This is really interesting. I like the way it works. It has every instance of WordPress with the plugin installed log auth failures to the auth log.

I'm definitely going to look into this, but one issue I wrestle with a lot is vulnerable plugins (so adding another plugin is not super exciting). What I'm interested in doing is using WordPress probes in the HTTP log as a way to identify hosts that are running scripts to search for vulnerabilities and cut them off completely from all services, not just HTTP.

Does anybody have a framework for something like this?

For example, a call from a host that references some plugin on my site that isn't installed is a dead giveaway that it's a probe. I want to lock that host out of all services on my server for x amount of time.
At 05:17 AM 10/25/2018, Denis Rasulev wrote:
Hi,

Put this into /etc/fail2ban/filter.d/wordpress.conf:

# Fail2Ban filter for WordPress
#
# Matches the syslog lines the 'WP fail2ban' plugin writes via its
# "wordpress" / "wp" daemon tag; __prefix_line comes from common.conf.

[INCLUDES]

before = common.conf

[Definition]

_daemon = (?:wordpress|wp)

failregex = ^%(__prefix_line)sAuthentication attempt for unknown user .* from <HOST>$
            ^%(__prefix_line)sBlocked user enumeration attempt from <HOST>$
            ^%(__prefix_line)sBlocked authentication attempt for .* from <HOST>$
            ^%(__prefix_line)sPingback error .* generated from <HOST>$
            ^%(__prefix_line)sSpam comment \d+ from <HOST>$
            ^%(__prefix_line)sXML-RPC authentication attempt for unknown user .* from <HOST>$
            ^%(__prefix_line)sXML-RPC multicall authentication failure from <HOST>$

ignoreregex =

# DEV Notes:
# Requires the 'WP fail2ban' plugin:
# https://wordpress.org/plugins/wp-fail2ban/
#
# Author: Charles Lecklider

For the rest of the setup process, please check this nice article: https://bjornjohansen.no/using-fail2ban-with-wordpress

Regards,
Denis

On 24 Oct 2018, at 20:17, Mike <[email protected]> wrote:


Does anybody have any examples of sample jail configurations to identify WordPress vulnerability probes?

If someone can give me a skeleton, I can work on creating something that IDs malicious attempts to hack into WordPress. I just need a basic framework.



_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
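The filter above only sees what the WP fail2ban plugin logs. The access-log approach asked for in the reply (flag a host that requests a plugin path that is not installed, then ban it from every port) can be built the same way, and because fail2ban compiles failregex with Python's re module, the logic can be checked offline before it touches a live jail. The following is an added example written for this editorial pass; it is not code from the thread, from the WP fail2ban plugin, or from fail2ban itself. Assumptions: the installed-plugin slugs (akismet, wordfence), the jail name wordpress-probes, the Apache combined log format and log path, and a simplified stand-in for fail2ban's real <HOST> expansion; the log lines are constructed, not taken from a real server.

```python
"""Flag hosts that probe for WordPress plugins that are not installed, using
Python's re module (the engine fail2ban uses for failregex), and render the
matching filter.d / jail.d snippets.  Added example, not from the thread."""
import re
from collections import Counter

# fail2ban replaces the <HOST> tag with its own host-capturing group.  This is a
# simplified stand-in (assumption: full IPv4/IPv6/hostname handling omitted).
HOST_TAG = r"(?P<host>[\w.:-]+)"

INSTALLED = {"akismet", "wordfence"}   # assumption: the site's real plugin list

# Constructed Apache combined-format lines, not from a real server.
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Oct/2018:05:17:01 +0000] "GET /wp-content/plugins/example-gallery/readme.txt HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [25/Oct/2018:05:17:02 +0000] "GET /wp-content/plugins/old-uploader/upload.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [25/Oct/2018:05:17:03 +0000] "GET /wp-content/plugins/old-uploader/?action=list HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [25/Oct/2018:05:18:10 +0000] "GET /wp-content/plugins/akismet/_inc/akismet.js HTTP/1.1" 200 3456 "https://example.org/" "Mozilla/5.0"',
    '198.51.100.9 - - [25/Oct/2018:05:18:11 +0000] "GET /wp-content/plugins/wordfence/css/missing.css HTTP/1.1" 404 196 "https://example.org/" "Mozilla/5.0"',
    '192.0.2.44 - - [25/Oct/2018:05:19:00 +0000] "POST /wp-content/plugins/akismet-extra/x.php HTTP/1.1" 404 196 "-" "python-requests/2.19"',
    '192.0.2.44 - - [25/Oct/2018:05:19:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2000 "-" "python-requests/2.19"',
]


def build_failregex(installed):
    """Return one failregex line for filter.d.

    Matches a GET/POST/HEAD under /wp-content/plugins/<slug>/ that the server
    answered with 403 or 404, unless <slug> is an installed plugin.  Keeps the
    <HOST> tag so the string can be pasted into a filter file unchanged.
    """
    if installed:
        allow = "|".join(re.escape(slug) for slug in sorted(installed))
        # Negative lookahead: slug must not be a known plugin followed by a
        # path, query, whitespace or end-of-request delimiter.  "akismet-extra"
        # is therefore still flagged even though "akismet" is installed.
        not_installed = r'(?!(?:%s)[/?\s"])' % allow
    else:
        not_installed = ""
    return (r'^<HOST> \S+ \S+ \[[^\]]*\] "(?:GET|POST|HEAD) /wp-content/plugins/'
            + not_installed + r'[^\s"]+ HTTP/[\d.]+" (?:403|404) ')


def compile_failregex(failregex):
    """Expand <HOST> (simplified) and compile, as fail2ban would."""
    return re.compile(failregex.replace("<HOST>", HOST_TAG))


def find_probes(log_lines, installed):
    """Return {host: number of matching lines} over an access log."""
    pattern = compile_failregex(build_failregex(installed))
    hits = Counter()
    for line in log_lines:
        m = pattern.match(line)
        if m:
            hits[m.group("host")] += 1
    return dict(hits)


def hosts_to_ban(hits, maxretry):
    """Mirror the jail's maxretry decision: hosts with at least maxretry hits."""
    return sorted(host for host, n in hits.items() if n >= maxretry)


def render_filter(installed):
    """Contents for /etc/fail2ban/filter.d/wordpress-probes.conf (assumed name)."""
    return ("# Fail2Ban filter: requests for WordPress plugins that are not installed\n"
            "[Definition]\n"
            "failregex = " + build_failregex(installed) + "\n"
            "ignoreregex =\n")


def render_jail(logpath, bantime=86400, findtime=600, maxretry=2):
    """Contents for /etc/fail2ban/jail.d/wordpress-probes.conf (assumed name).
    iptables-allports drops the host on every port, not just HTTP."""
    return ("[wordpress-probes]\n"
            "enabled   = true\n"
            "filter    = wordpress-probes\n"
            "logpath   = " + logpath + "\n"
            "banaction = iptables-allports\n"
            "bantime   = " + str(bantime) + "\n"
            "findtime  = " + str(findtime) + "\n"
            "maxretry  = " + str(maxretry) + "\n")


if __name__ == "__main__":
    hits = find_probes(SAMPLE_LOG, INSTALLED)
    print("hits per host:", hits)
    print("would ban (maxretry=2):", hosts_to_ban(hits, 2))
    print(render_filter(INSTALLED))
    print(render_jail("/var/log/apache2/access.log"))
```

Against the constructed lines, 203.0.113.7 is counted three times and 192.0.2.44 once (the akismet-extra request); the 404 for a file inside the installed wordfence plugin is deliberately not counted, since a missing asset in a real plugin is not evidence of probing. Before enabling the jail, check the rendered filter against a real log with fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/wordpress-probes.conf; fail2ban picks the bracketed Apache timestamp up with its default date patterns. Two caveats: the allowlist must contain every plugin that is installed, active or not, because an inactive plugin still serves its static files and a legitimate visitor fetching them would otherwise be banned; and your own monitoring and admin addresses belong in ignoreip, because with iptables-allports a false positive locks that address out of SSH as well.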