Using Fail2ban to Protect SSH and WordPress from Brute-Force Attacks

Connecting to a server over SSH is very secure, but the SSH daemon itself must be exposed to the Internet in order to work. That makes it an easy target for a potential attacker, and the same is true of any service exposed to the network in this way. If we look at the logs of these services, we will often see repeated login attempts, which means the service is under a brute-force attack. WordPress, because of its widespread use, suffers such attacks every day.

On Linux there is a program called Fail2ban. This service identifies brute-force behaviour by analysing application logs and then automatically modifies the iptables firewall rules to block the attacker’s IP address. The process is automatic: once the Fail2ban service is configured, no manual intervention is needed. In this article, I will explain how to install and use Fail2ban on a CentOS 7 server.

Install Fail2ban on CentOS 7

The Fail2ban software is not included in the official CentOS repositories. It is packaged by the EPEL project (EPEL stands for Extra Packages for Enterprise Linux), so we need to enable the EPEL repository first.

sudo yum install epel-release

Now we should be able to install the Fail2ban package:

sudo yum install fail2ban

After the installation is complete, we need to use systemctl to enable the Fail2ban service:

sudo systemctl enable fail2ban

Customize Fail2ban settings

Fail2ban’s configuration files live in the /etc/fail2ban directory. Here we find a configuration file called jail.conf. This file may be overwritten by package upgrades, so we should not edit it directly; instead we write a custom configuration file called jail.local, and any values defined in that file override the settings in jail.conf.

jail.conf contains a [DEFAULT] section, followed by a section for each service. jail.local can override any of these values. In addition, the service-specific settings in the /etc/fail2ban/jail.d/ folder can override the settings in both files. The files are read in the following order, with later files taking precedence over earlier ones:

  1. /etc/fail2ban/jail.conf
  2. /etc/fail2ban/jail.d/*.conf, in alphabetical order
  3. /etc/fail2ban/jail.local
  4. /etc/fail2ban/jail.d/*.local, in alphabetical order

Any of these files can contain a [DEFAULT] section, which is read first, as well as sections for individual services.

First, let’s write a very simple jail.local. Open a new file with the vi editor:

sudo vi /etc/fail2ban/jail.local

Paste the following:

[DEFAULT]
# Ban hosts for one hour:
bantime = 3600

# Override /etc/fail2ban/jail.d/00-firewalld.conf:
banaction = iptables-multiport

[sshd]
enabled = true

The above configuration covers three settings: a new ban time for all services, iptables as the ban action, and enabling the sshd jail. After making the changes, we need to restart Fail2ban for them to take effect:

sudo systemctl restart fail2ban

There should be no output when the command completes.

Other available Fail2ban settings

We may also want to adjust other Fail2ban settings. Open jail.conf and we’ll discuss some of the defaults. If you need to change any of these values, copy them to jail.local and adjust them there instead of modifying the default file directly.

sudo vi /etc/fail2ban/jail.conf

Default settings for all jails

First is the [DEFAULT] section.

ignoreip = 127.0.0.1/8

This parameter tells Fail2ban to ignore traffic from certain IPs. As configured, it never bans traffic from the local machine. We can append more IPs (separated by spaces) to ignore other addresses.

bantime = 600

The bantime parameter sets how long an IP stays banned, in seconds. The default is 600 seconds, which is 10 minutes.

findtime = 600
maxretry = 3

The next two parameters to note are findtime and maxretry. Together they determine the conditions under which an IP is banned.

maxretry sets the number of failed attempts an IP is allowed within findtime before it is banned. By default, Fail2ban bans IPs that fail to log in 3 times within 10 minutes.

destemail = root@localhost
sendername = Fail2Ban
mta = sendmail

If we want email alerts, we need to override the destemail, sendername and mta settings. destemail is the address to which ban notifications are sent. sendername is the value of the “From” field of the email. mta sets which mail transfer agent is used to send the email.

action = %(action_)s

This parameter sets the action Fail2ban takes when it bans an IP. The default action is to configure the firewall to reject traffic from addresses that meet the ban criteria until the ban time has elapsed.

Other Jail settings

After [DEFAULT] come the jail settings for each service, which usually include a port and the path of the log to monitor. For example, the SSH jail is defined with the following settings:

[sshd]

port = ssh
logpath = %(sshd_log)s

Here, ssh is a predefined name for the standard SSH port, and %(sshd_log)s takes the value defined in Fail2ban’s standard configuration (this keeps jail.conf portable across different operating systems).

For some monitored services, you may need a separate filter that defines what counts as a failed authentication. Filters are located in the /etc/fail2ban/filter.d directory; each file contains a regular expression that determines whether a log line meets the ban criteria. The WordPress jail introduced later requires creating a new filter file.

We can see the available filters by listing the files in that directory:

ls /etc/fail2ban/filter.d

If we see a file for the service we are using, the filter can usually be used directly. For example, if we are using Nginx, we can enable [nginx-http-auth] in /etc/fail2ban/jail.local:

[DEFAULT]
# Ban hosts for one hour:
bantime = 3600

# Override /etc/fail2ban/jail.d/00-firewalld.conf:
banaction = iptables-multiport

[sshd]
enabled = true 

[nginx-http-auth]
enabled = true

Restart the Fail2ban service:

sudo systemctl restart fail2ban

View Fail2ban status and firewall settings

After setting up Fail2ban, we can check whether it is working as expected with fail2ban-client, which shows the overall service status or the status of an individual jail:

sudo fail2ban-client status
sudo fail2ban-client status jail_name

We can also list the iptables rules currently in effect to see the IPs banned by Fail2ban:

sudo iptables -L

Use Fail2ban to Prevent WordPress Brute Force Attacks

If our WordPress site has an access log, we can let Fail2ban monitor the website log to prevent WordPress brute-force attacks. A client that keeps sending POST requests to wp-login.php is generally attempting a brute-force login. Based on this, we can create the following filter, named wordpress.conf, in the /etc/fail2ban/filter.d/ folder.

# WP brute force attacks filter
[Definition]
# <HOST> is Fail2ban's placeholder for the client address; the filter needs it to know whom to ban
failregex = ^<HOST> -.*"POST /wp-login\.php
ignoreregex =

Then add the following to jail.local, where logpath is the access log path of the website.

[wordpress]
enabled = true
filter = wordpress
logpath = /home/wwwlogs/*.log
maxretry = 3
port = http,https
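As an added illustration (not code from this article or from Fail2ban itself), the following Python sketch applies the wordpress.conf failregex above and the findtime/maxretry rule described earlier to a few constructed access-log lines, showing which client would be banned and why the second client is not. The <HOST> substitution and the window logic are a hand-written approximation of what Fail2ban does; the log lines and addresses are constructed.

```python
import re
from datetime import datetime

FINDTIME = 600   # seconds; failures older than this fall out of the window
MAXRETRY = 3     # failures within FINDTIME that trigger a ban

# The wordpress.conf failregex from this article; Fail2ban expands its <HOST>
# tag into a capture group, done here by hand (hypothetical helper, not Fail2ban code).
FAILREGEX = r'^<HOST> -.*"POST /wp-login\.php'
FAIL_RE = re.compile(FAILREGEX.replace("<HOST>", r"(?P<host>\S+)"))
TIME_RE = re.compile(r"\[([^\]]+)\]")

# Constructed access-log lines in the common Nginx/Apache format.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:13:55:09 +0000] "POST /wp-login.php HTTP/1.1" 200 512
198.51.100.4 - - [10/Oct/2023:13:56:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2048
203.0.113.7 - - [10/Oct/2023:13:57:30 +0000] "POST /wp-login.php HTTP/1.1" 200 512
198.51.100.4 - - [10/Oct/2023:14:20:00 +0000] "POST /wp-login.php HTTP/1.1" 200 512
198.51.100.4 - - [10/Oct/2023:14:40:00 +0000] "POST /wp-login.php HTTP/1.1" 200 512
198.51.100.4 - - [10/Oct/2023:14:55:00 +0000] "POST /wp-login.php HTTP/1.1" 200 512
"""

def match_failure(line):
    """Return (host, timestamp) if the line matches the filter, else None."""
    m = FAIL_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(TIME_RE.search(line).group(1), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("host"), ts

def decide_bans(log_text, findtime=FINDTIME, maxretry=MAXRETRY):
    """Replay the log and return the hosts that would be banned, in order."""
    recent = {}    # host -> failure timestamps still inside the findtime window
    banned = []
    for line in log_text.splitlines():
        hit = match_failure(line)
        if hit is None:
            continue
        host, ts = hit
        # Keep only failures within findtime of this one, then add this one.
        window = [t for t in recent.get(host, []) if (ts - t).total_seconds() <= findtime]
        window.append(ts)
        if len(window) >= maxretry:
            banned.append(host)
            window = []    # the counter restarts after a ban
        recent[host] = window
    return banned
```

With the article's defaults only 203.0.113.7 is banned: 198.51.100.4 also fails three times, but its attempts are spread more than findtime apart, so they never accumulate.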

CentOS 7 uses firewalld instead of iptables, so Fail2ban may not be able to update the iptables rules. In this case, use the following two commands to disable the firewalld firewall so that iptables can be used instead.

systemctl stop firewalld
systemctl mask firewalld

Unban an IP that was banned by mistake

If our own IP address is banned by mistake, we can unban it with the following command.

fail2ban-client set wordpress unbanip 8.8.8.8

Add an IP address to the whitelist

If an IP address needs to log in frequently, we can add it to the whitelist so that it never triggers the Fail2ban rule and causes inconvenience.

fail2ban-client set wordpress addignoreip 8.8.8.8 # add the IP to the whitelist
fail2ban-client set wordpress delignoreip 8.8.8.8 # remove the IP from the whitelist

With the above settings, the server can prevent most brute-force attacks, and WordPress security moves up another level. Even so, we must not forget the basics: do not set passwords that are too simple, and store your passwords carefully to prevent leaks. Security is not only a state but also a habit. If you make a habit of paying attention to network security, you will stay secure.
