Ubuntu – fail2ban to block WordPress brute force attacks on wp-login.php

Tags: apache-2.2, fail2ban, Ubuntu, Wordpress

Is there a way to set up fail2ban to block an IP that hits wp-login too many times?

I have tried adding this to jail.local:

[apache-wp-login]

enabled = true
action   = iptables[name=wplogin, port=http, protocol=tcp]
           sendmail-whois[name=wplogin, dest=root, sender=fail2ban@example.com]
filter  = apache-wp-login
logpath = /var/log/apache2/other_vhosts_access.log
maxretry = 5

And then adding a definition in /etc/fail2ban/filter.d/apache-wp-login.conf:

[Definition]

# Option:  failregex
# Notes.:  Regexp to catch Apache dictionary attacks on WordPress wp-login
# Values:  TEXT
#
failregex = [\w\.\-]+ [\w\.\-]+ .*] "POST /wp-login.php

Still getting wp-login attempts way over the maxretry limit… could this be because I'm using the combined log format instead of common?

Best Answer

I modified my WordPress theme functions.php file to add the following:

// hook the failed-login action so every failure is written to the PHP/Apache error log
add_action('wp_login_failed', 'log_wp_login_fail');

function log_wp_login_fail($username) {
    error_log("WP login failed for username: $username");
}

Failed logins are now written to my error logs.

My apache-wp-config.conf looks like this:

[Definition]
failregex = [[]client <HOST>[]] WP login failed.*
ignoreregex =

And my jail.local contains the following:

[apache-wp-login]
enabled  = true
filter   = apache-wp-login
action   = iptables-multiport[name=apache-wp-login, port="http,https"]
           sendmail-whois[name=apache-wp-login, dest=root, sender=fail2ban@example.com]
logpath  = /home/*/logs/*error.log
bantime  = 720
maxretry = 6

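As an added check that is part of neither the question nor the answer: a small Python harness that imitates what fail2ban does when it loads a failregex (substituting the <HOST> tag and demanding a named `host` group) and then runs the answer's filter over constructed Apache 2.2 error-log lines, tallying failures per client and applying maxretry. It also shows why the question's filter never bans anyone regardless of log format: it contains no <HOST>, and fail2ban refuses to load a failregex without a host group because it would have no address to ban. The <HOST> substitution here is simplified (fail2ban's own is stricter about what a host may look like), the log lines and IPs are constructed from documentation ranges, and `compile_failregex`, `filter_loads` and `count_failures` are names chosen for this example.

```python
import re
import warnings
from collections import Counter

# Simplified stand-in for what fail2ban substitutes for the <HOST> tag.
# fail2ban's own substitution is stricter; this is an assumption for the harness.
HOST_RE = r"(?P<host>\S+)"

# The filter from the answer and the one from the question, verbatim.
ANSWER_FAILREGEX = r"[[]client <HOST>[]] WP login failed.*"
QUESTION_FAILREGEX = r'[\w\.\-]+ [\w\.\-]+ .*] "POST /wp-login.php'

# Constructed Apache 2.2 error-log lines (documentation IP ranges, not real
# traffic), shaped like the output of the answer's error_log() hook.
SAMPLE_ERROR_LOG = [
    "[Thu Jan 16 09:12:01 2014] [error] [client 203.0.113.5] WP login failed for username: admin",
    "[Thu Jan 16 09:12:03 2014] [error] [client 203.0.113.5] WP login failed for username: admin",
    "[Thu Jan 16 09:12:05 2014] [error] [client 203.0.113.5] WP login failed for username: administrator",
    "[Thu Jan 16 09:12:07 2014] [error] [client 198.51.100.7] WP login failed for username: editor",
    "[Thu Jan 16 09:12:09 2014] [error] [client 203.0.113.5] WP login failed for username: root",
    "[Thu Jan 16 09:12:11 2014] [error] [client 203.0.113.5] WP login failed for username: test",
    "[Thu Jan 16 09:12:13 2014] [error] [client 198.51.100.7] WP login failed for username: editor",
    "[Thu Jan 16 09:12:15 2014] [error] [client 203.0.113.5] WP login failed for username: admin",
    "[Thu Jan 16 09:13:00 2014] [error] [client 203.0.113.5] File does not exist: /var/www/favicon.ico",
]


def compile_failregex(failregex):
    """Expand <HOST> and compile the pattern the way fail2ban does before
    matching. fail2ban refuses to load a failregex without a 'host' group,
    because it would have no IP to ban; mirror that by raising ValueError."""
    with warnings.catch_warnings():
        # Python 3.7+ flags the "[[]" idiom as a possible nested set; it is
        # still just a literal "[" here, so silence that warning.
        warnings.simplefilter("ignore", FutureWarning)
        pattern = re.compile(failregex.replace("<HOST>", HOST_RE))
    if "host" not in pattern.groupindex:
        raise ValueError("no 'host' group in failregex: fail2ban would reject this filter")
    return pattern


def filter_loads(failregex):
    """True if fail2ban would accept the filter, False if it has no <HOST>."""
    try:
        compile_failregex(failregex)
        return True
    except ValueError:
        return False


def count_failures(failregex, log_lines, maxretry):
    """Apply the filter to each line, tally failures per host and return
    (counts, hosts that reached maxretry). findtime is ignored here, so all
    sample lines are treated as falling inside one window."""
    pattern = compile_failregex(failregex)
    counts = Counter()
    for line in log_lines:
        match = pattern.search(line)
        if match:
            counts[match.group("host")] += 1
    banned = sorted(host for host, n in counts.items() if n >= maxretry)
    return dict(counts), banned


if __name__ == "__main__":
    counts, banned = count_failures(ANSWER_FAILREGEX, SAMPLE_ERROR_LOG, maxretry=6)
    print("failures per host:", counts)
    print("would be banned:", banned)
    print("question's filter would load:", filter_loads(QUESTION_FAILREGEX))
```

Run it as-is to see the tallies, or replace SAMPLE_ERROR_LOG with lines copied from your own error log. The same check against a live log and filter file, with the real <HOST> expansion and findtime handling, is what the `fail2ban-regex` tool does, e.g. `fail2ban-regex /var/log/apache2/error.log /etc/fail2ban/filter.d/apache-wp-login.conf`. One caveat: Apache 2.4 writes `[client 203.0.113.5:54321]` with a source port in its error log, so the `[]]` directly after <HOST> in the answer's pattern no longer follows the bare address there and the regex must allow the port.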
