
Setting up Fail2Ban to protect against password guessing

[Virtual servers]
Date of publication: 27.01.2023

The Fail2Ban service blocks the IP addresses of bots that guess passwords for your site. This kind of attack has become common recently, because a large number of POST requests puts a significant load on the web server. In our examples we will look at blocking IP addresses for the popular CMS WordPress, and also for the SSH service.

1. Install the Fail2Ban service

1.1 Enable the EPEL repository

yum install epel-release

then make sure the repository is enabled in /etc/yum.repos.d/epel.repo (enabled=1) and install the package:

yum install fail2ban

2. General settings

The Fail2ban service stores its configuration files in the /etc/fail2ban directory. The file jail.conf holds the default values. Since package updates may overwrite this file, we should not edit it. Instead, we will create a new file called jail.local. Any value defined in jail.local overrides the value in jail.conf.

jail.conf contains a [DEFAULT] section, followed by sections for individual services. jail.local can override any of these values. Additionally, the files in /etc/fail2ban/jail.d/ can be used to override the settings in both of these files. The files are applied in the following order:

     /etc/fail2ban/jail.conf
     /etc/fail2ban/jail.d/*.conf, alphabetically
     /etc/fail2ban/jail.local
     /etc/fail2ban/jail.d/*.local, alphabetically

Let's add the following default settings to the /etc/fail2ban/jail.local file (create it if it does not exist):

[DEFAULT]

# Ban hosts for one hour:
bantime = 3600

# Override /etc/fail2ban/jail.d/00-firewalld.conf:
banaction = iptables-multiport

[sshd]
enabled = true

Let's restart the service

service fail2ban restart

Let's check the status with the command

fail2ban-client status

3. WordPress filter

Let's add a filter and a rule (jail) that blocks an IP address which accessed /wp-login.php (the WordPress login page) more than 10 times within 10 minutes.

3.1 Filter

/etc/fail2ban/filter.d/wordpress.conf

[Definition]

failregex = ^<HOST> .* "POST .*/wp-login.php([/\?#\\].*)? HTTP/.*" 200
ignoreregex =

Fail2Ban uses this filter to pick out of the access log the IP addresses (the <HOST> part of the pattern) of clients that POST to /wp-login.php.

3.2 Add jail

/etc/fail2ban/jail.d/wordpress.conf

[wordpress]
enabled = true
# the filter name is the file name in filter.d without .conf
filter = wordpress
action = iptables-multiport[name="wordpress", port="http,https"]
# continuation lines of a multi-path logpath must be indented
logpath = /var/www/vhosts/system/*/logs/*access*log
          /var/log/httpd/*access_log
# 10 matches within 600 seconds (10 minutes) trigger the ban
maxretry = 10
findtime = 600

If you are using another web server, adapt the filter to the log format it produces and set logpath to the correct path of its access log (access_log). After making changes, you must restart the service.
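To see how the filter and the jail's maxretry and findtime work together, here is an added Python example (not code from this article or from the Fail2Ban project) that applies the failregex, with the <HOST> tag Fail2Ban needs to capture the client address, to constructed access-log lines and reproduces the jail's sliding-window decision. The <HOST> substitution is a simplification of what Fail2Ban does internally, and the sample IP addresses and log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# failregex from filter.d/wordpress.conf; Fail2Ban substitutes <HOST> with its own
# address group, approximated here by a run of non-space characters (assumption)
FAILREGEX = r'^<HOST> .* "POST .*/wp-login.php([/\?#\\].*)? HTTP/.*" 200'
FAIL_RE = re.compile(FAILREGEX.replace("<HOST>", r"(?P<host>\S+)"))
TIME_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2})")

def parse_line(line):
    """Return (host, timestamp) when the filter matches the line, else None."""
    m = FAIL_RE.search(line)
    if m is None:
        return None
    stamp = datetime.strptime(TIME_RE.search(line).group(1), "%d/%b/%Y:%H:%M:%S")
    return m.group("host"), stamp

def hosts_to_ban(lines, maxretry=10, findtime=600):
    """Sliding-window count of matches per host, the way a jail decides whom to ban."""
    recent = defaultdict(deque)  # host -> timestamps of matches still inside the window
    banned = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        host, stamp = parsed
        window = recent[host]
        window.append(stamp)
        while (stamp - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry and host not in banned:
            banned.append(host)
    return banned

def _entry(ip, hhmmss, request, status):  # constructed Apache combined-format line
    return f'{ip} - - [27/Jan/2023:{hhmmss} +0000] "{request}" {status} 512 "-" "Mozilla/5.0"'

SAMPLE_LOG = (  # constructed sample data, not a real log
    # 12 failed logins in 33 s (WordPress answers a failed POST with 200): banned
    [_entry("203.0.113.5", f"10:00:{s:02d}", "POST /wp-login.php HTTP/1.1", 200) for s in range(0, 36, 3)]
    # a successful login redirects with 302, and a GET of the form is not a guess: ignored
    + [_entry("198.51.100.7", "10:01:00", "POST /wp-login.php HTTP/1.1", 302),
       _entry("198.51.100.7", "10:01:01", "GET /wp-login.php HTTP/1.1", 200)]
    # one attempt every five minutes never reaches 10 inside a 600 s window: not banned
    + [_entry("192.0.2.9", f"10:{m:02d}:00", "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1", 200)
       for m in range(0, 60, 5)]
)
```

Calling hosts_to_ban(SAMPLE_LOG) returns ['203.0.113.5']; on a real host, fail2ban-regex with the filter file and the access log performs the matching half of this check.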
