I knew it was just a matter of time before the now famous botnet would try to gain access to my WordPress site too and today it tried. It didn’t gain access for three reasons.
- I do not use admin
- I have a strong password
- I use my own WordPress plugin plus Fail2ban
They tried 185 times in the span of 40 minutes.
AVH Log Login
As everybody on the net is saying, do not use the admin user as your administrator user and use a strong password. Well I have been doing this for years but when the news broke of the botnet I decided to add an extra layer of security.
I created a very basic plugin that will log all logins and login attempts to a file.
I use this log file in combination with the Linux program Fail2ban. I set up a filter and updated the jail configuration file and IP’s that tried a number of times to login and files are blocked by the firewall. Correct, I completely block these IP’s from accessing my site.
Here’s what the logfile looks like:
188.8.131.52 ERROR - [2013-05-07 12:14:06] " Login Failed - User: 'admin' Password: 'liverpool' " 184.108.40.206 ERROR - [2013-05-07 12:17:05] " Login Failed - User: 'admin' Password: 'dallas' " 220.127.116.11 ERROR - [2013-05-07 12:22:30] " Login Failed - User: 'admin' Password: 'adidas' " 18.104.22.168 ERROR - [2013-05-07 12:24:47] " Login Failed - User: 'admin' Password: 'scotty' " x.x.x.x INFO - [2013-05-07 12:54:25] " Login Successful - User: '....'
The last line was me logging in.
Fail2ban filter file:
[Definition] failregex = ^<HOST> ERROR.*Login Failed.* ignoreregex =
Fail2ban jail configuration:
[wordpress-login] enabled = true filter = wordpress-login port = http logpath = /var/log/nginx/*app.log maxretry = 2 findtime = 86400 ; 1 day bantime = 86400 ; 1 day
This setup allows any IP two tries within a day to login, and they will be banned for a day if they fail.
I haven’t released the plugin as I haven’t released the plugin yet because I haven’t had time to write an admin section so the logfile location can be modified. Right now it’s hardcoded for my needs.
If there’s a need, let me know in the comments.
The plugin will only work when you have access to the Fail2ban files, usually a dedicated server or VPS. It’s not limited to Fail2ban, there are other program you could use to read the logfile and act upon it.