With the annoying brute force wordpress hack going round, one way to protect your site(s) would be to use fail2ban, with a configuration something like (which I’ve shamelessly lifted from http://blog.somsip.com/2011/12/protecting-apache-webservers-from-wordpress-admin-login-dictionary-attacks/ ).
The below seems to be working, and given it’s relative simplicity it’s obvious how you’d go about changing to protect other POST based scripts from brute force attacks.
As with all fail2ban rules, it’s not going to work if the attacker changes IP often (but from scanning the logs so far, it doesn’t seem to be the case that they are).
Obvious caveats :
- Users who can’t remember their password(s) will get blocked.
- It’s not going to protect you from a distributed attack (multiple IPs) very well
- You may want to perform other counter-measures (like putting Apache http authentication in for URLs matching /wp-login.php)
In /etc/fail2ban/jail.conf :
[apache-wp-login] enabled = true port = http,https filter = apache-wp-login logpath = /var/www/vhosts/*/statistics/logs/access_log maxretry = 5 findtime = 120
And In /etc/fail2ban/filter.d/apache-wp-login.conf :
[Definition] failregex = <HOST> - - .* "POST /wp-login.php HTTP/.*" 200 ignoreregex =
Where a “hacking” access.log entry looks a bit like :
220.127.116.11 - - [02/Feb/2014:12:50:01 +0000] "POST /wp-login.php HTTP/1.0" 200 4344 "-" "-"