In a previous article we did an install of Fail2ban on a FreeBSD server. This tool can help us to protect our WordPress install, independatly from if we are using the FAMP stack or the LAMP stack. As I mentioned on that article Fail2ban is a complementary tool to our firewall. It works by scanning log files and banning IPs suspicious activity reflected on those very logs. If this is the first contact you have with the tool I encourage you to read that article so you get the whole idea.
On that occasion we protected SSH connections. Now we will use Fail2ban with WordPress so we will protect at least https connections. If we are still using plain http we can do that too, but if you are login into systems withouth any encryption you will easily get in trouble some time down the road if you haven’t had any already. Here there’s a guide for you if you haven’t enabled that on your WordPress site yet provided you have already done that on your web server!.
If you have already installed Fail2ban in your system the following procedure will be familiar to you. But do not worry if you haven’t, I have written it for first timers too. I happen to use FreeBSD a lot so I will use the tools in this system. UNIX-like systems do not differ much between them. So when looking for a package we use the pkg tool, instead of the apt from Ubuntu, the zypper on or the yum in CentOS. Configuration paths are a bit different though. On Linux everything falls into the /etc directory. For us that is only for system files, applications such as Apache or Fail2ban go to /usr/local/etc. That’s it.
So we get into our system.
Politburo@CCCP:~ % uname -a
FreeBSD CCCP 11.2-RELEASE-p2 FreeBSD 11.2-RELEASE-p2 #0: Tue Aug 14 21:45:40 UTC 2018 root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC amd64
Politburo@CCCP:~ %
We look for the Fail2ban package.
Politburo@CCCP:~ % pkg search fail2ban
py27-fail2ban-0.10.1_1 Scans log files and bans IP that makes too many password failures
py36-fail2ban-0.10.1_1 Scans log files and bans IP that makes too many password failures
Politburo@CCCP:~ %
I do the install for the package using Python3.
Politburo@CCCP:~ % sudo pkg install py36-fail2ban-0.10.3.1_1
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 4 package(s) will be affected (of 0 checked):
New packages to be INSTALLED:
py36-fail2ban: 0.10.3.1_1
python36: 3.6.6_1
py36-setuptools: 40.0.0
py36-sqlite3: 3.6.6_7
Number of packages to be installed: 4
The process will require 108 MiB more space.
16 MiB to be downloaded.
Proceed with this action? [y/N]: y
.......
some amount of output
Politburo@CCCP:~ %
On FreeBSD we chan choose between two packages. I’ve chosen the one running with Python3. This may not be the case with other distros, where there may be only one option. Both work the same, so no worries.
Fail2ban allows you to protect services giving those one configuration file inside the jail.d directory. Do not get confused with FreeBSD jails, that’s another story not related to this. Placing this files in the jail.d directory you can set different services and different policies for each. We will now create that file into that directory in order to use Fail2ban with WordPress.
Politburo@CCCP:~ % sudo vi /usr/local/etc/fail2ban/jail.d/wordpress-auth.conf
Inside this file we’ll put the following rules:
[wordpress]
enabled = true
port = http,https
filter = wordpress
action = ipfw[name=wordpress, port="http,https", protocol=tcp]
logpath = /var/log/yourlogfile_log
maxretry = 3
findtime = 10800
bantime = 86400
Notice the action rule, where you need to call out the firewall you are using. On Linux you would be calling iptables, but on FreeBSD you may be using ipfw like in this case, the great pf or even ipfilter since in FreeBSD you can choose among three different firewalls.
Next step. Fail2ban incorporates a directory where it has some configuration files already in place. However WordPress is not present, so we will create that file with very simple instructions.
Politburo@CCCP:~ % sudo vi /usr/local/etc/fail2ban/filter.d/wordpress.conf
Put these rules in:
[Definition]
failregex = <HOST>.*] "POST /wp-login.php
Now. Since we are in FreeBSD land we have to make the service run and make it permanent. So we will issue the following command (Linux users don’t do this!).
Politburo@CCCP:~ % sudo sysrc fail2ban_enable="YES"
fail2ban_enable: -> YES
Politburo@CCCP:~ %
Linux users may have only to restart fail2ban by typing something similar to:
sudo service fail2ban restart
If your distro happens to use Systemd it may be something similar to:
sudo systemctl restart fail2ban
Now if you want to check Fail2ban in action try to log in to your WordPress more than 3 times. On the fourth attempt you should receive a denial and a timeout. If you want it to be a short ban time, let’s say for the next 15 minutes, the figure to place in the bantime rule should be 900 seconds. Enjoy your waiting.
You can also use the fail2ban client program to check the bans in your system by typing this command:
sudo fail2ban-client status wordpress
So this is all in this how to use Fail2ban with WordPress guide. I hope it’s been useful for you and you have a safer site now.