Today and over the past few days I've often been flooded with POST requests that look like this:
    103.19.180.119 - - [09/Jul/2015:10:50:02 +0200] "POST /wp-login.php HTTP/1.1" 403 1139
    103.19.180.119 - - [09/Jul/2015:10:50:03 +0200] "POST /wp-login.php HTTP/1.1" 403 1139
    103.19.180.119 - - [09/Jul/2015:10:50:04 +0200] "POST /wp-login.php HTTP/1.1" 403 1139
    103.19.180.119 - - [09/Jul/2015:10:50:04 +0200] "POST /wp-login.php HTTP/1.1" 403 1139
    103.19.180.119 - - [09/Jul/2015:10:50:05 +0200] "POST /wp-login.php HTTP/1.1" 403 1139
    103.19.180.119 - - [09/Jul/2015:10:50:06 +0200] "POST /wp-login.php HTTP/1.1" 403 1139

To stop these attacks we found we had to install fail2ban and have it hand the offending addresses to CSF. First install fail2ban from EPEL:

    rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
    yum install fail2ban

Once installed, go to /etc/fail2ban and add the following jail to jail.local (bantime is in seconds; findtime is not set here, so fail2ban's default of 600 seconds applies):

    [wp-auth]
    enabled  = true
    filter   = wp-auth
    action   = csf-ip-deny[name=wordpress port="http,https"]
    logpath  = /etc/httpd/logs/access_log
    bantime  = 300
    maxretry = 3

Next, go to /etc/fail2ban/action.d and create a file called csf-ip-deny.conf containing:

    # CSF / fail2ban integration
    [Definition]
    actionstart =
    actionstop =
    actioncheck =
    actionban = csf -d <ip> Added by Fail2Ban for <name>
    actionunban = csf -dr <ip>

    [Init]
    name = default

The port parameter passed in from the jail is not used by this action: csf -d blocks the address on all ports, and csf -dr removes the entry again when the ban expires. Keep in mind that CSF caps the size of csf.deny (DENY_IP_LIMIT in csf.conf), so a short bantime like the 300 seconds above keeps the list from filling up.

Then go to /etc/fail2ban/filter.d and create a file called wp-auth.conf containing:

    # WordPress brute force auth filter: /etc/fail2ban/filter.d/wp-auth.conf
    #
    # Block IPs trying to auth against wp-login.php
    #
    # Matches e.g.
    # 103.19.180.119 - - [09/Jul/2015:10:50:02 +0200] "POST /wp-login.php HTTP/1.1" 403 1139
    #
    [Definition]
    failregex = ^<HOST> .* "POST .*wp-login\.php HTTP/1\.1" 403
    ignoreregex =

Two things to watch in the filter. The closing quote of the request line has to come before the status code (... HTTP/1.1" 403), as in the access log itself; a pattern with the quote after the status code never matches, and the jail then silently bans nothing. And actionban/actionunban belong only in the action file, not in the filter. Test the filter against the live log before relying on it:

    fail2ban-regex /etc/httpd/logs/access_log /etc/fail2ban/filter.d/wp-auth.conf

Once done, restart fail2ban:

    service fail2ban restart

And now you should find the attacking IPs being blocked within the CSF deny list (csf -g <ip> shows how a given address is currently handled). 🙂
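To see how the filter and jail settings above combine, here is an added example (not code from the post or from fail2ban) that replays the matching and counting logic over a handful of constructed access-log lines in the same format as the ones shown. It substitutes a simplified `\S+` for fail2ban's `<HOST>` placeholder, assumes the default findtime of 600 seconds since the jail does not set one, and only builds the `csf -d` command strings instead of running CSF. It also shows that a pattern with the closing quote after the status code matches none of the lines.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in the post's access_log format (no referer/UA fields).
# 203.0.113.7 and 198.51.100.9 are documentation addresses, not real attackers.
SAMPLE_LOG = """\
103.19.180.119 - - [09/Jul/2015:10:50:02 +0200] "POST /wp-login.php HTTP/1.1" 403 1139
103.19.180.119 - - [09/Jul/2015:10:50:03 +0200] "POST /wp-login.php HTTP/1.1" 403 1139
103.19.180.119 - - [09/Jul/2015:10:50:04 +0200] "POST /wp-login.php HTTP/1.1" 403 1139
203.0.113.7 - - [09/Jul/2015:10:50:04 +0200] "GET /wp-login.php HTTP/1.1" 200 2930
203.0.113.7 - - [09/Jul/2015:10:50:05 +0200] "POST /wp-login.php HTTP/1.1" 403 1139
198.51.100.9 - - [09/Jul/2015:10:55:09 +0200] "POST /wp-login.php HTTP/1.1" 403 1139
"""

# Corrected failregex: the request line's closing quote precedes the status code.
FAILREGEX = r'^<HOST> .* "POST .*wp-login\.php HTTP/1\.1" 403'
# Pattern with the quote after the status code: never matches a real log line.
BROKEN_FAILREGEX = r'^<HOST> .* "POST .*wp-login.php HTTP/1.1 403"'

# Simplified stand-in for fail2ban's <HOST> (fail2ban's own is IPv4/IPv6/hostname aware).
HOST_RE = r'(?P<host>\S+)'
TIME_RE = re.compile(r'\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]')

FINDTIME = 600   # assumed: fail2ban's default, since the jail does not set findtime
MAXRETRY = 3     # from the [wp-auth] jail


def compile_failregex(pattern):
    """Turn a fail2ban-style failregex into a Python regex."""
    return re.compile(pattern.replace('<HOST>', HOST_RE))


def count_matches(pattern, log_text):
    """How many lines of log_text the failregex would flag (like fail2ban-regex does)."""
    rx = compile_failregex(pattern)
    return sum(1 for line in log_text.splitlines() if rx.search(line))


def parse_time(line):
    """Extract the request timestamp (offset ignored; all lines share one zone)."""
    return datetime.strptime(TIME_RE.search(line).group(1), '%d/%b/%Y:%H:%M:%S')


def bans(log_text, failregex=FAILREGEX, maxretry=MAXRETRY,
         findtime=FINDTIME, name='wordpress'):
    """Replay the jail: ban a host on its maxretry-th match within findtime seconds.

    Returns (banned_hosts, csf_commands) in ban order. Nothing is executed.
    """
    rx = compile_failregex(failregex)
    hits = defaultdict(deque)     # host -> timestamps of recent matches
    banned, commands = [], []
    for line in log_text.splitlines():
        m = rx.search(line)
        if not m:
            continue
        host = m.group('host')
        if host in banned:
            continue
        ts = parse_time(line)
        window = hits[host]
        window.append(ts)
        # Drop matches that fell out of the findtime window.
        while window and ts - window[0] > timedelta(seconds=findtime):
            window.popleft()
        if len(window) >= maxretry:
            banned.append(host)
            # Same command shape as actionban in csf-ip-deny.conf.
            commands.append(f'csf -d {host} Added by Fail2Ban for {name}')
    return banned, commands


if __name__ == '__main__':
    print('broken pattern matches:', count_matches(BROKEN_FAILREGEX, SAMPLE_LOG))
    print('fixed pattern matches:', count_matches(FAILREGEX, SAMPLE_LOG))
    for cmd in bans(SAMPLE_LOG)[1]:
        print(cmd)
```

Running it shows the broken pattern flagging zero lines while the corrected one flags the five POST/403 lines, and only 103.19.180.119 reaching maxretry inside the window; the single GET with a 200 and the lone POSTs from the other two addresses are left alone.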