Securing WordPress (or any site) with fail2ban: prevent vuln scanners, flood and bruteforce attack

How to secure WordPress using advanced tools like fail2ban.

EDIT

These rules can cut search engines off from your server, and they affect all the sites hosted on the machine you are working on. I'm writing this because in the end it turned out that a better solution to prevent distributed flooding is to use iptables with custom rules.

Fail2ban is one of my favourite server-securing tools, because it not only protects against several of the consequences of being attacked by some script kiddie, but it also saves a lot of system resources that would otherwise be wasted serving pages to bots and the like.
I just discovered an annoying and repeated entry in my access logs which leads to a 403 (forbidden) or 404 error page (I faked it a little so it makes sense for this article), and I decided to let a specialised tool do the job instead of a WordPress plugin, which would act at the PHP/MySQL level, having to generate server headers each time and, here again, wasting server resources.

Some of these log entries looked like this:

Note: I don't care about this guy's privacy, and if these are zombies, I don't care anyway.

92.101.209.111 - - [02/Jan/2013:07:25:58 +0000] "GET /browserToolbarGetData?v=2 HTTP/1.1" 403 493 "-" "MailRuSputnik"
92.101.209.111 - - [02/Jan/2013:07:25:59 +0000] "GET /browserToolbarGetData?v=2 HTTP/1.1" 403 493 "-" "MailRuSputnik"
193.201.230.56 - - [02/Jan/2013:07:25:59 +0000] "GET /browserToolbarGetData?v=2 HTTP/1.1" 404 519 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0.2) Gecko/20100101 Firefox/10.0.2"
193.201.230.56 - - [02/Jan/2013:07:25:59 +0000] "GET /browserToolbarGetData?v=2 HTTP/1.1" 404 518 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0.2) Gecko/20100101 Firefox/10.0.2"
193.201.230.56 - - [02/Jan/2013:07:25:59 +0000] "GET /browserToolbarGetData?v=2 HTTP/1.1" 404 518 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0.2) Gecko/20100101 Firefox/10.0.2"
92.101.209.111 - - [02/Jan/2013:07:26:02 +0000] "GET /browserToolbarGetData?v=2 HTTP/1.1" 404 493 "-" "MailRuSputnik"
188.134.36.75 - - [02/Jan/2013:07:26:22 +0000] "GET /browserToolbarGetData?v=2 HTTP/1.1" 404 519 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20100101 Firefox/17.0"

Fine, let's show this guy something.

I'm using Debian squeeze + ISPConfig, but these commands should apply to any Linux platform such as CentOS, Ubuntu, etc.
The simple and always best solution is to let Fail2ban take care of this task.
Fail2ban basically works by matching a regexp against given log files and applying an action if the wanted match occurs more than a given number of times in a given time window. This is done with two configuration files:

  • Filters
  • Local Jail

Filters define the "fail" regexp that matches scanning attempts in the logs, while the "jail" defines the parameters that trigger the ban, along with the filter name and the logs to be scanned (this last parameter accepts the wildcard *, e.g. /var/log/apache*/*access.log).

In this case we want, for example, to create a filter that handles whatever generates 404 HTTP responses, so let's create a new file which will contain our filter:

nano /etc/fail2ban/filter.d/apache-404.conf

This file will contain the following content:

# Fail2Ban configuration file
#
# Author: Giuseppe Urso
#
# $Revision: 728 $
#

[Definition]

# <HOST> is fail2ban's placeholder for the client address (it is expanded into a
# named "host" group before the regexp is compiled, and fail2ban refuses a filter
# without that group); the rest matches the request part of a combined-format
# access-log line that ended in a 404.
failregex = ^<HOST> .+ 404 [0-9]+ "
ignoreregex =

As you can see, the failregex uses fail2ban's <HOST> placeholder, which matches the client IP address, followed by the 404 HTTP response given by apache2.
Now save this file with "CTRL" + "o", then "Enter", and exit nano with "CTRL" + "x".

Now open and edit the jail.local file, which will define this new jail as apache-404:

nano /etc/fail2ban/jail.local

At the end of this file, let’s add our definitions as follows:

[apache-404]
enabled = true
port = http,https
filter = apache-404
logpath = /var/log/apache2/*access.log
bantime = 3600
findtime = 600
maxretry = 10

It's clear enough, but I would like you to pay attention to maxretry, which I set quite high: a normal visitor could mess up directory and/or file names, leading to this very error. Since it usually takes me some tries to understand what's going on, I left this number high so that users will not cut themselves out.
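To see what the filter and jail above will actually do before restarting the daemon, here is an added Python example (not part of the original post and not fail2ban's own code) that expands the <HOST> placeholder the way fail2ban 0.8 does, runs the failregex over a few constructed access-log lines, and applies the jail's maxretry/findtime sliding window. The IPs, paths and the "scanner/1.0" user agent are made up.

```python
import re
from datetime import datetime, timedelta, timezone
# fail2ban 0.8 expands the <HOST> shortcut to this expression before compiling the filter
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
FAILREGEX = r'^<HOST> .+ 404 [0-9]+ "'   # the apache-404 failregex from the article
APACHE_TS = re.compile(r"\[([^\]]+)\]")   # the [02/Jan/2013:07:25:58 +0000] field

def compile_failregex(failregex):
    """Mimic fail2ban's substitution; it rejects filters without a 'host' group."""
    pattern = re.compile(failregex.replace("<HOST>", HOST_RE), re.MULTILINE)
    if "host" not in pattern.groupindex:
        raise ValueError("No 'host' group in failregex")
    return pattern

def parse_line(pattern, line):
    """Return (host, timestamp) for a matching access-log line, else None."""
    match = pattern.search(line)
    if match is None:
        return None
    stamp = datetime.strptime(APACHE_TS.search(line).group(1), "%d/%b/%Y:%H:%M:%S %z")
    return match.group("host"), stamp

def bans(pattern, lines, maxretry=10, findtime=600):
    """Ban a host once it has maxretry matches inside a sliding window of findtime seconds."""
    window = timedelta(seconds=findtime)
    recent, banned = {}, []
    for line in lines:
        parsed = parse_line(pattern, line)
        if parsed is None:
            continue  # 200/403 lines never count towards this jail
        host, stamp = parsed
        hits = [t for t in recent.get(host, []) if stamp - t <= window] + [stamp]
        recent[host] = hits
        if len(hits) >= maxretry and host not in banned:
            banned.append(host)
    return banned

def sample_log():
    """Constructed access-log lines (documentation IP ranges) modelled on the article's entries."""
    fmt = '{ip} - - [{ts}] "GET {path} HTTP/1.1" {code} 493 "-" "scanner/1.0"'
    base = datetime(2013, 1, 2, 7, 25, 58, tzinfo=timezone.utc)
    def line(ip, offset, path, code):
        ts = (base + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return fmt.format(ip=ip, ts=ts, path=path, code=code)
    scanner = [line("203.0.113.7", 30 * i, "/browserToolbarGetData?v=2", 404) for i in range(12)]
    visitor = [line("198.51.100.4", 5, "/wp-admin/", 403), line("198.51.100.4", 40, "/old-page/", 404)]
    return scanner + visitor
if __name__ == "__main__":
    print(bans(compile_failregex(FAILREGEX), sample_log()))  # ['203.0.113.7']
```

The real tool for the matching half of this check is fail2ban-regex, run as `fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/apache-404.conf`, which reports which lines matched and which hosts were extracted.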

Now save with "CTRL" + "o", then "Enter", and close nano with "CTRL" + "x".

Now it's time to restart fail2ban and check in its log whether everything is fine or something went wrong.

service fail2ban restart
Restarting authentication failure monitor: fail2ban

Then, with the following command, we will look at the last part of the fail2ban log to see how the restart went.

less /var/log/fail2ban.log

Then move to the end of the file by typing "SHIFT" + "G".
You should see something similar to this:

2013-01-02 07:50:44,845 fail2ban.filter : INFO   Added logfile = /var/log/apache2/site.com/access.log
2013-01-02 07:50:45,070 fail2ban.jail   : INFO   Jail 'apache-403' started

Should you see a warning regarding one of the log files, it is probably missing (a new website or a misconfigured duplicated site); just touch the file with the command

touch /var/log/apache2/missing.log

Then restart fail2ban, look at the log again and fix all the missing log files, if any.
At this point we are ready to see it in action. Let's wait for some script kiddie trying some downloaded wannabe server-cracking software. 🙂
We can watch the fail2ban log live by typing:

tail -F /var/log/fail2ban.log

Now, if someone is trying to buzz our server, you should see:

2013-01-02 07:50:50,300 fail2ban.actions: WARNING [apache-404] Ban 91.205.162.2
2013-01-02 07:51:46,399 fail2ban.actions: WARNING [apache-404] Ban 95.153.162.136
2013-01-02 07:52:38,492 fail2ban.actions: WARNING [apache-404] Ban 176.222.154.49
2013-01-02 07:52:58,547 fail2ban.actions: WARNING [apache-404] Ban 2.76.117.247

Job done.
You can repeat these steps for any of the frequent errors you see; just think about who might potentially be cut off. If you cut yourself out, just restart fail2ban from the console.

P.S. For better security, remember to also take a look at the file "other_vhosts_access.log" in the /var/log/apache2 directory, as sometimes a virtualhost configuration can miss this parameter and then all log entries go into this generic log.
Any comment to improve this post is very much appreciated.
Ciao! 


Author: Giuseppe Urso

Giuseppe lives in Haarlem now with his shiny dog, Filippa. In 1982 he received his first home computer, a Commodore 64, followed by a Datasette and a 1541 floppy disk drive. In 1999 he installed his first Linux distro (LRH6). In 2006 he switched to Debian as his favourite OS. Giuseppe Urso actively supports the Free Software Foundation and its founder Richard Matthew Stallman; he talks to people trying to convince them to join the fight now, and about how important it is to use only Free Software. He works as an Infra Specialist at Hippo Enterprise Java CMS, an open-source enterprise-class content management system and one of the coolest companies ever, in Amsterdam. He's always ready to install Debian on other people's computers for free.

4 thoughts on “Securing WordPress (or any site) with fail2ban: prevent vuln scanners, flood and bruteforce attack”

  1. 2013-10-02 15:12:33,831 fail2ban.filter : ERROR Unable to compile regular expression '(?P[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}) .+ 404 [0-9]+ "'

  2. Between (?P and [0-9] must be HOST in angle brackets (where the asterisks are below). This page disallows the correct version by stripping out what it sees as an HTML tag.

    (?P<HOST>[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}) .+ 404 [0-9]+ "
