail

Using MultiTail commands

By default, multitail does the same as tail -f, the files are displayed in real time to open two different files in one window, the basic syntax is:

multitail /var/log/apache2/access.log /var/log/apache2/error.log

For Debian above, and for Red Hat as follows, in addition, netstat -t shows the active connections to the web server:

multitail -cS apache -R 2 -l "netstat -t" /home/www/*/web/logs/access_log

All access_log logs are opened in the logs directories. The Apache Color schema displays the active connections to the web server.

The same output, but the first 3 logfiles in 3 columns, here is an Apache web server on CentOS:

multitail -s 3 -cS apache -R 3 -l "netstat -t" /home/www/*/web/logs/access_log

Pressing the ‘b’ key will display a list of the open log files, which can be selected individually by cursor.

MultiTail allows tail multiple logs
multitail

To scroll through the log files, press ‘b’ and scroll up or down with the cursor keys. For help you press ‘h’ to output the available option in a list.

MultiTail advanced tail features

When scrolling, typing ‘G’ or ‘gg’ can get to the beginning or end of the log file, with ‘q’ you return and then leave multitail.

Postfix also has a color scheme, the syntax for /var/log/maillog as follows:

multitail -cS postfix -n 1000 /var/log/maillog

Many color schemes are defined in the /etc/multitail.conf configuration. For example for Asterisk, Bind, Samba, tcpdump and many more, new ones can be added, or the existing ones can be modified.

To prevent the multitail line with the parameters from having to be re-entered each time, the line can be executed from a script, the following lines can be easily inserted into a terminal:

cat <<EOF> /usr/bin/mtail
#!/bin/bash
multitail -cS apache -l "netstat -t" /home/www/*/web/logs/access_log
EOF

The script /usr/bin/mtail still needs to be made executable:

chmod +x /usr/bin/mtail

Here are just a few basic features of the multitail command. A complete list of options can be found in the multitail man page. With multitail -h the syntax help is output with a wide selection of possible parameters.