From 1f567259a25c1fe0f2ef18caf39b5f55e14492f1 Mon Sep 17 00:00:00 2001
From: Matthew Saunders Brown
Date: Wed, 16 Nov 2022 14:25:10 -0800
Subject: [PATCH] add fail2ban configs
---
 etc/fail2ban/filter.d/wp-auth.conf | 10 ++++++++
 etc/fail2ban/filter.d/xmlrpc.conf | 12 ++++++++++
 etc/fail2ban/jail.d/wp-auth.conf | 8 +++++++
 etc/fail2ban/jail.d/xmlrpc.conf | 8 +++++++
 install.sh | 11 +++++++++
 update.sh | 38 ++++++++++++++++++++++++++++++
 6 files changed, 87 insertions(+)
 create mode 100644 etc/fail2ban/filter.d/wp-auth.conf
 create mode 100644 etc/fail2ban/filter.d/xmlrpc.conf
 create mode 100644 etc/fail2ban/jail.d/wp-auth.conf
 create mode 100644 etc/fail2ban/jail.d/xmlrpc.conf
diff --git a/etc/fail2ban/filter.d/wp-auth.conf b/etc/fail2ban/filter.d/wp-auth.conf
new file mode 100644
index 0000000..fa1b763
--- /dev/null
+++ b/etc/fail2ban/filter.d/wp-auth.conf
@@ -0,0 +1,10 @@
+# WordPress brute force auth filter: /etc/fail2ban/filter.d/wp-auth.conf:
+#
+# Block IPs trying to auth wp wordpress
+#
+# Matches e.g.
+# exampledomain.com 12.34.33.22 - [07/Jun/2014:11:15:29] "POST /wp-login.php HTTP/1.0" 200 4523
+#
+[Definition]
+failregex = [\w\.\-]+ [\w\.\-]+ [\w\.\-]+ .*] "POST .*/wp-login.php
+ignoreregex =
diff --git a/etc/fail2ban/filter.d/xmlrpc.conf b/etc/fail2ban/filter.d/xmlrpc.conf
new file mode 100644
index 0000000..0ac3fad
--- /dev/null
+++ b/etc/fail2ban/filter.d/xmlrpc.conf
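Review bot: The pattern on the `+failregex` line contains no `<HOST>` tag, so fail2ban has no group to extract an address from and rejects the filter when the jail is loaded ("No 'host' group" / missing failure-id group in current releases); the jail then bans nothing, and depending on the fail2ban version the configuration error raised at the `systemctl restart fail2ban` in install.sh can leave the whole service down rather than just this jail. In the example log line the client address is the second field, so the pattern should name it and be anchored, e.g. `failregex = ^\S+ <HOST> \S+ .*\] "POST \S*/wp-login\.php`. As written it also counts successful logins toward maxretry: WordPress answers a failed wp-login.php POST with 200 and a successful one with a 302 redirect, so appending ` HTTP/[\d.]+" 200 ` would limit matches to failures. Running `fail2ban-regex /var/log/apache2/access.log etc/fail2ban/filter.d/wp-auth.conf` against a real log before shipping would have caught the missing tag.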
@@ -0,0 +1,12 @@
+# WordPress xrmlrpc.php abuse
+#
+# Block IPs pounding xrmlrpc.php
+#
+# Matches e.g.
+# example.com:80 51.141.3.7 - - [05/Oct/2020:15:13:57 -0700] "POST /xmlrpc.php HTTP/1.1" 200 650 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
+# example.com:80 51.141.3.7 - - [05/Oct/2020:15:13:57 -0700] "POST //xmlrpc.php HTTP/1.1" 200 650 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
+#
+[Definition]
+failregex = [\w\.\-]+ [\w\.\-]+ [\w\.\-]+ .*] "POST /xmlrpc.php
+ [\w\.\-]+ [\w\.\-]+ [\w\.\-]+ .*] "POST //xmlrpc.php
+ignoreregex =
diff --git a/etc/fail2ban/jail.d/wp-auth.conf b/etc/fail2ban/jail.d/wp-auth.conf
new file mode 100644
index 0000000..73e41dc
--- /dev/null
+++ b/etc/fail2ban/jail.d/wp-auth.conf
@@ -0,0 +1,8 @@
+[wp-auth]
+enabled = true
+port = http,https
+filter = wp-auth
+logpath = /var/log/apache2/access.log tail
+bantime = 900
+findtime = 300
+maxretry = 10
diff --git a/etc/fail2ban/jail.d/xmlrpc.conf b/etc/fail2ban/jail.d/xmlrpc.conf
new file mode 100644
index 0000000..a22150e
--- /dev/null
+++ b/etc/fail2ban/jail.d/xmlrpc.conf
@@ -0,0 +1,8 @@
+[xmlrpc]
+enabled = true
+port = http,https
+filter = xmlrpc
+logpath = /var/log/apache2/access.log tail
+bantime = 86400
+findtime = 60
+maxretry = 3
diff --git a/install.sh b/install.sh
index 61bba2c..12c582a 100755
--- a/install.sh
+++ b/install.sh
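Review bot: Both alternatives under `+failregex` have the same defect as wp-auth.conf — no `<HOST>` tag tells fail2ban which field is the client address, so the filter fails to load instead of banning anyone. One anchored pattern covers `/xmlrpc.php` and `//xmlrpc.php` and names the address: `failregex = ^\S+ <HOST> \S+ .*\] "POST /+xmlrpc\.php`. The header comments also spell the file `xrmlrpc.php` twice; `xmlrpc.php` is what the regex and the example lines use.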
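Review bot: `logpath = /var/log/apache2/access.log` may not carry the log format the filter expects: the example line in filter.d/wp-auth.conf starts with a vhost field (`exampledomain.com 12.34.33.22 …`), which on a Debian-style Apache layout is the `vhost_combined` format written to `other_vhosts_access.log`, while `access.log` normally uses `combined` with the client address as the first field. Confirm which LogFormat feeds this file, or cover both with `logpath = /var/log/apache2/*access.log tail`; the unanchored regex masks the mismatch today, but it decides where `<HOST>` has to sit once the filter is corrected. An `ignoreip` for the operator's own addresses is also worth adding, since ten wp-login.php POSTs in 300 s from one NAT'd office is a plausible false positive.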
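Review bot: `maxretry = 3` within `findtime = 60` followed by a 24 h ban is a blunt threshold for xmlrpc.php, which legitimate clients (Jetpack, the WordPress mobile apps, pingbacks from other blogs) hit in bursts of more than three requests, and an access-log filter cannot tell those from abuse. If XML-RPC is not needed on the hosted sites, denying the path in Apache is safer than banning; if it is, raise `maxretry`, shorten `bantime`, and list known integrations in `ignoreip`.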
@@ -33,3 +33,14 @@ cp usr/local/lib/systemd/system/wp-cron.* /usr/local/lib/systemd/system/
 chmod 644 /usr/local/lib/systemd/system/wp-cron.*
 systemctl enable wp-cron.timer
 systemctl start wp-cron.timer
+
+# fail2ban wordpress configs
+if [[ -d /etc/fail2ban/ ]]; then
+ chmod 644 etc/fail2ban/filter.d/
+ cp -a etc/fail2ban/filter.d/* /etc/fail2ban/filter.d/
+ chmod 644 etc/fail2ban/jail.d/
+ cp -a etc/fail2ban/jail.d/* /etc/fail2ban/jail.d/
+ systemctl restart fail2ban
+else
+ echo "Fail2ban not installed, skipping fail2ban wordpress configs."
+fi
diff --git a/update.sh b/update.sh
index 711b4db..6fa80de 100755
--- a/update.sh
+++ b/update.sh
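Review bot: `chmod 644 etc/fail2ban/filter.d/` and `chmod 644 etc/fail2ban/jail.d/` change the mode of the source directories, not the files inside them — 644 on a directory removes the execute bit, and only because the script runs as root does the following `cp -a` still traverse it; judging by update.sh, which runs `chmod 644` on the installed `.conf` files, the files were the intent. `cp -a` additionally preserves the checkout's owner and mode, so if the repository was cloned by a non-root user the copies under /etc/fail2ban stay writable by that user, and anyone who can edit a jail.d file can set `action` parameters that fail2ban interpolates into shell commands it runs as root. `install -m 644 -o root -g root etc/fail2ban/filter.d/*.conf /etc/fail2ban/filter.d/` and the same for jail.d replace each chmod/cp pair and fix both points. A `fail2ban-client -t` before `systemctl restart fail2ban` (available from 0.10 on) would catch a broken filter before it takes the service down.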
@@ -59,3 +59,41 @@ if ! diff -q usr/local/lib/systemd/system/wp-cron.timer /usr/local/lib/systemd/s
 echo "wp-cron.timer updated"
 echo
 fi
+
+# check fail2ban wordpress configs
+if [[ -d /etc/fail2ban/ ]]; then
+ RESTARTF2B=false
+ if ! diff -q etc/fail2ban/filter.d/wp-auth.conf /etc/fail2ban/filter.d/wp-auth.conf ; then
+ cp etc/fail2ban/filter.d/wp-auth.conf /etc/fail2ban/filter.d/wp-auth.conf
+ chmod 644 /etc/fail2ban/filter.d/wp-auth.conf
+ echo "fail2ban/filter.d/wp-auth.conf updated"
+ echo
+ RESTARTF2B=true
+ fi
+ if ! diff -q etc/fail2ban/filter.d/xmlrpc.conf /etc/fail2ban/filter.d/xmlrpc.conf ; then
+ cp etc/fail2ban/filter.d/xmlrpc.conf /etc/fail2ban/filter.d/xmlrpc.conf
+ chmod 644 /etc/fail2ban/filter.d/xmlrpc.conf
+ echo "fail2ban/filter.d/xmlrpc.conf updated"
+ echo
+ RESTARTF2B=true
+ fi
+ if ! diff -q etc/fail2ban/jail.d/wp-auth.conf /etc/fail2ban/jail.d/wp-auth.conf ; then
+ cp etc/fail2ban/jail.d/wp-auth.conf /etc/fail2ban/jail.d/wp-auth.conf
+ chmod 644 /etc/fail2ban/jail.d/wp-auth.conf
+ echo "fail2ban/jail.d/wp-auth.conf updated"
+ echo
+ RESTARTF2B=true
+ fi
+ if ! diff -q etc/fail2ban/jail.d/xmlrpc.conf /etc/fail2ban/jail.d/xmlrpc.conf ; then
+ cp etc/fail2ban/jail.d/xmlrpc.conf /etc/fail2ban/jail.d/xmlrpc.conf
+ chmod 644 /etc/fail2ban/jail.d/xmlrpc.conf
+ echo "fail2ban/jail.d/xmlrpc.conf updated"
+ echo
+ RESTARTF2B=true
+ fi
+ if [[ $RESTARTF2B = true ]]; then
+ systemctl restart fail2ban
+ fi
+else
+ echo "Fail2ban not installed, skipping fail2ban wordpress configs."
+fi
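Review bot: The four `if ! diff -q …` stanzas differ only in the file path, so one loop over the four relative paths expresses the same logic in a quarter of the lines and keeps a future fifth config from being added in one place and forgotten in the others. Folding `cp` plus `chmod 644` into `install -m 644 -o root -g root` also pins the installed copy's ownership instead of leaving it to `cp`. `diff -q` still returns non-zero when the destination does not exist yet (with a "No such file" message on stderr), so first-time installs keep copying; the `RESTARTF2B` check and the else branch are unchanged.
```shell
# check fail2ban wordpress configs
if [[ -d /etc/fail2ban/ ]]; then
  RESTARTF2B=false
  for f in filter.d/wp-auth.conf filter.d/xmlrpc.conf jail.d/wp-auth.conf jail.d/xmlrpc.conf; do
    if ! diff -q "etc/fail2ban/$f" "/etc/fail2ban/$f" ; then
      install -m 644 -o root -g root "etc/fail2ban/$f" "/etc/fail2ban/$f"
      echo "fail2ban/$f updated"
      echo
      RESTARTF2B=true
    fi
  done
  # … unchanged: RESTARTF2B check and systemctl restart fail2ban …
# … unchanged: else branch …
```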