Today and in the past few days I've often been flooded with POST requests that look like this:

103.19.180.119 - - [09/Jul/2015:10:50:02 +0200] "POST /wp-login.php HTTP/1.1" 403 1139
103.19.180.119 - - [09/Jul/2015:10:50:03 +0200] "POST /wp-login.php HTTP/1.1" 403 1139
103.19.180.119 - - [09/Jul/2015:10:50:04 +0200] "POST /wp-login.php HTTP/1.1" 403 1139
103.19.180.119 - - [09/Jul/2015:10:50:04 +0200] "POST /wp-login.php HTTP/1.1" 403 1139
103.19.180.119 - - [09/Jul/2015:10:50:05 +0200] "POST /wp-login.php HTTP/1.1" 403 1139
103.19.180.119 - - [09/Jul/2015:10:50:06 +0200] "POST /wp-login.php HTTP/1.1" 403 1139

To stop these attacks we found we had to install fail2ban and integrate it with CSF.

The way to do this is to install fail2ban first, from the EPEL repository:

rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
yum install fail2ban

Once installed, go to:

/etc/fail2ban

Then edit the jail.local file (create it if it does not exist yet) and add the following jail:

[wp-auth]
enabled = true
# filter.d/wp-auth.conf and action.d/csf-ip-deny.conf are created below
filter = wp-auth
action = csf-ip-deny[name=wordpress port="http,https"]
logpath = /etc/httpd/logs/access_log
# ban for 300 seconds after 3 matches within findtime (fail2ban's default findtime is 600 seconds)
bantime = 300
maxretry = 3

Once done, go to /etc/fail2ban/action.d, create a file called csf-ip-deny.conf and add the following within it:

# CSF / fail2ban integration
[Definition]
actionstart =
actionstop =
actioncheck =
# csf -d adds the IP to /etc/csf/csf.deny (the rest of the line becomes the entry's comment);
# csf -dr removes it again when the ban expires. <ip> and <name> are filled in by fail2ban.
actionban = csf -d <ip> Added by Fail2Ban for <name>
actionunban = csf -dr <ip>

[Init]

name = default

After that, go to /etc/fail2ban/filter.d, create a file called wp-auth.conf and add the following within it:

# WordPress brute force auth filter: /etc/fail2ban/filter.d/wp-auth.conf
#
# Block IPs hammering the WordPress login (POST /wp-login.php answered with 403)
#
# Matches e.g.
# 103.19.180.119 - - [09/Jul/2015:10:50:02 +0200] "POST /wp-login.php HTTP/1.1" 403 1139
#
# Note the quoting: in access_log the status code comes after the closing quote of the
# request line, so the closing quote in the regex must sit before the 403, not after it.
# The action (csf-ip-deny) is set in the jail, not in the filter.
[Definition]
failregex = ^<HOST> .* "POST .*wp-login\.php HTTP/1\.1" 403
ignoreregex =

Once done, restart fail2ban:

service fail2ban restart

And now you should find the attacking IPs being blocked within the CSF deny list (/etc/csf/csf.deny). 🙂
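To see what the jail actually does before pointing it at the live log, here is an added example (my own Python, not part of the original post and not fail2ban code) that runs the wp-auth failregex over constructed access_log lines and applies the jail's maxretry=3 / bantime=300 logic with findtime left at fail2ban's default of 600 seconds. The `<HOST>` stand-in, the sample lines and the `bans` bookkeeping are assumptions of this example; it also shows that a closing quote placed after the status code never matches an access_log line.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# fail2ban expands <HOST> itself; a plain IPv4 group stands in for it here (assumption).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# failregex from wp-auth.conf: the 403 sits OUTSIDE the quoted request line.
FAILREGEX = re.compile(r"^" + HOST + r' .* "POST .*wp-login\.php HTTP/1\.1" 403')
# Same pattern with the quote placed after the status code: can never match access_log.
MISQUOTED = re.compile(r"^" + HOST + r' .* "POST .*wp-login\.php HTTP/1\.1 403"')
TIMESTAMP = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]")

# Constructed access_log lines (documentation IPs) in the format of the excerpt above.
SAMPLE_LOG = """\
192.0.2.10 - - [09/Jul/2015:10:50:02 +0200] "POST /wp-login.php HTTP/1.1" 403 1139
198.51.100.7 - - [09/Jul/2015:10:50:02 +0200] "GET /wp-login.php HTTP/1.1" 200 2930
192.0.2.10 - - [09/Jul/2015:10:50:03 +0200] "POST /wp-login.php HTTP/1.1" 403 1139
198.51.100.7 - - [09/Jul/2015:10:50:03 +0200] "POST /wp-login.php HTTP/1.1" 200 2930
192.0.2.10 - - [09/Jul/2015:10:50:04 +0200] "POST /wp-login.php HTTP/1.1" 403 1139
192.0.2.10 - - [09/Jul/2015:10:50:04 +0200] "POST /wp-login.php HTTP/1.1" 403 1139
198.51.100.7 - - [09/Jul/2015:10:50:05 +0200] "POST /blog/wp-login.php HTTP/1.1" 403 1139
""".splitlines()

def failures(lines, regex=FAILREGEX):
    """Return (host, timestamp) for every line the failregex matches."""
    found = []
    for line in lines:
        m = regex.search(line)
        if m:
            stamp = TIMESTAMP.search(line).group(1)
            found.append((m.group("host"), datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S")))
    return found

def bans(lines, maxretry=3, findtime=600, bantime=300):
    """Mimic the jail: ban a host on its maxretry-th match within findtime seconds,
    ignore its hits while the ban lasts (CSF drops them), return (host, ban_start)."""
    recent, banned_until, events = defaultdict(list), {}, []
    for host, when in failures(lines):
        if host in banned_until and when < banned_until[host]:
            continue  # still banned: CSF is dropping this host, nothing to count
        recent[host] = [t for t in recent[host] if when - t <= timedelta(seconds=findtime)]
        recent[host].append(when)
        if len(recent[host]) >= maxretry:
            events.append((host, when))  # this is where actionban (csf -d) would fire
            banned_until[host] = when + timedelta(seconds=bantime)
            recent[host] = []
    return events
```

Against the real log the equivalent check is `fail2ban-regex /etc/httpd/logs/access_log /etc/fail2ban/filter.d/wp-auth.conf`, which reports how many lines the failregex matched.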