Preventing SSH and WordPress Brute Force Breach Attacks with Fail2ban

Connecting to a server via SSH is very secure, but the SSH daemon itself must be exposed to the Internet in order to function properly. This is an easy target for potential attackers. Any service exposed to the network in this way is a potential target for an attacker. If we pay attention to the logs of these services, we often see repeated login attempts, which means that the service has been subjected to a brute force attack, something that WordPress suffers from on a daily basis due to its widespread use.

Linux systems have a program called Fail2ban. Fail2ban is a service that analyzes application logs to identify brute-force cracking behavior and then automatically modifies iptables firewall rules to block the attacker's IP address. The process is automated: once the Fail2ban service is configured, no manual intervention is needed. In this article, I will describe how to install and use Fail2ban on a CentOS 7 server.

Installing Fail2ban on CentOS 7

The Fail2ban package is not included in the official CentOS repositories; it is packaged in the EPEL project (EPEL stands for Extra Packages for Enterprise Linux), so we need to enable the EPEL repository first:

sudo yum install epel-release

Now we should be able to install the Fail2ban package:

sudo yum install fail2ban

Once the installation is complete, we need to enable the Fail2ban service using systemctl:

sudo systemctl enable fail2ban

Customizing Fail2ban Settings

The Fail2ban configuration files live in the /etc/fail2ban directory. There we find the main configuration file, jail.conf. Since that file may be overwritten by package upgrades, instead of editing it directly we write a custom configuration file named jail.local; any value defined in that file overrides the corresponding setting in jail.conf.

jail.conf contains a [DEFAULT] section, followed by a section for each service. jail.local can override any of these values. In addition, files in the folder /etc/fail2ban/jail.d/ can contain service-related settings that in turn override the settings in those two files. The files are read in the following order, with later files taking priority:

  1. /etc/fail2ban/jail.conf
  2. /etc/fail2ban/jail.d/*.conf, in alphabetical order
  3. /etc/fail2ban/jail.local
  4. /etc/fail2ban/jail.d/*.local, in alphabetical order

Any file can contain a [DEFAULT] section, which is applied first, as well as sections for individual services.
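To make the read order concrete, here is a small Python emulation of the layering described above. It is an added example, not part of the original article or of Fail2ban itself: it writes a constructed set of configuration files into a temporary directory (the contents are made up for the demo) and reads them with configparser in the documented order, so the last file to set a value wins and [DEFAULT] values are visible inside every jail section.

```python
import configparser
import glob
import os
import tempfile

# Constructed file contents (not copied from any real system). Each layer
# sets bantime or banaction so we can see which definition ends up in effect.
SAMPLE_FILES = {
    "jail.conf": "[DEFAULT]\nbantime = 600\nmaxretry = 3\n\n[sshd]\nenabled = false\nport = ssh\n",
    "jail.d/00-firewalld.conf": "[DEFAULT]\nbanaction = firewallcmd-ipset\n",
    "jail.d/10-site.conf": "[DEFAULT]\nbantime = 900\n",
    "jail.local": "[DEFAULT]\nbantime = 3600\nbanaction = iptables-multiport\n\n[sshd]\nenabled = true\n",
    "jail.d/99-override.local": "[sshd]\nmaxretry = 5\n",
}


def write_sample_tree():
    """Create a throwaway /etc/fail2ban-like tree holding SAMPLE_FILES."""
    confdir = tempfile.mkdtemp(prefix="fail2ban-demo-")
    os.mkdir(os.path.join(confdir, "jail.d"))
    for rel, body in SAMPLE_FILES.items():
        with open(os.path.join(confdir, rel), "w") as fh:
            fh.write(body)
    return confdir


def layered_files(confdir):
    """Return the files in the order Fail2ban reads them:
    jail.conf, jail.d/*.conf (alphabetical), jail.local, jail.d/*.local (alphabetical)."""
    order = [os.path.join(confdir, "jail.conf")]
    order += sorted(glob.glob(os.path.join(confdir, "jail.d", "*.conf")))
    order.append(os.path.join(confdir, "jail.local"))
    order += sorted(glob.glob(os.path.join(confdir, "jail.d", "*.local")))
    return [p for p in order if os.path.isfile(p)]


def read_order(confdir):
    """Same list as layered_files, but relative to confdir (for display/tests)."""
    return [os.path.relpath(p, confdir) for p in layered_files(confdir)]


def effective_config(confdir):
    """Read all layers; configparser keeps the last value seen for each key."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read(layered_files(confdir))
    return parser


def resolved_sshd_settings(confdir=None):
    """Resolve the sshd jail's settings, falling back to [DEFAULT] where unset."""
    confdir = confdir or write_sample_tree()
    cfg = effective_config(confdir)
    return {
        "enabled": cfg.get("sshd", "enabled"),
        "bantime": cfg.getint("sshd", "bantime"),
        "maxretry": cfg.getint("sshd", "maxretry"),
        "banaction": cfg.get("sshd", "banaction"),
    }


if __name__ == "__main__":
    tree = write_sample_tree()
    for path in read_order(tree):
        print("read:", path)
    print(resolved_sshd_settings(tree))
```

In the sample tree, jail.local's bantime of 3600 beats the 900 set in jail.d/10-site.conf because jail.local is read later, while jail.d/99-override.local, read last of all, is the only place that can override a value set in jail.local.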

First, let's write a very simple jail.local. Use the vi editor to open a new file:

sudo vi /etc/fail2ban/jail.local

Paste the following:

[DEFAULT]
# Ban hosts for one hour.
bantime = 3600

# Override /etc/fail2ban/jail.d/00-firewalld.conf.
banaction = iptables-multiport

[sshd]
enabled = true

The configuration above overrides three settings: it sets a new ban time for all services, makes banning use iptables, and enables the sshd jail. After making the changes, we need to restart the Fail2ban service for them to take effect:

sudo systemctl restart fail2ban

There should be no output when this command completes.

Other Available Fail2ban Settings

We may also want to adjust other Fail2ban settings. Open jail.conf and we will go through some of the default settings. If you need to change any of these values, copy them into the jail.local configuration file and adjust them there, rather than modifying the default file directly.

sudo vi /etc/fail2ban/jail.conf

Default Settings for All Jails

First is the [DEFAULT] section.

ignoreip = 127.0.0.1/8

This parameter tells Fail2ban to ignore traffic from certain IPs. As configured, it will never ban traffic from the local machine. We can append more IPs (separated by spaces) to ignore other addresses.

bantime = 600

The bantime parameter sets the number of seconds an IP stays banned; the default is 600 seconds, or 10 minutes.

findtime = 600
maxretry = 3

The next two parameters to note are findtime and maxretry, which together determine the conditions under which an IP should be blocked.

The maxretry variable sets the number of failed attempts an IP may make within findtime before it is banned. By default, Fail2ban bans IPs that fail to log in 3 times within 10 minutes.

destemail = root@localhost
sendername = Fail2Ban
mta = sendmail

To configure email alerts, we need to override the destemail, sendername, and mta settings. The destemail parameter sets the email address that will receive ban notifications. sendername is the value of the email's “from” field. The mta parameter sets which mail transfer agent is used to send the message.

action = %(action_)s

This parameter sets the action taken when Fail2ban bans an IP. The default action configures the firewall to reject traffic from the offending IP until the ban time has elapsed.

Other Jail Settings

After [DEFAULT] come the settings for each service's jail, usually including the port and the logpath to monitor. For example, if we enable SSH monitoring, the following settings apply (from jail.conf, unless overridden in jail.local):

[sshd]

port = ssh
logpath = %(sshd_log)s

Here ssh is a predefined variable for the standard SSH port, and %(sshd_log)s uses the value defined in Fail2ban's standard configuration (which makes it easier to port jail.conf to different operating systems).

Some monitored services need a separate filter that defines what an authentication failure looks like. Filters live in the /etc/fail2ban/filter.d directory; each file contains regular expressions that decide whether a log line counts toward a ban. The WordPress monitoring setup covered later requires a new filter file.

We can see the available filters by listing the files in that directory:

ls /etc/fail2ban/filter.d

If we see a file for a service we are using, that filter is usually straightforward to enable. For example, if we run Nginx, we can add an [nginx-http-auth] section to /etc/fail2ban/jail.local:

[DEFAULT]
# Ban hosts for one hour.
bantime = 3600

# Override /etc/fail2ban/jail.d/00-firewalld.conf.
banaction = iptables-multiport

[sshd]
enabled = true

[nginx-http-auth]
enabled = true

Restart the Fail2ban service:

sudo systemctl restart fail2ban

Viewing Fail2ban Status and Firewall Settings

After setting up Fail2ban, we want to confirm that it is working as expected. Use fail2ban-client to check the overall service status or the status of an individual jail:

sudo fail2ban-client status
sudo fail2ban-client status jail_name

You can also list the iptables rules currently in effect to see which IPs are banned by Fail2ban:

sudo iptables -L

Preventing WordPress Brute Force Attacks with Fail2ban

If our WordPress site has access logging enabled, we can have Fail2ban monitor the site's logs to stop brute force attacks on WordPress. A client that keeps sending POST requests to wp-login.php is usually a brute force attempt. Based on that pattern, we set up the following filter, named wordpress.conf, placed in the /etc/fail2ban/filter.d/ folder.

# WP brute force attacks filter
[Definition]
# <HOST> is the tag Fail2ban replaces with its client-address pattern; a failregex
# without it cannot extract an IP to ban. The pattern matches POST requests to
# wp-login.php in a standard (common/combined format) access log line.
failregex = ^<HOST> -.*- .*"POST .*/wp-login\.php
ignoreregex =

Then in the jail.local file, add the following, where logpath is the path to the site's access log.

[wordpress]
enabled = true
filter = wordpress
logpath = /home/wwwlogs/*.log
maxretry = 3
port = http,https
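The two pieces that make this jail work are the filter's failregex (which picks out the failed-login lines and the client IP) and the findtime/maxretry pair described earlier (which decides when the repeated matches become a ban). The following Python script, an added example that is not part of the article or of Fail2ban, puts both together: it applies the wordpress.conf failregex to a few constructed access log lines and then replays Fail2ban's "maxretry failures within findtime" rule per host. The `<HOST>` substitution is simplified to an IPv4-only capture group for the demo (Fail2ban's real replacement also handles hostnames and IPv6), and the sample log lines use reserved documentation addresses rather than real traffic.

```python
import re
from datetime import datetime, timedelta

# The failregex exactly as written in the wordpress.conf filter above.
FAILREGEX = r'^<HOST> -.*- .*"POST .*/wp-login\.php'

# Simplified stand-in for Fail2ban's <HOST> replacement (assumption for the demo:
# IPv4 only; the real pattern also matches hostnames and IPv6 addresses).
HOST_GROUP = r'(?P<host>\d{1,3}(?:\.\d{1,3}){3})'
FAIL_RE = re.compile(FAILREGEX.replace('<HOST>', HOST_GROUP))
TIME_RE = re.compile(r'\[([^\]]+)\]')

# Constructed access log lines (TEST-NET addresses), not captured from a real server.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /wp-login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:56:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:13:56:10 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:57:15 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:14:08:00 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:14:20:00 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
"""


def parse_failures(log_text):
    """Yield (host, timestamp) for every line the failregex matches.
    GET requests to wp-login.php (the login form being displayed) do not match."""
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue
        stamp = TIME_RE.search(line).group(1)
        yield m.group("host"), datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")


def banned_hosts(log_text, findtime=600, maxretry=3):
    """Replay the jail rule: a host is banned once it has maxretry matching
    lines whose timestamps all fall within findtime seconds of the newest one."""
    window = timedelta(seconds=findtime)
    recent = {}      # host -> timestamps still inside the findtime window
    banned = []      # in the order the bans would be issued
    for host, ts in parse_failures(log_text):
        hits = [t for t in recent.get(host, []) if ts - t <= window]
        hits.append(ts)
        recent[host] = hits
        if len(hits) >= maxretry and host not in banned:
            banned.append(host)
    return banned


if __name__ == "__main__":
    print("matching lines:", len(list(parse_failures(SAMPLE_LOG))))
    print("banned with jail defaults:", banned_hosts(SAMPLE_LOG))
    print("banned with findtime=3600:", banned_hosts(SAMPLE_LOG, findtime=3600))
```

With the jail's defaults only 203.0.113.5 is banned: its three POSTs fall within two minutes. 192.0.2.9 also posts three times, but spread over 24 minutes, so no three of them ever share a 600 second window; raising findtime to 3600 is what turns that slow pattern into a ban, which is the trade-off to keep in mind when tuning these two values.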

CentOS 7 uses firewalld rather than plain iptables, so Fail2ban may not be able to update the iptables rules. In that case, use the following two commands to stop and mask the firewalld service, so that Fail2ban can manage iptables directly:

systemctl stop firewalld
systemctl mask firewalld

Unbanning IPs Blocked by Mistake

If our own IP address has been banned by mistake, we can use the following command to unban it:

fail2ban-client set wordpress unbanip 8.8.8.8

Adding an IP Address to the Whitelist

If an IP address needs to log in frequently, we can add it to the whitelist so that it never triggers the Fail2ban rules:

fail2ban-client set wordpress addignoreip 8.8.8.8 # Add IP to whitelist
fail2ban-client set wordpress delignoreip 8.8.8.8 # Remove IP from whitelist

With the above settings, the server is protected against most brute-force attacks, taking WordPress security up another level. Even so, we must not forget the basic rules of security: don't set passwords that are too simple, and store your passwords carefully to prevent leaks. Security is not only a state of mind but also a habit; with the habit of paying attention to network security, security will endure.
