Yikes! This post is over a year old!
If you think it deserves a rewrite please get in touch or leave a comment.
— Thanks, Ash.
Context
If you’re interested in hardening your WordPress installation and your infrastructure stack includes a Rackspace Cloud Server behind a Rackspace Cloud Load Balancer, you might find this guide useful.
This guide assumes your web server is a typical Ubuntu installation.
An introduction to Fail2ban
If you’re not already familiar, here’s a brief intro to Fail2ban. It’s a free software tool that typically comes bundled with Ubuntu in the default apt repositories. When configured properly, Fail2ban can protect your servers from brute-force and other automated attacks.
The basic premise is that Fail2ban can monitor common application or service logs for malicious patterns. These patterns can range in complexity from a simple string match like “Error: Permission Denied” to something more complicated involving some clever regex voodoo.
As Fail2ban monitors the log files, it keeps a record of the number of times a certain pattern has been matched. If this number reaches a predefined threshold, Fail2ban will “ban” the offending IP address for a predetermined time. You can enable a variety of default patterns (called “filters”) for commonly installed applications, as well as a number of actions (“ban” methods).
If you don’t already have Fail2ban installed on your Web server, you can install it easily by running:
sudo apt update
sudo apt install fail2ban
Once the installation is completed, the Fail2ban service will start automatically. You can verify it by checking the status of the service:
sudo systemctl status fail2ban
The output will look like this:
● fail2ban.service - Fail2Ban Service
Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor preset:
Active: active (running) since Sat 2021-06-05 21:05:29 BST; 1s ago
...
You now have Fail2Ban running on your Ubuntu server.
Fail2ban Configuration
For this basic configuration you’ll need to create 4 files. Three of the files are for Fail2ban, and one of the files is a tool called RackBan. RackBan is a little dated (and so is the Rackspace API) but it works and it’s straightforward enough to integrate.
Log in to your Ubuntu web server and run the following command to create the 4 files we’ll need later on. You’ll need to have root permissions.
sudo touch /etc/fail2ban/jail.d/wp.conf \
/etc/fail2ban/filter.d/wordpress.conf \
/etc/fail2ban/action.d/rackspace.conf \
/root/rackban.php
Edit the first file and add the following information.
sudo nano /etc/fail2ban/jail.d/wp.conf
[wordpress]
enabled = true
port = http
filter = wordpress
logpath = /var/log/apache2/*access.log
maxretry = 10
findtime = 600
bantime = 1200
banaction = rackspace
The filter and banaction lines refer to the additional files we created earlier under the filter.d and action.d directories.
Next we’ll create the banaction. This dictates what action should be taken when the regex match (“filter” defined in the wordpress.conf) is found in the target logpath.
sudo nano /etc/fail2ban/action.d/rackspace.conf
[Definition]
actionstart =
actionstop =
actioncheck =
actionban = php -f /root/rackban.php ban <ip>
actionunban = php -f /root/rackban.php unban <ip>
What we are saying here is that when a banaction takes place, execute the /root/rackban.php file with 2 parameters: the first is whether it is a ban or an unban event, and the second (<ip>) is a special placeholder that Fail2ban automatically populates with the matched IP address found in the log.
Next we need to define our regex for the Fail2ban filter.
sudo nano /etc/fail2ban/filter.d/wordpress.conf
[Definition]
failregex = <HOST>.*POST.*(wp-login\.php|xmlrpc\.php).* 200
This regex will match any IP address that attempts to send a POST HTTP request to either wp-login.php or xmlrpc.php. If an invalid login occurs, the web server responds with a 200 OK. If a valid and successful login occurs the web server responds with a 301 Redirect, so we can be sure that any 200 statuses are bad or incorrect login attempts.
Naturally, there will be innocent accidental bad logins, such as someone mistyping their username or password. Thankfully we have a grace window for those. In the Fail2ban jail file wp.conf we specify these two lines:
maxretry = 10
findtime = 600
That means that the same IP address has to fail 10 times within 10 minutes for it to be considered a match and the banaction to take place. For brute-force attempts those 10 failures may all occur within a few minutes of each other, which means the rule will match sooner than 10 minutes and the attacker will be banned promptly.
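As an added illustration (not part of the original post), the following Python script replays a few constructed Apache access-log lines through the failregex above and the jail's maxretry/findtime logic. It swaps a plain IPv4 group in for Fail2ban's <HOST> placeholder and is a simplification of how Fail2ban itself evaluates a filter; the IP addresses and log lines are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# failregex from filter.d/wordpress.conf; Fail2ban's <HOST> placeholder is swapped
# for a plain IPv4 group here (Fail2ban's own expansion also covers IPv6/hostnames).
FAILREGEX = r"<HOST>.*POST.*(wp-login\.php|xmlrpc\.php).* 200"
PATTERN = re.compile(FAILREGEX.replace("<HOST>", r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"))
MAXRETRY, FINDTIME = 10, 600            # from jail.d/wp.conf (findtime in seconds)
TS_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]")


def parse_failure(line):
    """Return (ip, timestamp) when the line matches failregex, else None."""
    m = PATTERN.search(line)
    if not m:
        return None
    ts = TS_RE.search(line).group(1)
    return m.group("host"), datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S")


def find_bans(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Replay log lines through the jail logic: an IP is banned once it has
    maxretry failregex hits inside a sliding window of findtime seconds."""
    recent, banned = defaultdict(list), []
    for line in lines:
        hit = parse_failure(line)
        if hit is None:
            continue
        ip, when = hit
        if ip in banned:
            continue
        recent[ip] = [t for t in recent[ip] if when - t <= timedelta(seconds=findtime)]
        recent[ip].append(when)
        if len(recent[ip]) >= maxretry:
            banned.append(ip)
    return banned


def access_line(ip, method, path, status, hms):
    """Build a constructed Apache combined-format line (sample data, not real traffic)."""
    return f'{ip} - - [05/Jun/2021:{hms} +0100] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'


SAMPLE_LOG = (
    # 203.0.113.7: ten failed POSTs to wp-login.php within 45 seconds -> banned
    [access_line("203.0.113.7", "POST", "/wp-login.php", 200, f"21:05:{i * 5:02d}") for i in range(10)]
    # 192.0.2.9: ten failures, but one every 2 minutes, so never 10 inside 600 s -> not banned
    + [access_line("192.0.2.9", "POST", "/xmlrpc.php", 200, f"21:{10 + 2 * i:02d}:00") for i in range(10)]
    # 198.51.100.20: a legitimate user loads the page (GET), mistypes twice, then logs in (redirect)
    + [access_line("198.51.100.20", "GET", "/wp-login.php", 200, "21:30:00"),
       access_line("198.51.100.20", "POST", "/wp-login.php", 200, "21:30:10"),
       access_line("198.51.100.20", "POST", "/wp-login.php", 200, "21:30:20"),
       access_line("198.51.100.20", "POST", "/wp-login.php", 302, "21:30:30")]
)

if __name__ == "__main__":
    print("banned:", find_bans(SAMPLE_LOG))   # banned: ['203.0.113.7']
```

Against a real log, Fail2ban's own fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/wordpress.conf reports which lines the filter matches, which is the quickest way to check the regex before relying on it.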
Finally, the last thing we need to do is to populate the /root/rackban.php file, which is the final link between Fail2ban and Rackspace. This is a PHP class that wraps the Rackspace Cloud Load Balancer API and allows us to add or remove IP addresses in the Load Balancer access control list.
Grab a copy of RackBan from GitHub, and copy the content into /root/rackban.php.
sudo nano /root/rackban.php
There are a couple of variables you will need to change in the PHP file.
// Your Rackspace cloud account ID
private $accountId = "12345678";
// Your Rackspace username
private $username = "exampleuser";
// Your Rackspace API key
private $apiKey = "kh45kh345k34k345h3k45h";
// Your Rackspace load balancer ID
private $loadBalancer = "123456";
In order to find the Load Balancer ID, you need to log in to the Rackspace Cloud Control Panel and go to Networking > Load Balancers. Select the Load Balancer that your server belongs to, and copy the ID value into the PHP file.
Once this file is done, we now need to check all the syntax and ensure there are no errors.
sudo fail2ban-client reload
If this command executes successfully nothing will be output to your screen. If there are syntax errors you will be informed what the problem is and you will need to fix them before continuing.
Check that the new WordPress jail has been loaded. It should look something like this:
sudo fail2ban-client status wordpress
Status for the jail: wordpress
|- Filter
| |- Currently failed: 0
| |- Total failed: 0
| `- File list: /var/log/apache2/access.log
`- Actions
|- Currently banned: 0
|- Total banned: 0
`- Banned IP list:
To test the connection to Rackspace, you can manually execute a ban with fail2ban.
sudo fail2ban-client set wordpress banip 111.111.111.111
Switch over to Rackspace Cloud Control Panel and look at the Load Balancer’s Access Control list. You should see 111.111.111.111 set to DENY.
If that works successfully, you can now test the unban.
sudo fail2ban-client set wordpress unbanip 111.111.111.111
In a moment's time you should see the IP address get removed from the Load Balancer’s Access Control List.
If both of the above commands work then you have successfully completed the setup!