All HowTo's Cyber-Security Redhat, Fedora and CentOS Linux Web Servers

Using Fail2Ban to Protect WordPress Logins (CentOS)

This article demonstrates how to use Fail2Ban to block IP addresses attempting to compromise a WordPress instance via the login process. In this walk-through, we’re using CentOS 7 and FirewallD. Just be aware that if you’re using a caching service like CloudFlare, you can’t use this method because you’ll block the cache and not the source of the traffic.

Install Fail2Ban:

yum install fail2ban fail2ban-firewalld

Edit the “/etc/fail2ban/jail.conf” file. Add the following chunk to the bottom of that file. Notice the log file to be monitored. You can either specify it exactly or use a wild-card:

enabled = true
action = iptables-multiport[name=wordpress, port="http,https", protocol=tcp]
port = http,https
filter = apache-wordpress-login
logpath = /var/log/httpd/*_log
bantime = 36000
findtime = 600
maxretry = 1

And modify the “ignoreip” line to include the IP that you’re coming from (so you don’t get kicked out):

ignoreip = ::1 my.ip.address

And set the following to ensure FirewallD is assumed:

#banaction = iptables-multiport
banaction = firewallcmd-ipset

Create the file “/etc/fail2ban/filter.d/apache-wordpress-login.conf” and enter the following content:

mode = normal
failregex = ^ .* "POST .*wp-login.php

Enable and Start Fail2Ban:

systemctl enable fail2ban
systemctl start fail2ban

Check the status of Fail2Ban blocking hosts:

fail2ban-client status apache-wordpress-login
firewall-cmd --list-all
iptables -L -n
tail -f /var/log/fail2ban.log

Leave a Reply

Your email address will not be published. Required fields are marked *