
Tag: bruteforce

Posted on July 9, 2015

Using fail2ban to block WordPress login attacks

Today and over the past few days I’ve often been flooded with POST requests that look like this:

103.19.180.119 - - [09/Jul/2015:10:50:02 +0200] "POST /wp-login.php HTTP/1.1" 403 1139
103.19.180.119 - - [09/Jul/2015:10:50:03 +0200] "POST /wp-login.php HTTP/1.1" 403 1139
103.19.180.119 - - [09/Jul/2015:10:50:04 +0200] "POST /wp-login.php HTTP/1.1" 403 1139
103.19.180.119 - - [09/Jul/2015:10:50:04 +0200] "POST /wp-login.php HTTP/1.1" 403 1139
103.19.180.119 - - [09/Jul/2015:10:50:05 +0200] "POST /wp-login.php HTTP/1.1" 403 1139
103.19.180.119 - - [09/Jul/2015:10:50:06 +0200] "POST /wp-login.php HTTP/1.1" 403 1139

To stop these attacks we found we had to install fail2ban with CSF.

The way to perform this is to install fail2ban first using:

rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
yum install fail2ban

Once installed go to:

/etc/fail2ban

Then edit the jail.local file and add the following:

[wp-auth]
enabled = true
filter = wp-auth
action = csf-ip-deny[name=wordpress, port="http,https"]
logpath = /etc/httpd/logs/access_log
bantime = 300
maxretry = 3

Once done, go to /etc/fail2ban/action.d, create a file called csf-ip-deny.conf, and add the following to it:

# CSF / fail2ban integration
[Definition]
actionstart =
actionstop =
actioncheck =
actionban = csf -d <ip> Added by Fail2Ban for <name>
actionunban = csf -dr <ip>

[Init]

name = default

After that, go to /etc/fail2ban/filter.d, create a file called wp-auth.conf, and add the following to it:

# WordPress brute force auth filter: /etc/fail2ban/filter.d/wp-auth.conf
#
# Block IPs hammering the WordPress login page.
# Only POSTs to wp-login.php that the server answered with 403 are counted.
#
# Matches e.g.
# 103.19.180.119 - - [09/Jul/2015:10:50:02 +0200] "POST /wp-login.php HTTP/1.1" 403 1139
#
# The ban/unban commands belong in action.d/csf-ip-deny.conf, not in this filter.
[Definition]
failregex = ^<HOST> .* "POST .*wp-login\.php HTTP/1\.1" 403
ignoreregex =

Once done, restart fail2ban:

service fail2ban restart

You should now find the offending IPs blocked in the CSF deny list. 🙂
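
The following is an added example, not part of the original post: it checks a candidate failregex against access-log lines like the ones above before the filter is loaded, comparing a pattern whose closing quote sits after the status code with one whose quote sits after the protocol, where Apache puts it. The <HOST> stand-in is IPv4-only, findtime is ignored, and the 198.51.100.7 and 203.0.113.9 lines are constructed.

```python
import re
from collections import Counter

# Constructed sample modelled on the access-log lines shown in the post.
SAMPLE_LOG = """\
103.19.180.119 - - [09/Jul/2015:10:50:02 +0200] "POST /wp-login.php HTTP/1.1" 403 1139
103.19.180.119 - - [09/Jul/2015:10:50:03 +0200] "POST /wp-login.php HTTP/1.1" 403 1139
103.19.180.119 - - [09/Jul/2015:10:50:04 +0200] "POST /wp-login.php HTTP/1.1" 403 1139
198.51.100.7 - - [09/Jul/2015:10:50:05 +0200] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.7 - - [09/Jul/2015:10:50:06 +0200] "GET /wp-login.php HTTP/1.1" 200 2930
203.0.113.9 - - [09/Jul/2015:10:50:07 +0200] "POST /wp-login.php HTTP/1.1" 403 1139
"""

# Simplified stand-in for fail2ban's <HOST> tag (assumption: IPv4 only;
# the real tag also covers hostnames and IPv6).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Closing quote after the status code: never lines up with Apache's format.
QUOTE_AFTER_STATUS = r'^<HOST> .* "POST .*wp-login.php HTTP/1.1 403"'
# Closing quote after the protocol, status code outside the quotes.
QUOTE_AFTER_PROTOCOL = r'^<HOST> .* "POST .*wp-login\.php HTTP/1\.1" 403'


def hits_per_host(failregex, log_text):
    """Count failregex matches per source address."""
    pattern = re.compile(failregex.replace("<HOST>", HOST))
    counts = Counter()
    for line in log_text.splitlines():
        match = pattern.search(line)
        if match:
            counts[match.group("host")] += 1
    return counts


def would_ban(failregex, log_text, maxretry=3):
    """Addresses whose match count reaches maxretry (the jail's value)."""
    counts = hits_per_host(failregex, log_text)
    return sorted(host for host, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    for label, rx in (("quote after status", QUOTE_AFTER_STATUS),
                      ("quote after protocol", QUOTE_AFTER_PROTOCOL)):
        print(label, dict(hits_per_host(rx, SAMPLE_LOG)),
              would_ban(rx, SAMPLE_LOG))
```

On the server itself, fail2ban-regex /etc/httpd/logs/access_log /etc/fail2ban/filter.d/wp-auth.conf runs the same check with fail2ban's real <HOST> expansion.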




Posted on July 2, 2015

How To block WordPress Login attacks to 100s of websites on a Shared Server

The script is complete! Currently compatible with cPanel servers.

It creates a new random alphanumeric username and math equation every time it runs. The user is asked to enter the random username and the sum of the two random numbers when accessing any wp-login.php on the server.

Instructions:
1) Run this command in SSH:

Code:
touch /usr/local/apache/conf/includes/wordpressprotect.conf

2) Open /usr/local/apache/conf/includes/pre_virtualhost_global.conf
Remove any other code which you may have added for wp-login.php HTTP protection and add this line at the beginning of the file:

Code:
Include "/usr/local/apache/conf/includes/wordpressprotect.conf"

Now save /usr/local/apache/conf/includes/pre_virtualhost_global.conf

3) Create a shell script, with any name, for example wp-login.sh and add this code:

Code:
#!/bin/bash
# $RANDOM below is a bash feature, so run this script with bash.

echo "Generating random username (6 alphanumeric characters)..."
username=$(cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 6 | head -n 1)

echo "Generating two random numbers for math..."
# n1 is in 10..29, n2 is in 1..9
n1=$((RANDOM%20+10))
n2=$((RANDOM%9+1))
result=$(($n1 + $n2))

echo "Creating and saving configuration file..."

CONFFILE="\n
<LocationMatch \"wp-login.php\">\n
AuthType basic\n
AuthName \"WordPress attack protection. Please verify that you are a legitimate user and not an attack bot which attempts to hack this site. DO NOT ENTER HERE YOUR WP-ADMIN USERNAME AND PASSWORD. Enter username: $username Password: The result of math $n1+$n2\"\n
AuthUserFile /home/wp-admin-attack-htpasswd-file\n
Require valid-user\n
</LocationMatch>\n
ErrorDocument 401 \"Authentication required\"\n
\n"


echo -e $CONFFILE > /usr/local/apache/conf/includes/wordpressprotect.conf
# Config and password files only need to be readable, not executable
/bin/chmod 0644 /usr/local/apache/conf/includes/wordpressprotect.conf
/bin/rm -f /home/wp-admin-attack-htpasswd-file
/usr/local/apache/bin/htpasswd -bc /home/wp-admin-attack-htpasswd-file $username $result
/bin/chmod 0644 /home/wp-admin-attack-htpasswd-file

echo "Restarting Apache (and nginx if exists)..."
/etc/init.d/httpd restart
echo "All done!"

Save it and make it executable:

Code:
chmod +x wp-login.sh

Now, every time you want to create new HTTP authentication credentials for all wp-login.php files on the server, just run this new script.

Code:
./wp-login.sh

Users (or bots) visiting any wp-login.php file will see the message in the attached screenshot.

You can create a cron job which runs this script as often as you want, to set a new random username and math equation.
For example, for every 15 minutes:

Code:
*/15 * * * * /path/to/wp-login.sh

Thanks to NetworkPanda on WebHostingTalk.com
