BusinessPress works with the Fail2Ban Linux utility to protect against brute-force attacks on the WordPress login form and XML-RPC.
Requirements
The first thing to check is whether BusinessPress is able to write failed logins into your Linux system's SSH login log file. The file might be:
- /var/log/auth.log
- /var/log/secure
Simply make a bad login attempt and check whether a line with your IP address was appended to the file. It should look like this:
Aug 22 08:08:47 web wordpress(your-website.com)[14410]: BusinessPress fail2ban login error – Authentication failure for test from 10.11.12.13
Installation steps
Fail2Ban
Use your Linux distribution's package manager to install Fail2Ban. It should be:
sudo apt install fail2ban
Or
sudo yum install fail2ban
If your Fail2Ban comes with /etc/fail2ban/jail.d/00-firewalld.conf then we recommend commenting out each line with # as Firewalld does not seem to work with using DROP instead of REJECT. Using DROP instead of REJECT is necessary to avoid multiple malicious requests being sent over the already established TCP connection.
To get that, change blocktype = REJECT --reject-with icmp-port-unreachable and blocktype = REJECT --reject-with icmp6-port-unreachable to blocktype = DROP.
This has to be done in different files (some of them might not contain it) as it depends on your OS:
- /etc/fail2ban/action.d/iptables.conf
- /etc/fail2ban/action.d/iptables-common.conf
Then verify the Fail2Ban configuration:
fail2ban-client -d
There should be no errors.
WordPress Login Protection
Copy the Fail2Ban configuration files from BusinessPress to your Fail2Ban configuration:
sudo sh -c 'cd /YOUR-WEBSITE-FOLDER/wp-content/plugins/businesspress/ && cp fail2ban/wordpress.conf /etc/fail2ban/filter.d && cp fail2ban/jail.local /etc/fail2ban/jail.d/wordpress.conf && echo "All done!"'
Simply replace /YOUR-WEBSITE-FOLDER in the above command with your actual WordPress path. The command should then report “All done!”.
Next verify the Fail2Ban configuration:
fail2ban-client -d
There should be no errors. If you get:
2022-08-22 08:04:41,694 fail2ban.jailreader [4923]: WARNING Have not found any log file for wordpress jail
Then edit /etc/fail2ban/jail.d/wordpress.conf and put in the proper logpath for your SSH login log file. It might be /var/log/secure or /var/log/messages.
Finally, reload the Fail2Ban configuration:
sudo systemctl restart fail2ban
Then you should be able to see your new WordPress jail:
$ sudo fail2ban-client status
Status
|- Number of jail: 2
`- Jail list: sshd, wordpress
Now, any time you make a bad login attempt, you should see a line appended to /var/log/fail2ban.log:
$ sudo tail -f /var/log/fail2ban.log
2022-08-22 08:18:38,358 fail2ban.actions [8045]: NOTICE [wordpress] Restore Ban 95.217.144.248
2022-08-22 08:18:43,647 fail2ban.filter [8045]: INFO [wordpress] Found 185.119.81.102 - 2022-08-22 08:18:43
2022-08-22 08:18:53,661 fail2ban.filter [8045]: INFO [wordpress] Found 159.89.207.135 - 2022-08-22 08:18:53
2022-08-22 08:19:08,880 fail2ban.filter [8045]: INFO [wordpress] Found 109.43.114.167 - 2022-08-22 08:19:08
2022-08-22 08:19:20,895 fail2ban.filter [8045]: INFO [wordpress] Found 20.168.24.53 - 2022-08-22 08:19:20
2022-08-22 08:19:20,895 fail2ban.filter [8045]: INFO [wordpress] Found 20.168.24.53 - 2022-08-22 08:19:20
2022-08-22 08:19:22,097 fail2ban.filter [8045]: INFO [wordpress] Found 159.203.121.12 - 2022-08-22 08:19:22
2022-08-22 08:19:49,329 fail2ban.filter [8045]: INFO [wordpress] Found 185.119.81.98 - 2022-08-22 08:19:48
2022-08-22 08:20:19,364 fail2ban.filter [8045]: INFO [wordpress] Found 185.165.42.75 - 2022-08-22 08:20:18
2022-08-22 08:20:35,384 fail2ban.filter [8045]: INFO [wordpress] Found 51.91.220.143 - 2022-08-22 08:20:34
2022-08-22 08:20:50,602 fail2ban.filter [8045]: INFO [wordpress] Found 103.101.162.249 - 2022-08-22 08:20:50
2022-08-22 08:20:54,608 fail2ban.filter [8045]: INFO [wordpress] Found 10.11.12.13 - 2022-08-22 08:20:53
…until you make more than 12 attempts (this is set in) and get banned:
2022-08-22 08:21:50,322 fail2ban.actions [8045]: NOTICE [wordpress] Ban 10.11.12.13
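To make the detection concrete, here is an added example (not part of BusinessPress or of Fail2Ban) that parses the syslog line format shown under Requirements and replays it with a sliding window, the way a jail with maxretry counts failures per IP before banning. The pattern, the year supplied for the syslog timestamps, the 600-second findtime and the sample log lines are all assumptions constructed for this example; the plugin's own filter.d/wordpress.conf is authoritative.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the BusinessPress syslog line shown earlier on this page (assumption:
# the plugin's filter.d/wordpress.conf may be broader). Either dash is accepted.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
    r"wordpress\([^)]*\)\[\d+\]: BusinessPress fail2ban login error [\u2013-] "
    r"Authentication failure for \S+ from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)

def parse_failure(line, year=2022):
    """Return (timestamp, ip) for a matching line, else None (year is assumed)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["ip"]

def find_bans(lines, maxretry=12, findtime=600, year=2022):
    """Replay log lines; return {ip: time_of_ban} for every IP with more than
    maxretry failures inside a sliding findtime-second window (assumed 600 s)."""
    window = timedelta(seconds=findtime)
    recent, bans = defaultdict(deque), {}
    for line in lines:
        parsed = parse_failure(line, year)
        if parsed is None:          # unrelated sshd/sudo lines in auth.log
            continue
        ts, ip = parsed
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # forget failures outside the window
            q.popleft()
        if len(q) > maxretry and ip not in bans:
            bans[ip] = ts
    return bans

def _line(ts, ip):   # builds a constructed log line in the page's format
    return (f"{ts} web wordpress(your-website.com)[14410]: BusinessPress "
            f"fail2ban login error \u2013 Authentication failure for test from {ip}")

# Constructed sample log: 13 failures from 10.11.12.13 inside one minute (banned),
# 12 stale failures plus one fresh from 192.0.2.7 (not banned), one sshd line.
SAMPLE = (
    [_line(f"Aug 22 07:00:{i * 4:02d}", "192.0.2.7") for i in range(12)]
    + [_line(f"Aug 22 08:08:{i * 4:02d}", "10.11.12.13") for i in range(13)]
    + ["Aug 22 08:20:00 web sshd[4923]: Failed password for root from 192.0.2.7"]
    + [_line("Aug 22 08:30:00", "192.0.2.7")]
)
```

Running find_bans(SAMPLE) reports only 10.11.12.13, banned on its 13th failure; raising findtime far enough makes the stale 192.0.2.7 failures count again, which is why a jail's findtime matters as much as its maxretry.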
Troubleshooting
The first thing to do is to check whether the Fail2Ban jails are properly stored in iptables:
Then you can look up the IP address that got banned to ensure the rule is there:
$ sudo iptables -vnL | grep 10.11.12.13
0 0 DROP all -- * * 10.11.12.13 0.0.0.0/0
Next Steps
We also recommend blocking repeat offenders: How to block repeated offenders with BusinessPress
You can use BusinessPress as a Web Application Firewall too: How to block malicious web requests with BusinessPress