Contact Menu

WordPress Fail2Ban RegEx for RedHat, CentOS, Amazon Linux

VacantServer WordPress sites are getting hammered with bad logins and probes.

We’ve implemented a plugin to log failed login attempts to syslog, and a Fail2Ban filter for the same. If you run these on RedHat, you’ll need some additional configuration info… here it is:

WordPress login failure regex (error_log):

Apache nohome regex (error_log):

PHP noscript regex (/home/*/logs/error_log,/var/log/httpd/error_log):

XMLRPC flood attacks — DDoS and probing (/home/*/logs/access_log):

Please also enable the generic apache-nohome, apache-noscript. Install wp fail2ban plugin (and configure it for your server) on your high traffic blogs. These all are helping during the current onslaught, which also includes probing for wp-admin directories, probing for /wp-admin/login.php, plus comment spam.

A new XMLRPC exploit has the script kiddies doing DDoS and probing for vulnerable services, and possibly doing remote code execution on vulnerable services.

Here are some additional resources:

No comments yet.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.