How to ban IP addresses that are brute forcing your wp-login.php and xmlrpc.php with fail2ban on a RunCloud server.

 

Add a WordPress fail2ban filter

Create a wordpress.conf file in /etc/fail2ban/filter.d/

[Definition]
failregex = ^<HOST> .* "POST .*wp-login.php
            ^<HOST> .* "POST .*xmlrpc.php
ignoreregex =

If you only want to ban on one of the two endpoints, remove the other line.

 

Add a WordPress fail2ban Jail config

Create a wordpress.conf file in /etc/fail2ban/jail.d/

[wordpress]
enabled = true
port = http,https
filter = wordpress
banaction = firewallcmd-new
logpath = /home/*/logs/nginx/*_access.log
maxretry = 2
findtime = 10800
bantime = 86400

Change maxretry, bantime or findtime if needed. The logpath uses the RunCloud log paths, and the banaction value of firewallcmd-new hooks in nicely with iptables, so the IPs banned by fail2ban show up in iptables.
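The filter and jail values above, replayed over constructed access-log lines to show which hosts would reach the ban threshold (an added example, not part of the original post). It is a simplified model of fail2ban's counting; the IPv4 stand-in for <HOST>, the sample log and the function name banned_hosts are assumptions, and ignoreip mirrors fail2ban's jail option of the same name.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

MAXRETRY, FINDTIME = 2, 10800  # jail values from the page (findtime in seconds)

# fail2ban expands <HOST> itself; a plain IPv4 group stands in for it (assumption).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAILREGEX = [re.compile(rx.replace("<HOST>", HOST)) for rx in (
    r'^<HOST> .* "POST .*wp-login.php',   # filter lines as given on the page
    r'^<HOST> .* "POST .*xmlrpc.php',
)]
TIMESTAMP = re.compile(r"\[([^\]]+)\]")

# Constructed nginx access-log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
192.0.2.99 - - [23/Jul/2020:08:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Jul/2020:20:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "curl/7.68.0"
203.0.113.7 - - [23/Jul/2020:20:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "curl/7.68.0"
198.51.100.20 - - [23/Jul/2020:20:05:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.55 - - [23/Jul/2020:20:06:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
192.0.2.99 - - [23/Jul/2020:20:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
198.51.100.20 - - [23/Jul/2020:20:40:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

def banned_hosts(log_text, ignoreip=()):
    """Return hosts reaching MAXRETRY matches within FINDTIME, in ban order."""
    hits, banned = defaultdict(deque), []
    for line in log_text.splitlines():
        match = next(filter(None, (rx.match(line) for rx in FAILREGEX)), None)
        stamp = TIMESTAMP.search(line)
        if not match or not stamp or match.group("host") in ignoreip:
            continue
        host = match.group("host")
        when = datetime.strptime(stamp.group(1), "%d/%b/%Y:%H:%M:%S %z").timestamp()
        window = hits[host]
        window.append(when)
        while when - window[0] > FINDTIME:   # drop matches older than findtime
            window.popleft()
        if len(window) >= MAXRETRY and host not in banned:
            banned.append(host)
    return banned

if __name__ == "__main__":
    print(banned_hosts(SAMPLE_LOG))
    print(banned_hosts(SAMPLE_LOG, ignoreip={"198.51.100.20"}))
```

The filter never looks at the response status, so every POST to either endpoint counts toward maxretry; the GET request and the two POSTs more than findtime apart do not trigger a ban.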

 

Restart fail2ban

service fail2ban restart

 

Check fail2ban Log

Check the fail2ban log to make sure everything loads without errors:

tail -f /var/log/fail2ban.log

 

Check wordpress Jail status

You can check the WordPress jail status:

fail2ban-client status wordpress

This will give you the log file list and any banned IP addresses.

 

Manually ban an IP address

fail2ban-client set wordpress banip 1.2.3.4

 

Manually unban an IP address

fail2ban-client set wordpress unbanip 1.2.3.4

 

See banned IPs in iptables from fail2ban

List all of them:

iptables -v -L f2b-wordpress

Or search for a particular one:

iptables -nL | grep -i 1.2.3.4

 


4 Comments

  1. Zachary on July 23, 2020 at 8:44 pm

    Unfortunately this bans based on login attempts, not failed logins, and I have multiple sites running on the same server so I happened to hit the ban threshold just by logging in successfully to my websites.

    • Neil Gowran on July 24, 2020 at 2:53 am

      You can whitelist your IP address in the ignoreip attribute

  2. Zachary on July 12, 2020 at 2:13 am

    Could you tell me how to update the failregex to also catch failed logins at a sub directory of /my-account/?

    • Neil Gowran on July 12, 2020 at 7:03 am

      You could do….

      [Definition]
      failregex = ^<HOST> .* "POST .*wp-login.php
                  ^<HOST> .* "POST .*/my-account/
