Using fail2ban

Over the last few days, I have had the super awesome opportunity to deal with the WordPress XML-RPC attack. Yes, yes, it has been a while since it happened, but apparently I have been pretty lucky not to have been used as a patsy, till now. I started off doing the first thing that is usually necessary with any vulnerability: patching WordPress. That was easy enough, but I did notice that I was still being attacked. Cripes… What's a boy to do?

Enter fail2ban…..

If you haven’t heard of it, I won’t bore you too much with the details. You can check them out here – http://www.fail2ban.org/wiki/index.php/Main_Page . Basically, it’s a tool that keeps track of logs, looks for particular patterns and then takes action. In my case, I wanted it to block/drop these connections, which is basically the default setup.

With the overview out of the way, let's get this party started.
FYI: This is all done for CentOS/Fedora based operating systems. You can figure out what the differences are if you are one of those people that use Ubuntu.

Install the fail2ban package:

sudo yum install fail2ban

Well, that was easy; now it’s time to configure it. fail2ban keeps its configuration under /etc/fail2ban, and the jail settings go in the jail.local file. Start off by editing that file.

sudo vi /etc/fail2ban/jail.local

We are going to get straight to the point and configure this just for xmlrpc. Digging into the directories you will see that there are lots of ready-made filters, which makes getting fail2ban up and running very easy. Add the following information to the configuration file:

[xmlrpc]
enabled = true
filter = xmlrpc
action = iptables[name=xmlrpc, port=http, protocol=tcp]
logpath = /var/log/httpd/access_log
bantime = 43600
maxretry = 2

This jail watches access_log with the xmlrpc filter and, once a host has matched twice (maxretry), uses iptables to ban it for 43,600 seconds.

The final configuration piece is to add the actual filter that will do the heavy lifting. Create the following file:

/etc/fail2ban/filter.d/xmlrpc.conf

Add the following lines to the xmlrpc.conf file:

[Definition]
failregex = ^<HOST> .*POST .*xmlrpc\.php.*
ignoreregex =

Save the file; now it's time to start up the process.

sudo systemctl restart fail2ban

Excellent!! It is now running. If you want to check the status of fail2ban to see whether it has picked anything up, use the status command:

sudo fail2ban-client status xmlrpc

That will show you output that looks like this:

[root@server log]# fail2ban-client status xmlrpc
Status for the jail: xmlrpc
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 463
|  `- File list:    /var/log/httpd/access_log
`- Actions
   |- Currently banned: 1
   |- Total banned: 1
   `- Banned IP list:   185.106.92.245

You can see that I have one troublemaker that needed to be banned. fail2ban keeps re-checking the log: when the bantime expires it removes the ban, and if the same host trips the filter again it bans it again.
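To see exactly what the filter above counts before you turn it on, here is a small added example (mine, not part of fail2ban or the original post) that applies the page's failregex and maxretry = 2 to some constructed access_log lines. The expansion of <HOST> to an IPv4 capture group is a simplification; fail2ban's real tag also matches IPv6 addresses and hostnames, and fail2ban additionally only counts matches within its findtime window, which is omitted here.

```python
import re
from collections import defaultdict

# The page's failregex, with fail2ban's <HOST> tag expanded to a capture group
# for an IPv4 address (simplified; the real tag also matches IPv6/hostnames).
FAILREGEX = r"^(?P<host>\d{1,3}(?:\.\d{1,3}){3}) .*POST .*xmlrpc\.php.*"
FAIL_RE = re.compile(FAILREGEX)

MAXRETRY = 2  # same value as the page's jail.local

# Constructed Apache combined-format access_log lines (documentation IPs).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Oct/2023:13:55:37 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Oct/2023:13:55:39 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "curl/7.68"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:13:55:41 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def match_failures(log_text):
    """Count matching lines per host, the way the jail's filter tallies 'failed'."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            counts[m.group("host")] += 1
    return dict(counts)


def hosts_to_ban(log_text, maxretry=MAXRETRY):
    """Hosts whose failure count has reached maxretry; fail2ban bans at >= maxretry."""
    return sorted(h for h, n in match_failures(log_text).items() if n >= maxretry)


if __name__ == "__main__":
    print(match_failures(SAMPLE_LOG))   # {'203.0.113.7': 3}
    print("would ban:", hosts_to_ban(SAMPLE_LOG))   # ['203.0.113.7']
```

Note that the regex counts every POST to xmlrpc.php, legitimate Jetpack or WordPress mobile-app traffic included, so with maxretry = 2 those clients get banned just as quickly as an attacker.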

Have fun fail2banning things!