Protecting Apache webservers from WordPress admin login dictionary attacks with fail2ban


A very popular webserver I administer has been getting more attention from the script kiddies, and the Apache access log has been filling up with repeated hits to “POST wp-login.php” as scripts cycle through dictionary attacks. So it was time to invest some time in better security. And fail2ban seemed to be the way to go.

Installation is simple on Ubuntu as it’s supplied as a package:

sudo apt-get update
sudo apt-get install fail2ban

By default under version 0.8.2, only sshd protection is auto enabled. I’ve also enabled the apache-noscript filter included in the package, and so far have just added an additional filter to block the repeated attempts on WordPress admin login. This needs to allow a valid admin login, possibly one or two genuine password mistypes, and the self-referential redirect after login.

/etc/fail2ban/filters.d/apache-wp-login.conf

# Fail2Ban configuration file
#
# Author: Tim Connors
#
# $Revision: 668 $
#

[Definition]

# Option:  failregex
# Notes.:  Regexp to catch Apache dictionary attacks on Wrodpress wp-login
# Values:  TEXT
#
failregex = <HOST>.*] "POST /wp-login.php

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

And added to /etc/fail2ban jail.local (don’t forget to copy jail.conf to jail.local after installation)

[apache-wp-login]

enabled = true
port    = http,https
filter  = apache-wp-login
logpath = /var/log/apache*/*access.log
maxretry = 5
findtime = 120

This seems to work okay, but maybe the timings need a bit of tweaking after testing.

  1. Thanks – that worked a treat…. :)

  2. Fail2ban filter for Wordpress | David Goodwin - pingback on April 17, 2013 at 2:58 pm

Leave a Comment


NOTE - You can use these HTML tags and attributes:
<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Trackbacks and Pingbacks: