You can create your own custom web filter config file, and add the following to 
it:

###############
[Init]
badbots = JDatabaseDriverMysql|base64_decode|JSimplepieFactory

[Definition]
failregex = (:80|:443) <HOST> .*(?:<badbots>)


ignoreregex =
#################

Where it says "badbots =", add whatever code the bots are using to try to break WP.

Also, another way to add security to your website is to move all your admin logins to a different folder that the bots won't find.

Wayne Sallee
[email protected]
http://www.WayneSallee.com


On 10/25/2018 09:36 PM, Mike wrote:
This is really interesting.  I like the way it works.  It redirects all instances of Wordpress with the plugin installed to log auth failures to the auth log.

I'm definitely going to look into this, but one issue I wrestle with a lot is vulnerable plugins (so adding another plugin is not super exciting).  What I'm interested in doing is using wordpress probes in the http log as a way to identify hosts that are running scripts to search for vulnerabilities and cut them completely off from all services, not just http.

Does anybody have a framework for something like this?

For example, a call from a host that references some plugin on my site that isn't installed is a dead giveaway that it's a probe.  I want to lock that host for x amount of time out of all services on my server.




At 05:17 AM 10/25/2018, Denis Rasulev wrote:
Hi,

Put this into /etc/fail2ban/filter.d/wordpress.conf :


# Fail2Ban filter for WordPress

[INCLUDES]

before = common.conf

[Definition]

_daemon = (?:wordpress|wp)

failregex = ^%(__prefix_line)sAuthentication attempt for unknown user .* from <HOST>$
            ^%(__prefix_line)sBlocked user enumeration attempt from <HOST>$
            ^%(__prefix_line)sBlocked authentication attempt for .* from <HOST>$
            ^%(__prefix_line)sPingback error .* generated from <HOST>$
            ^%(__prefix_line)sSpam comment \d+ from <HOST>$
            ^%(__prefix_line)sXML-RPC authentication attempt for unknown user .* from <HOST>$
            ^%(__prefix_line)sXML-RPC multicall authentication failure from <HOST>$

ignoreregex =

# DEV Notes:
# Requires the 'WP fail2ban' plugin:
# https://wordpress.org/plugins/wp-fail2ban/
#
# Author: Charles Lecklider

For the rest of the setup process, please check this nice article: https://bjornjohansen.no/using-fail2ban-with-wordpress

Regards,
Denis

On 24 Oct 2018, at 20:17, Mike <[email protected]> wrote:


Does anybody have any examples of sample jail configurations to identify 
Wordpress vulnerability probes?

If someone can give me a skeleton, I can work on creating something that IDs malicious attempts to hack into wordpress.  I just need a basic framework.



_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
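
Added example, not written by anyone in this thread: the probe test Mike describes (a request for a plugin that isn't installed), run over constructed access-log lines in combined format. The plugin slugs, the addresses, and the maxretry threshold of 2 are assumptions.

```python
import re
from collections import Counter

# Assumption: slugs of the plugins really installed on this site.
INSTALLED_PLUGINS = {"akismet", "wp-fail2ban"}

# Combined log format: client address first, request line in quotes, then status.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?:GET|POST|HEAD) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')
PLUGIN_RE = re.compile(r'/wp-content/plugins/(?P<slug>[A-Za-z0-9_-]+)/', re.I)

def probe_slug(line):
    """Return (host, slug) if the line requests a plugin that is not installed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    p = PLUGIN_RE.search(m.group("path"))
    if not p:
        return None
    slug = p.group("slug").lower()
    if slug in INSTALLED_PLUGINS:
        return None  # legitimate asset request for a plugin we do run
    return m.group("host"), slug

def hosts_to_ban(lines, maxretry=2):
    """Hosts with at least `maxretry` requests for plugins that are not installed."""
    hits = Counter()
    for line in lines:
        found = probe_slug(line)
        if found:
            hits[found[0]] += 1
    return sorted(h for h, n in hits.items() if n >= maxretry)

# Constructed sample lines (documentation address ranges, made-up plugin slugs).
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Oct/2018:05:17:01 +0000] "GET /wp-content/plugins/example-gallery/readme.txt HTTP/1.1" 404 512 "-" "curl/7.61"',
    '203.0.113.7 - - [25/Oct/2018:05:17:02 +0000] "GET /wp-content/plugins/example-forms/readme.txt HTTP/1.1" 404 512 "-" "curl/7.61"',
    '198.51.100.20 - - [25/Oct/2018:05:18:10 +0000] "GET /wp-content/plugins/akismet/_inc/form.js HTTP/1.1" 200 700 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [25/Oct/2018:05:18:11 +0000] "GET /wp-content/plugins/example-gallery/style.css HTTP/1.1" 404 512 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [25/Oct/2018:05:19:00 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE_LOG))
```

In fail2ban itself the same match would be a failregex on the web access log, paired with a jail whose banaction covers all ports (for example iptables-allports) so the host is cut off from every service rather than only HTTP.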