Amanda Orendorff

Amanda Orendorff

I’m a DevOps Automation Nerd

2 minute read

Additional Fail2Ban Actions to Stop Attacks on Nginx and WordPress

Fail2ban can be configured to take various actions to block malicious traffic and prevent attacks on Nginx and WordPress.

Here are some additional actions that you can consider configuring in your fail2ban setup:

Nginx Bad Bot Blocking

You can configure fail2ban to block bad bots that are scanning your Nginx server. To do this, add the following lines to your jail.local file:

1
2
3
4
5
6
7

[nginx-badbots]
enabled = true
port = http,https
filter = nginx-badbots
logpath = /var/log/nginx/access.log
maxretry = 3
banaction = iptables-multiport

Then create the filter file /etc/fail2ban/filter.d/nginx-badbots.conf with the following content:

1
2
3

[Definition]
failregex = ^<HOST>.*"GET.*\.(txt|html|php|asp|aspx|jsp|py).*HTTP.*" 4\d{2}
ignoreregex =

This configuration will block IP addresses that make four or more requests for certain file types within a specified time frame.

Nginx HTTP Flood Protection

You can configure fail2ban to block IP addresses that make too many requests within a specified time frame.

To do this, add the following lines to your jail.local file:

1
2
3
4
5
6
7
8
9

[nginx-http-flood]
enabled = true
port = http,https
filter = nginx-http-flood
logpath = /var/log/nginx/access.log
maxretry = 100
findtime = 10
bantime = 600
action = iptables[name=HTTP, port=http, protocol=tcp]

Then create the filter file /etc/fail2ban/filter.d/nginx-http-flood.conf with the following content:

1
2
3

[Definition]
failregex = ^<HOST>.*"(GET|POST).*HTTP.*" 4\d{2}
ignoreregex =

This configuration will block IP addresses that make 100 or more requests within a 10-second window.

WordPress Brute-Force Protection

You can configure fail2ban to block IP addresses that make too many failed login attempts to WordPress.

To do this, add the following lines to your jail.local file:

1
2
3
4
5
6
7
8
9

[wordpress]
enabled = true
port = http,https
filter = wordpress
logpath = /var/log/nginx/access.log
maxretry = 5
findtime = 300
bantime = 1800
action = iptables[name=HTTP, port=http, protocol=tcp]

Then create the filter file /etc/fail2ban/filter.d/wordpress.conf with the following content:

1
2
3

[Definition]
failregex = ^<HOST>.*POST.*wp-login.php.*
ignoreregex =

This configuration will block IP addresses that make five or more failed login attempts within a five-minute window.

These are just a few examples of additional fail2ban actions you can configure to protect your Nginx and WordPress installations. Depending on your specific setup, you may need to modify these configurations to suit your needs. Additionally, it’s always a good idea to review your logs regularly and adjust your fail2ban configuration as needed to improve your system’s security.

Comments

You May Also Enjoy

Building Google Docs Extension

5 minute read

Here is a step by step example for building a Google Doc Extension that will convert a well formatted Google Docs to Markdown format, using just a bit of Jav...