Home / server / Questions / 858880
In Process
Basj
Asked: 2017-07-02 07:55:05 +0800 CST

Auto-ban IP from "wp-login.php" attackers

  • 772

When I look at my Apache log other_vhosts_access.log, I see many many attempts, from a few different IP per month like this:

www.example.com:80 91.200.x.x - - [25/Jun/2017:17:20:19 +0200] "POST /wp-login.php HTTP/1.1" 
www.example.com:80 91.200.x.x - - [25/Jun/2017:17:20:19 +0200] "POST /wp-login.php HTTP/1.1" 
www.example.com:80 91.200.x.x - - [25/Jun/2017:17:20:20 +0200] "POST /wp-login.php HTTP/1.1"

It seems to be brute-force attacks.

Is there a simple way to auto-ban (no link with Autobahn) these attackers?

  • If I do it with a Wordpress plugin, the traffic will still go into PHP, wasting resources, etc.

  • If I do it at Apache level, it will surely still waste resource

  • Should I do it at lowest level possible? i.e. IP tables?

Is there a tool that looks for such attackers in other_vhosts_access.log and automatically ban them in iptables?

apache-2.2

1 Answers

  1. I finally just found a solution (I'll see if it works in a few days): fail2ban.

    Let's put this in /etc/fail2ban/jail.conf:

    #
# HTTP servers
#

[apache-wp-login]
enabled = true
port    = http,https
filter  = apache-wp-login
logpath = /var/log/apache2/other*.log
maxretry = 6
findtime = 36000
bantime = 36000

    Then this in /etc/fail2ban/filter.d/apache-wp-login.conf:

    [Definition]
failregex = .*:(80|443) <HOST> .*/wp-login.php.*
ignoreregex =

    Then let's start the service and look at the bans:

    service fail2ban start
tail -f /var/log/fail2ban.log

    Very useful: this can help to debug the filtering regex and see if it works or not:

    fail2ban-regex /var/log/apache2/other_vhosts_access.log /etc/fail2ban/filter.d/apache-wp-login.conf
    • 3