Ban bruteforce attempts
Hi.
I have a VPS with nginx + php-fpm + WordPress. /wp-login.php receives about 3 POST requests per second. There are 2 issues I'd like to address: server load, which is ~0.70 instead of the usual ~0.10, and user account security.
The attack is distributed. Today:
# grep wp-login /var/log/nginx/site.access.log | sort | awk '{print $1}' | uniq | wc -l
917
Yesterday:
# grep wp-login /var/log/nginx/site.access.log.1 | sort | awk '{print $1}' | uniq | wc -l
2159
While only admins are usually logged in.
Any ideas how to ban these requests?
Comments
Not sure how to do it at the server level, but using reCaptcha seems to keep my login forms safe.
if you're using wordpress you can install this plugin:
http://wordpress.org/plugins/wp-fail2ban/
This will write WordPress login attempts to auth.log, meaning fail2ban will ban the brute-forcing IPs. (You need to install fail2ban too, of course.)
May take a look at that, thanks!
WordPress Bullet Proof Security is good too.
WordPress Bullet Proof Security uses .htaccess, which is a problem with nginx.
http://wordpress.org/extend/plugins/login-security-solution/
simple http://www.bad-neighborhood.com/login-lockdown.html
description:
Login LockDown records the IP address and timestamp of every failed WordPress login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, then the login function is disabled for all requests from that range. This helps to prevent brute force password discovery. Currently the plugin defaults to a 1 hour lock out of an IP block after 3 failed login attempts within 5 minutes. This can be modified via the Options panel. Administrators can release locked out IP ranges manually from the panel.
Throw up an htaccess auth user/pw prompt for wp-login.php. Problem solved, you can even use some simple username and password
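Since the original poster is on nginx, where .htaccess is not read, the equivalent of the htaccess prompt suggested above is an `auth_basic` block in the server config. The following is an added example, not config from the thread; the htpasswd path, the zone name, the php-fpm socket path and the rate values are assumptions and must be adapted to the server.

```nginx
# Added example (not from the thread): protect wp-login.php on nginx with
# HTTP basic auth plus a per-client request-rate limit.

# Must live in the http {} context, outside server {}.
# $binary_remote_addr keys the limit on the client IP; 10m of shared memory
# holds state for roughly 160k addresses.  1 request/second is plenty for a
# human logging in and far below the ~3 POST/s the thread describes.
limit_req_zone $binary_remote_addr zone=wplogin:10m rate=1r/s;

server {
    # ... existing server block (root, index, generic \.php$ location ...) ...

    # An exact-match location wins over the regex \.php$ location, so the
    # fastcgi directives have to be repeated here or PHP is never invoked.
    location = /wp-login.php {
        # First barrier: a second credential pair the bots do not have.
        # Create the file with: htpasswd -c /etc/nginx/wp-login.htpasswd <user>
        auth_basic           "Restricted";
        auth_basic_user_file /etc/nginx/wp-login.htpasswd;   # assumed path

        # Second barrier: throttle whatever gets past basic auth.  burst=5
        # lets a real user submit the form a few times quickly; nodelay
        # rejects (503) instead of queueing once the burst is used up.
        limit_req zone=wplogin burst=5 nodelay;

        # Hand the request to php-fpm exactly as the generic PHP block does.
        include        fastcgi_params;
        fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass   unix:/run/php-fpm.sock;                # assumed socket
    }
}
```

Two caveats: if the site sits behind a CDN or reverse proxy, `$binary_remote_addr` is the proxy's address and the limit must be keyed on the real client IP instead (via the `realip` module); and basic auth covers only wp-login.php, so if xmlrpc.php is reachable it still accepts credentials and needs the same treatment.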
The most effective and simplest solution to this, IMHO, is to set up a plugin that adds an additional login delay for each successive wrong attempt.
I don't use wordpress but I would be surprised if there wasn't a plugin that does this like there is for drupal.
I'm not a big fan of fail2ban. Unless you use it every day, the filtering is kind of crude, proprietary and a bit tricky to set up. Filtering quite often gets broken after application updates with no errors generated, so I have found attacks end up no longer blocked without my knowledge. I only use it for SSH and sometimes for a couple of other things, but that is because I use that every day, so I took the time to get the filtering set up the way I need it.
You may also use fail2ban to analyze the webserver log.
Normal visit to login page leaves
GET ... 200
Successful login leaves
POST ... 302
Failed login leaves
POST ... 200
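The heuristic in the comment above (a POST to wp-login.php answered with 200 is a failed login, a 302 is a successful one) together with the lockout rule quoted from Login LockDown earlier in the thread (3 failures within 5 minutes from one source triggers a lockout) is exactly fail2ban's failregex plus maxretry/findtime. The following is an added example, not code from the thread, from fail2ban or from any plugin, that applies that logic to constructed nginx access-log lines so the rule can be checked against real logs before a filter goes live. The IPs, timestamps and log lines are made up, and the failregex in the comment is an illustration of what the matching fail2ban filter would look like.

```python
"""Find IPs to ban from nginx access logs using the thread's heuristic:
    GET  /wp-login.php -> 200   normal visit to the form
    POST /wp-login.php -> 302   successful login (redirect to wp-admin)
    POST /wp-login.php -> 200   failed login (form re-rendered with an error)
Added example, not from the thread.  Mirrors fail2ban's maxretry/findtime.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# nginx "combined" log format: ip - user [time] "method path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Illustrative fail2ban equivalent for a filter.d/*.conf (assumption, check
# it with fail2ban-regex against your own log before enabling the jail):
#   failregex = ^<HOST> \S+ \S+ \[.*\] "POST /wp-login\.php[^"]*" 200

# Constructed sample log.  One real admin (203.0.113.5), one fast bot
# (198.51.100.7) and one slow bot (192.0.2.9) that stays under the window.
SAMPLE_LOG = """\
192.0.2.9 - - [10/Oct/2013:13:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "curl/7.30"
192.0.2.9 - - [10/Oct/2013:13:30:00 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 4321 "-" "curl/7.30"
203.0.113.5 - - [10/Oct/2013:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2013:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2013:13:56:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "python-requests/2.0"
198.51.100.7 - - [10/Oct/2013:13:56:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "python-requests/2.0"
198.51.100.7 - - [10/Oct/2013:13:56:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "python-requests/2.0"
198.51.100.7 - - [10/Oct/2013:13:56:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "python-requests/2.0"
192.0.2.9 - - [10/Oct/2013:14:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "curl/7.30"
"""


def parse_line(line):
    """Return (ip, datetime, method, path, status), or None if the line is
    not in combined format (so a stray line never crashes the scan)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return (m.group("ip"), ts, m.group("method"), m.group("path"),
            int(m.group("status")))


def is_failed_login(method, path, status):
    """The thread's rule.  The path may carry a query string
    (?redirect_to=...), so compare only the script part."""
    script = path.split("?", 1)[0]
    return script == "/wp-login.php" and method == "POST" and status == 200


def find_bans(lines, maxretry=3, findtime=timedelta(minutes=5)):
    """Return {ip: time_of_ban}: the first moment an IP accumulates
    maxretry failed logins inside a sliding findtime window.  Lines are
    assumed to be in time order, as an access log is.  Lines from an
    already banned IP are ignored, as the firewall would drop them."""
    window = defaultdict(deque)
    bans = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if ip in bans or not is_failed_login(method, path, status):
            continue
        q = window[ip]
        q.append(ts)
        while q and ts - q[0] > findtime:   # expire failures outside the window
            q.popleft()
        if len(q) >= maxretry:
            bans[ip] = ts
    return bans


if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG.splitlines()).items():
        print(f"ban {ip} at {when:%H:%M:%S}")
```

Running it bans only 198.51.100.7; the slow bot 192.0.2.9 never has 3 failures inside 5 minutes, which is the usual blind spot of this kind of rule and the reason the thread's distributed attack (917 source IPs in a day) needs a second control such as basic auth or a captcha in front of the form. Two more caveats before turning this into a jail: a POST that returns 200 is not always a failed password (the lost-password form on the same script also answers 200), and behind a CDN or proxy the first field is the proxy's address, so the real client IP has to be logged instead.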