fail2ban config for WordPress running in Docker

This environment:

  • CentOS 7.x
  • WP 5.x
  • PHP 7.x
  • Fail2ban 0.11.x

WP/PHP running in Docker

In /etc/fail2ban/filter.d/wplogin.conf:

[Definition]
failregex = .*php7:notice.*\[client (<HOST>).*wp-admin.*Password Mismatch
ignoreregex =

Next, WordPress itself needs to report failed logins to syslog. Under $WP_HOME/plugins, create a directory, e.g. log-auth-errors, containing a file log-auth-errors.php:

$WP_HOME/plugins/log-auth-errors/log-auth-errors.php:

<?php

/*
Plugin Name: Log Auth Errors
Plugin URI: https://rmacd.com/
Description: Plugin to log authentication errors
Version: 1.0
Author: Ronald MacDonald
Author URI: https://rmacd.com/
License: GPLv3
*/

// WordPress fires wp_login_failed with the submitted username whenever a
// login attempt is rejected. The callback name is prefixed so it cannot
// collide with a function of the same name in another plugin or theme.
add_action( 'wp_login_failed', 'log_auth_errors_login_failed' );
function log_auth_errors_login_failed( $username ) {
    // Strip control characters (newlines included) so a submitted username
    // cannot break the entry into extra log lines.
    $username = preg_replace( '/[[:cntrl:]]/', '', (string) $username );
    // The wording ("wp-admin" via admin_url(), "Password Mismatch") is what the
    // fail2ban failregex above keys on.
    error_log( "user $username: authentication failure for \"" . admin_url() . "\": Password Mismatch" );
}

// No closing ?> tag: trailing whitespace after it would be sent as output and
// can trigger "headers already sent" errors in WordPress.

Then activate the plugin from the Plugins page of the WP admin. From now on each failed login is written with error_log(), which in this setup ends up in the global syslog (/var/log/messages).

To enable the jail, add the following to jail.local:

...[snip]

[wplogin]
enabled = true
port = http,https
banaction = iptables-multiport
filter = wplogin
logpath = /var/log/messages
maxretry = 3
bantime = 12h
#ignoreip = <your_network/cidr>
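As an added example (not part of the original post, and not fail2ban's own code), the following Python script replays the wplogin failregex against a few constructed syslog lines and then applies the jail's maxretry/findtime logic to them. The <HOST> expansion it uses is a simplified approximation of fail2ban's (an assumption, not the exact pattern), and the hostnames, usernames and addresses in the sample log are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The failregex from /etc/fail2ban/filter.d/wplogin.conf, verbatim.
FAILREGEX = r".*php7:notice.*\[client (<HOST>).*wp-admin.*Password Mismatch"

# fail2ban substitutes <HOST> with its own address/hostname pattern before
# compiling. This stand-in is an assumption, not fail2ban's exact expansion:
# it captures an address or hostname into the group "host" and stops at the
# ":port" suffix Apache appends after the client address.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
FILTER = re.compile(FAILREGEX.replace("<HOST>", HOST_RE))

# Timestamp prefix of a classic syslog line ("Jan  2 10:00:01 ...").
SYSLOG_TS = re.compile(r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) ")

# Constructed sample log, in the shape a Dockerised Apache/mod_php container
# produces when the plugin calls error_log(). Two lines (sshd, a PHP notice
# without "Password Mismatch") are there to show what the filter ignores.
SAMPLE_LOG = """\
Jan  2 09:40:00 web docker/wp[4321]: [php7:notice] [pid 24] [client 10.0.0.7:40000] user editor: authentication failure for "https://blog.example/wp-admin/": Password Mismatch
Jan  2 09:41:30 web docker/wp[4321]: [php7:notice] [pid 24] [client 10.0.0.7:40001] user editor: authentication failure for "https://blog.example/wp-admin/": Password Mismatch
Jan  2 10:00:01 web docker/wp[4321]: [php7:notice] [pid 23] [client 1.2.3.4:51111] user admin: authentication failure for "https://blog.example/wp-admin/": Password Mismatch
Jan  2 10:00:03 web sshd[999]: Failed password for root from 203.0.113.9 port 2222 ssh2
Jan  2 10:00:04 web docker/wp[4321]: [php7:notice] [pid 23] [client 1.2.3.4:51112] user admin: authentication failure for "https://blog.example/wp-admin/": Password Mismatch
Jan  2 10:00:06 web docker/wp[4321]: [php7:notice] [pid 24] [client 10.0.0.7:40002] user editor: authentication failure for "https://blog.example/wp-admin/": Password Mismatch
Jan  2 10:00:07 web docker/wp[4321]: [php7:notice] [pid 24] [client 10.0.0.7:40003] PHP Notice:  Undefined variable: foo in /var/www/html/wp-content/themes/x/functions.php on line 12
Jan  2 10:00:09 web docker/wp[4321]: [php7:notice] [pid 23] [client 1.2.3.4:51113] user administrator: authentication failure for "https://blog.example/wp-admin/": Password Mismatch
"""


def parse_ts(line):
    """Parse the syslog timestamp (year defaults to 1900, fine for windowing)."""
    m = SYSLOG_TS.match(line)
    return datetime.strptime(m.group("ts"), "%b %d %H:%M:%S") if m else None


def matching_hosts(lines):
    """Return the <host> captured from every line the filter matches, in order."""
    hosts = []
    for line in lines:
        m = FILTER.search(line)
        if m:
            hosts.append(m.group("host"))
    return hosts


def hosts_to_ban(lines, maxretry=3, findtime=600):
    """Apply the jail's counting rule: a host is banned once it has maxretry
    matching lines within a sliding window of findtime seconds (fail2ban's
    default findtime is 10 minutes). Returns hosts in the order they got banned."""
    recent = defaultdict(list)
    banned = []
    window = timedelta(seconds=findtime)
    for line in lines:
        m = FILTER.search(line)
        if not m:
            continue
        host, ts = m.group("host"), parse_ts(line)
        # Keep only the failures that still fall inside the findtime window.
        recent[host] = [t for t in recent[host] if ts - t <= window] + [ts]
        if len(recent[host]) >= maxretry and host not in banned:
            banned.append(host)
    return banned


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("matches:", matching_hosts(lines))
    print("banned (maxretry=3, findtime=600):", hosts_to_ban(lines))
    print("banned (maxretry=3, findtime=3600):", hosts_to_ban(lines, findtime=3600))
```

With the jail's maxretry = 3, only 1.2.3.4 is banned: 10.0.0.7 also has three failures, but two of them are older than the default findtime, so they have aged out by the time the third arrives. Against the real log and filter, the authoritative check is `fail2ban-regex /var/log/messages /etc/fail2ban/filter.d/wplogin.conf`, which reports how many lines matched and which hosts were extracted.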

After restarting fail2ban, verify that offending IPs are being picked out of the log:

# fail2ban-client status wplogin
Status for the jail: wplogin
|- Filter
|  |- Currently failed: 7
|  |- Total failed:     7
|  `- Journal matches:  
`- Actions
   |- Currently banned: 1
   |- Total banned:     1
   `- Banned IP list:   1.2.3.4

… and check that iptables has picked up the ban entries:

# iptables -L -n
... [snip]
Chain f2b-wplogin (1 references)
target     prot opt source               destination         
REJECT     all  --  1.2.3.4              0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

NB

Note that on this flavour of CentOS, I also needed to add the following to my jail.local (YMMV):

[DEFAULT]
banaction = firewallcmd-ipset
backend = systemd