Install and configure fail2ban

Fail2ban is a server-based intrusion prevention daemon which prevents brute-force attacks by scanning server log files for authentication errors. When combined with the WP Fail2Ban Redux plugin, it can also detect and block behaviour from unwanted WordPress logins:

WordPress Hard – immediately blocking all IP addresses that match malicious patterns.
WordPress Soft – evaluating all behaviour (ie. user logins) against known patterns and selectively blocking based on repeated attempts.

There are several steps to installing fail2ban:

Table of Contents

Step 1. Install fail2ban on your server
Step 2. Configure fail2ban
Step 3. Install WordPress plugin
Step 4. Install code snippets
Operations

Step 1. Install fail2ban on your server

sudo apt-get install fail2ban -y

Enable and start the fail2ban daemon:

sudo systemctl enable --now fail2ban

Configure the service firewall to allow SSH traffic to your server:

sudo ufw allow ssh

Step 2. Configure fail2ban

Fail2ban depends on a few different files and directories, which are:

fail2ban.conf – the main configuration file
jail.conf – a sample jail configuration
action.d – contains various fail2ban actions configurations for things like mail and firewall
jail.d – contains additional fail2ban jail configurations

You will need to create a new jail.local file for your customised configuration:

sudo touch /etc/fail2ban/jail.local

Open this file with the nano text editor:

sudo nano /etc/fail2ban/jail.local

Edit the file to reflect the following:

[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
findtime = 300
bantime = 28800
ignoreip = 127.0.0.1

Restart the fail2ban service to load the new configuration:

sudo systemctl restart fail2ban

Step 3. Install WordPress plugin

There are also two WordPress plugins which may be installed to enable WordPress integration with fail2ban:

WP Fail2Ban Redux by Brandon Allen (recommended)
WP fail2ban – Advanced Security Plugin by Charles Lecklider

Step 4. Install code snippets

Add the following code snippet to functions.php or through the Code Snippets (or Code Snippets Pro) plugin:

wp_fail2ban_redux_block_user_enumeration

// Block user enumeration attempts.
add_filter( 'wp_fail2ban_redux_block_user_enumeration', '__return_true' );

wp_fail2ban_redux_blocked_users

// Block authentication attempts against the 'admin' user.
function my_wp_fail2ban_redux_blocked_users( $usernames ) {
	return array(
		'admin','co','serviceflow', 'serviceflow.co.za', 'serviceflowcoza', 'louis', 'test', 'support', 'demo', 'wordpress', 'testing', 
	);
}
add_filter( 'wp_fail2ban_redux_blocked_users', 'my_wp_fail2ban_redux_blocked_users' );

wp_fail2ban_redux_log_pingbacks

// Log pingback requests.
add_filter( 'wp_fail2ban_redux_log_pingbacks', '__return_true' );

Operations

To stop and start the fail2ban service:

service fail2ban stop
service fail2ban start

To check on which IP addresses have been banned due to SSHD violations:

fail2ban-client status sshd

To check on which IP addresses have been banned due to WordPress-soft violations:

fail2ban-client status wordpress-soft

To unban a specific IP address:

fail2ban-client set sshd unbanip 1.1.1.1
fail2ban-client set wordpress-hard unbanip 1.1.1.1
fail2ban-client set wordpress-soft unbanip 1.1.1.1

To unban all IP addresses:

fail2ban-client unban -all

To drop all jails:

fail2ban-client stop

That’s it, you’re done!