Home / ubuntu / Questions / 1102995
In Process
alebal
Asked: 2018-12-19 19:19:09 +0800 CST

What is the best way to stop attacks at wp-login.php?

  • 772

In the access logs of my server I find thousands of attempts to access wp-login.php, but none of the sites on my server is wordpress...

37.19.108.121 - - [19/Dec/2018:02:31:10 +0000] "GET /wp-login.php HTTP/1.1" 301 525 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
37.19.108.121 - - [19/Dec/2018:02:31:11 +0000] "GET /wp-login.php HTTP/1.1" 403 14611 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
179.189.156.125 - - [19/Dec/2018:02:36:14 +0000] "GET /wp-login.php HTTP/1.1" 301 527 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
179.189.156.125 - - [19/Dec/2018:02:36:15 +0000] "GET /wp-login.php HTTP/1.1" 403 3732 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
58.26.43.39 - - [19/Dec/2018:02:40:04 +0000] "GET /wp-login.php HTTP/1.1" 301 535 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
58.26.43.39 - - [19/Dec/2018:02:40:05 +0000] "GET /wp-login.php HTTP/1.1" 403 3748 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
37.19.108.121 - - [19/Dec/2018:02:40:34 +0000] "GET /wp-login.php HTTP/1.1" 301 535 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
37.19.108.121 - - [19/Dec/2018:02:40:36 +0000] "GET /wp-login.php HTTP/1.1" 403 14663 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
116.199.102.237 - - [19/Dec/2018:02:48:04 +0000] "GET /wp-login.php HTTP/1.1" 301 525 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
116.199.102.237 - - [19/Dec/2018:02:48:04 +0000] "GET /wp-login.php HTTP/1.1" 403 3907 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
201.92.187.24 - - [19/Dec/2018:02:48:32 +0000] "GET /wp-login.php HTTP/1.1" 301 537 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
201.92.187.24 - - [19/Dec/2018:02:48:33 +0000] "GET /wp-login.php HTTP/1.1" 403 16139 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
58.26.43.39 - - [19/Dec/2018:02:52:44 +0000] "GET /wp-login.php HTTP/1.1" 301 533 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
58.26.43.39 - - [19/Dec/2018:02:52:45 +0000] "GET /wp-login.php HTTP/1.1" 403 3565 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
179.215.42.142 - - [19/Dec/2018:03:01:40 +0000] "GET /wp-login.php HTTP/1.1" 301 521 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
179.215.42.142 - - [19/Dec/2018:03:01:41 +0000] "GET /wp-login.php HTTP/1.1" 403 21504 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"

In my htaccess I added this rule:

RewriteCond %{REQUEST_URI} wp-login.php$ [NC]
RewriteRule . - [F,L]

But my server is always overloaded anyway.

I started to add the IPs to UFW, but they are now thousands and every day I find new ones. And probably the IPs will be dynamic and never end...

What is the best way to block these attacks without overloading the server?

I tried Fail2ban, after some online search I created this filter:

 /etc/fail2ban/filter.d/wp-login.conf 
[Definition]
failregex = ^<HOST> .* "POST .*wp-login.php
            ^<HOST> .* "GET .*wp-login.php
            ^<HOST> .* "POST .*xmlrpc.php
ignoreregex =

And added this to jail.local

[wp-login]
enabled   = true
port      = http,https
filter    = wp-login
action = iptables-multiport[name=wp-login, port="http,https", protocol=tcp]
logpath   = /var/log/apache2/access.log
maxretry  = 1
findtime = 600

But at some point was banned my IP... but I never went on wp-login.php, What's wrong? Can someone help me understand and configure fail2ban?

I removed the 3 lines and I left only one

failregex = ^<HOST> .* "GET .*/wp-login.php

seems to work better... I have no idea why, the guides I read say that you can put more rules on different lines...???

ufw

1 Answers

  1. In order to password protect a page with Apache, you need to add a new section to your Apache VirtualHost like the below:

    <DirectoryMatch ^.*/wp-admin/>
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile /etc/apache2/.htpasswd
    Require valid-user
</DirectoryMatch>

    Then set the user and password by running:

    sudo htpasswd -c /etc/apache2/.htpasswd username

    Finally, restart Apache for the changes to take effect:

    sudo service apache2 restart

    then add this code your .htaccess

    # BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /

# require www and https 
# comment out the first two if you do not need www
# comment out all lines for local dev
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^ https://www.%{HTTP_HOST}%{REQUEST_URI} [NE,L,R=301]
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [NE,L,R=301]

RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]

</IfModule>

# END WordPress


## PROTECT .HTACCESS, ERROR LOGS, WP-CONFIG.PHP AND PHP.INI FILES ##
<FilesMatch "^.*(error_log|wp-config\.php|php.ini|\.[hH][tT][aApP].*)$">
    Order deny,allow
    Deny from all
</FilesMatch>

## PREVENT WORDPRESS DIRECTORY BROWSING ##
    Options All -Indexes

## PROTECT IMPORTANT PHP FILES ##
    RewriteCond %{REQUEST_URI} !^/wp-content/plugins/mu-plugins/
    RewriteRule wp-content/plugins/(.*\.php)$ - [R=404,L]
    RewriteCond %{REQUEST_URI} !^/wp-content/themes/V2/
    RewriteRule wp-content/themes/(.*\.php)$ - [R=404,L]

    # Block the include-only files.
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^wp-admin/includes/ - [F,L]
    RewriteRule !^wp-includes/ - [S=3]
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]
    </IfModule>

## COMPRESS TEXT, HTML, JAVASCRIPT, CSS, XML ##
## BEGIN GZIP ##
    <IfModule mod_deflate.c>
        # The following line is enough for .js and .css .html
        AddOutputFilter DEFLATE js css html
        AddOutputFilterByType DEFLATE text/text text/html text/plain text/xml application/xhtml+xml text/css application/xml application/rss+xml application/atom_xml application/x-javascript application/javascript application/x-httpd-php application/x-httpd-fastphp text/html

        # The following lines are to avoid bugs with some browsers
        BrowserMatch ^Mozilla/4 gzip-only-text/html
        BrowserMatch ^Mozilla/4\.0[678] no-gzip
        BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
    </IfModule>

    # BEGIN EXPIRES
    <IfModule mod_expires.c>
        ExpiresActive On
        ExpiresDefault "access plus 10 days"
        ExpiresByType text/css "access plus 1 week"
        ExpiresByType text/plain "access plus 1 month"
        ExpiresByType image/gif "access plus 1 month"
        ExpiresByType image/png "access plus 1 month"
        ExpiresByType image/jpeg "access plus 1 month"
        ExpiresByType application/x-javascript "access plus 1 month"
        ExpiresByType application/javascript "access plus 1 week"
        ExpiresByType application/x-icon "access plus 1 year"
    </IfModule>

    <IfModule mod_headers.c>
        <FilesMatch "\.(js|css|xml|gz)$">
            Header append Vary Accept-Encoding
        </FilesMatch>
        <FilesMatch "\.(ico|jpe?g|png|gif|swf)$">
            Header set Cache-Control "public"
        </FilesMatch>
        <FilesMatch "\.(css)$">
            Header set Cache-Control "public"
        </FilesMatch>
        <FilesMatch "\.(js)$">
            Header set Cache-Control "private"
        </FilesMatch>
        <FilesMatch "\.(x?html?|php)$">
            Header set Cache-Control "private, must-revalidate"
        </FilesMatch>
    </IfModule>



## END OF HTACCESS
    • 0