Install and configure fail2ban

Fail2ban is a server-based intrusion prevention daemon that prevents brute-force attacks by scanning server log files for authentication errors. When combined with the WP Fail2Ban Redux plugin, it can also detect and block unwanted WordPress login behaviour:

  • WordPress Hard – immediately blocking all IP addresses that match malicious patterns.
  • WordPress Soft – evaluating all behaviour (i.e. user logins) against known patterns and selectively blocking based on repeated attempts.

There are several steps to installing fail2ban:

Step 1. Install fail2ban on your server

sudo apt-get install fail2ban -y

Enable and start the fail2ban daemon:

sudo systemctl enable --now fail2ban

Configure the ufw firewall to allow SSH traffic to your server:

sudo ufw allow ssh

Step 2. Configure fail2ban

Fail2ban depends on a few different files and directories, which are:

  • fail2ban.conf – the main configuration file
  • jail.conf – a sample jail configuration
  • action.d – contains various fail2ban actions configurations for things like mail and firewall
  • jail.d – contains additional fail2ban jail configurations

You will need to create a new jail.local file for your customised configuration:

sudo touch /etc/fail2ban/jail.local

Open this file with the nano text editor:

sudo nano /etc/fail2ban/jail.local

Edit the file to reflect the following:

[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
findtime = 300
bantime = 28800
ignoreip = 127.0.0.1

Restart the fail2ban service to load the new configuration:

sudo systemctl restart fail2ban
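The four jail parameters above interact in a way that is easy to misjudge: a ban fires only when maxretry failures from one address fall inside a single findtime window, and addresses in ignoreip are never counted. The following Python is an added example, not part of fail2ban or of this guide. It replays a constructed auth.log excerpt through a simplified stand-in for the sshd filter (only the "Failed password" pattern is matched, and lines from an address are skipped while it is banned, which is a simplification of how fail2ban itself counts) and reports which addresses would be banned, and until when, with the values from jail.local.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Values mirrored from the [sshd] section of jail.local above.
MAXRETRY = 3
FINDTIME = 300      # seconds
BANTIME = 28800     # seconds
IGNOREIP = {"127.0.0.1"}

# Constructed /var/log/auth.log excerpt (hostname, PIDs and addresses are made
# up; the message format is the one OpenSSH writes for password failures).
SAMPLE_AUTH_LOG = """\
Jan 10 12:00:00 web1 sshd[101]: Failed password for invalid user admin from 203.0.113.5 port 4242 ssh2
Jan 10 12:00:05 web1 sshd[102]: Failed password for invalid user test from 127.0.0.1 port 6000 ssh2
Jan 10 12:00:06 web1 sshd[102]: Failed password for invalid user test from 127.0.0.1 port 6000 ssh2
Jan 10 12:00:07 web1 sshd[102]: Failed password for invalid user test from 127.0.0.1 port 6000 ssh2
Jan 10 12:00:30 web1 sshd[103]: Failed password for root from 198.51.100.7 port 5000 ssh2
Jan 10 12:01:00 web1 sshd[104]: Failed password for invalid user admin from 203.0.113.5 port 4243 ssh2
Jan 10 12:01:30 web1 sshd[105]: Accepted publickey for deploy from 192.0.2.9 port 5100 ssh2
Jan 10 12:02:00 web1 sshd[106]: Failed password for root from 203.0.113.5 port 4244 ssh2
Jan 10 12:03:00 web1 sshd[107]: Failed password for root from 203.0.113.5 port 4245 ssh2
Jan 10 12:10:30 web1 sshd[108]: Failed password for root from 198.51.100.7 port 5001 ssh2
Jan 10 12:20:30 web1 sshd[109]: Failed password for root from 198.51.100.7 port 5002 ssh2
""".splitlines()

# Simplified stand-in for fail2ban's sshd filter: only the "Failed password"
# failregex. The real filter matches many more message variants.
FAILREGEX = re.compile(
    r"Failed password for (?:invalid user )?\S+ from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2"
)
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$"
)


def parse_failure(line):
    """Return (timestamp, ip) for a line that matches the failure pattern, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    f = FAILREGEX.search(m.group("msg"))
    if not f:
        return None
    # Syslog timestamps carry no year; strptime fills in a default, which is fine here.
    return datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"), f.group("ip")


def simulate(lines, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME, ignoreip=IGNOREIP):
    """Replay log lines and return [(ip, ban_start, ban_end)] with HH:MM:SS strings."""
    window = timedelta(seconds=findtime)
    failures = defaultdict(deque)   # ip -> timestamps of failures inside findtime
    banned_until = {}               # ip -> when the ban expires
    bans = []
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ts, ip = parsed
        if ip in ignoreip:
            continue                # ignoreip addresses are never counted
        if ip in banned_until and ts < banned_until[ip]:
            continue                # simplification: a banned host is not recounted
        recent = failures[ip]
        recent.append(ts)
        while recent and ts - recent[0] > window:
            recent.popleft()        # slide the findtime window forward
        if len(recent) >= maxretry:
            end = ts + timedelta(seconds=bantime)
            banned_until[ip] = end
            bans.append((ip, ts.strftime("%H:%M:%S"), end.strftime("%H:%M:%S")))
            recent.clear()
    return bans


if __name__ == "__main__":
    for ip, start, end in simulate(SAMPLE_AUTH_LOG):
        print(f"{ip} banned at {start} until {end}")
```

With the values from jail.local only 203.0.113.5 is banned: three failures in two minutes. The address 198.51.100.7 fails three times as well, but ten minutes apart, so it never accumulates three failures inside a 300-second window; raising findtime to 1500 seconds would ban it too, which is the trade-off to keep in mind when tuning a slow-and-low attacker out of your logs.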

Step 3. Install WordPress plugin

There are also two WordPress plugins which may be installed to enable WordPress integration with fail2ban:

Step 4. Install code snippets

Add the following code snippets to your theme's functions.php or through the Code Snippets (or Code Snippets Pro) plugin:

wp_fail2ban_redux_block_user_enumeration

// Block user enumeration attempts.
add_filter( 'wp_fail2ban_redux_block_user_enumeration', '__return_true' );

wp_fail2ban_redux_blocked_users

// Block authentication attempts against these usernames.
// Returning a new array replaces the plugin's default blocked-user list.
function my_wp_fail2ban_redux_blocked_users( $usernames ) {
	return array(
		'admin', 'co', 'serviceflow', 'serviceflow.co.za', 'serviceflowcoza',
		'louis', 'test', 'support', 'demo', 'wordpress', 'testing',
	);
}
add_filter( 'wp_fail2ban_redux_blocked_users', 'my_wp_fail2ban_redux_blocked_users' );

wp_fail2ban_redux_log_pingbacks

// Log pingback requests.
add_filter( 'wp_fail2ban_redux_log_pingbacks', '__return_true' );

Operations

To stop and start the fail2ban service:

service fail2ban stop
service fail2ban start

To check on which IP addresses have been banned due to SSHD violations:

fail2ban-client status sshd

To check on which IP addresses have been banned due to WordPress-soft violations:

fail2ban-client status wordpress-soft
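Reading the status tree by eye is fine at the console, but a monitoring job wants the numbers. The following Python is an added example, not part of fail2ban or of this guide. It parses the output of fail2ban-client status into a dict; the sample status text is constructed in the tree layout the client prints, and the needs_attention helper and its threshold are hypothetical.

```python
import re

# Constructed sample of `fail2ban-client status sshd` output, laid out in the
# tree format the client prints (not captured from a real server).
SAMPLE_STATUS = """\
Status for the jail: sshd
|- Filter
|  |- Currently failed: 2
|  |- Total failed:     17
|  `- File list:        /var/log/auth.log
`- Actions
   |- Currently banned: 2
   |- Total banned:     5
   `- Banned IP list:   203.0.113.5 198.51.100.7
"""

# A leaf line looks like "|  |- Key: value" or "   `- Key: value".
ENTRY_RE = re.compile(r"^[ |`]*-\s*(?P<key>[^:]+?):\s*(?P<value>.*)$")
JAIL_RE = re.compile(r"^Status for the jail:\s*(?P<jail>\S+)$")


def parse_status(text):
    """Turn the tree-formatted status output into a flat dict.

    Numeric fields become ints and the "... list" fields become lists;
    headings without a value ("Filter", "Actions") are skipped.
    """
    result = {}
    for line in text.splitlines():
        jail = JAIL_RE.match(line)
        if jail:
            result["jail"] = jail.group("jail")
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        key, value = m.group("key").strip(), m.group("value").strip()
        if key.endswith("list"):
            result[key] = value.split()
        elif value.isdigit():
            result[key] = int(value)
        else:
            result[key] = value
    return result


def banned_ips(text):
    """Addresses currently banned in the jail the status text describes."""
    return parse_status(text).get("Banned IP list", [])


def needs_attention(text, threshold=1):
    """Hypothetical alerting check: True once the jail holds at least
    `threshold` current bans, the sort of test a cron job would run."""
    return parse_status(text).get("Currently banned", 0) >= threshold


if __name__ == "__main__":
    status = parse_status(SAMPLE_STATUS)
    print(status["jail"], "currently banned:", banned_ips(SAMPLE_STATUS))
```

In practice the text would come from running fail2ban-client status sshd (or wordpress-soft) through subprocess rather than from the embedded sample; the parser does not care which jail produced it.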

To unban a specific IP address:

fail2ban-client set sshd unbanip 1.1.1.1
fail2ban-client set wordpress-hard unbanip 1.1.1.1
fail2ban-client set wordpress-soft unbanip 1.1.1.1

To unban all IP addresses:

fail2ban-client unban --all

To stop the fail2ban server, which drops all jails:

fail2ban-client stop

That’s it, you’re done!