Fail2ban is a server-based intrusion prevention daemon which prevents brute-force attacks by scanning server log files for authentication errors. When combined with the WP Fail2Ban Redux plugin, it can also detect and block behaviour from unwanted WordPress logins:
- WordPress Hard – immediately blocking all IP addresses that match malicious patterns.
- WordPress Soft – evaluating all behaviour (i.e. user logins) against known patterns and selectively blocking based on repeated attempts.
There are several steps to installing fail2ban:
Step 1. Install fail2ban on your server
sudo apt-get install fail2ban -y
Enable and start the fail2ban daemon:
sudo systemctl enable --now fail2ban
Configure the firewall (ufw) to allow SSH traffic to your server:
sudo ufw allow ssh
Step 2. Configure fail2ban
Fail2ban depends on a few different files and directories, which are:
- fail2ban.conf – the main configuration file
- jail.conf – a sample jail configuration
- action.d – contains various fail2ban actions configurations for things like mail and firewall
- jail.d – contains additional fail2ban jail configurations
You will need to create a new jail.local file for your customised configuration:
sudo touch /etc/fail2ban/jail.local
Open this file with the nano text editor:
sudo nano /etc/fail2ban/jail.local
Edit the file to reflect the following:
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
findtime = 300
bantime = 28800
ignoreip = 127.0.0.1
Restart the fail2ban service to load the new configuration:
sudo systemctl restart fail2ban
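To see what maxretry, findtime, bantime and ignoreip in the jail above mean in practice, the following added example (not part of the original page and not fail2ban's own code) replays constructed auth.log lines through the same thresholds. The regular expression is a simplified assumption standing in for fail2ban's sshd filter, and the host name, addresses and year are made up.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Values taken from the [sshd] jail above.
MAXRETRY, FINDTIME, BANTIME = 3, 300, 28800
IGNOREIP = {"127.0.0.1"}

# Simplified pattern (assumption); fail2ban's own sshd filter matches far more messages.
FAILED = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+"
)

# Constructed auth.log lines; the addresses are from documentation ranges.
SAMPLE_LOG = """\
Mar 14 10:00:01 web1 sshd[1001]: Failed password for root from 203.0.113.7 port 40122 ssh2
Mar 14 10:00:05 web1 sshd[1002]: Failed password for invalid user admin from 198.51.100.20 port 51000 ssh2
Mar 14 10:00:09 web1 sshd[1003]: Failed password for root from 127.0.0.1 port 60001 ssh2
Mar 14 10:00:10 web1 sshd[1004]: Failed password for root from 127.0.0.1 port 60002 ssh2
Mar 14 10:00:11 web1 sshd[1005]: Failed password for root from 127.0.0.1 port 60003 ssh2
Mar 14 10:01:30 web1 sshd[1006]: Failed password for root from 203.0.113.7 port 40188 ssh2
Mar 14 10:02:00 web1 sshd[1007]: Accepted password for deploy from 192.0.2.44 port 50022 ssh2
Mar 14 10:03:10 web1 sshd[1008]: Failed password for root from 203.0.113.7 port 40250 ssh2
Mar 14 10:04:00 web1 sshd[1009]: Failed password for invalid user admin from 198.51.100.20 port 51044 ssh2
Mar 14 10:06:00 web1 sshd[1010]: Failed password for invalid user admin from 198.51.100.20 port 51090 ssh2
"""

def simulate(log_text, year=2024):
    """Return {ip: (ban_start, ban_end)} for the jail settings above."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    bans = {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        if ip in IGNOREIP or (ip in bans and ts < bans[ip][1]):
            continue                # whitelisted, or already banned
        window = failures[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > FINDTIME:
            window.popleft()        # forget failures older than findtime
        if len(window) >= MAXRETRY:
            bans[ip] = (ts, ts + timedelta(seconds=BANTIME))
            window.clear()
    return bans
```

Only 203.0.113.7 ends up banned: 198.51.100.20 also fails three times, but spread over more than 300 seconds, and 127.0.0.1 is skipped because it is listed in ignoreip.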
Step 3. Install WordPress plugin
There are also two WordPress plugins which may be installed to enable WordPress integration with fail2ban:
- WP Fail2Ban Redux by Brandon Allen (recommended)
- WP fail2ban – Advanced Security Plugin by Charles Lecklider
Step 4. Install code snippets
Add the following code snippets to functions.php or through the Code Snippets (or Code Snippets Pro) plugin:
wp_fail2ban_redux_block_user_enumeration
// Block user enumeration attempts.
add_filter( 'wp_fail2ban_redux_block_user_enumeration', '__return_true' );
wp_fail2ban_redux_blocked_users
// Block authentication attempts against the listed usernames ('admin', 'test', 'demo' and so on).
// The returned array replaces whatever list was passed in via $usernames.
function my_wp_fail2ban_redux_blocked_users( $usernames ) {
    return array(
        'admin', 'co', 'serviceflow', 'serviceflow.co.za', 'serviceflowcoza', 'louis', 'test', 'support', 'demo', 'wordpress', 'testing',
    );
}
add_filter( 'wp_fail2ban_redux_blocked_users', 'my_wp_fail2ban_redux_blocked_users' );
wp_fail2ban_redux_log_pingbacks
// Log pingback requests.
add_filter( 'wp_fail2ban_redux_log_pingbacks', '__return_true' );
Operations
To stop and start the fail2ban service:
service fail2ban stop
service fail2ban start
To check on which IP addresses have been banned due to SSHD violations:
fail2ban-client status sshd
To check on which IP addresses have been banned due to WordPress-soft violations:
fail2ban-client status wordpress-soft
To unban a specific IP address:
fail2ban-client set sshd unbanip 1.1.1.1
fail2ban-client set wordpress-hard unbanip 1.1.1.1
fail2ban-client set wordpress-soft unbanip 1.1.1.1
To unban all IP addresses:
fail2ban-client unban --all
To drop all jails:
fail2ban-client stop
That’s it, you’re done!