I’ve got a server running a bunch of WordPress sites, and each of these sites refuses logins from IPs after a number of failed logins. The steps are as follows:
- 3 failed logins from an IP = WP refuses logins from this IP for 10 mins (level 1 lockout)
- On the 2nd level 1 lockout, this moves to level 2, upon which the IP is refused for 1 hour
Additionally, the WP security plugin writes to a file on the server (Level 3?). This means we can pool data across sites hosted on that server. Now using Fail2Ban we look for 3 level 3 lockouts within 1 month and then ban at server level for 3 months.
However, the WP plugins are still showing repeat new lockouts for these same IP addresses. This means that the perpetrator is still gaining access to sites hosted on this server.
If I look in the server logs I can see that the lockouts are being written to the correct file. I can also see that Fail2Ban and the relevant jail/actions are detecting the repeat IPs/offender(s) and banning them.
Now, if I run the following command:
I get output similar to this (edited for brevity):

    Chain INPUT (policy ACCEPT)
    target            prot opt source     destination
    f2b-WordPress     tcp  --  anywhere   anywhere      multiport dports http,https
    f2b-Http-Get-Dos  tcp  --  anywhere   anywhere      multiport dports http,https
    .....

and further down:

    Chain f2b-WordPress (1 references)
    target  prot opt source                  destination
    REJECT  all  --  dedic980.hidehost.net   anywhere      reject-with icmp-port-unreachable
    REJECT  all  --  dedic693.hidehost.net   anywhere      reject-with icmp-port-unreachable
    RETURN  all  --  anywhere                anywhere

So, I can see that my jail is being triggered, and that the hostnames related to the IPs used are being rejected, but the user is still gaining access to the server on the same IPs that have been used repeatedly. So, clearly they are still getting access to the sites on the server and are trying to brute force their way into the site admins.
This needs to be stopped, asap.
So, my assumption is that iptables is blocking the hostname and not the IP. Since this hostname appears to be from a service designed to hide real hostnames, I figured this is the cause of the problem, i.e. iptables is blocking the wrong hostname. But perhaps I’m wrong here… I’d welcome a better solution if that’s the case.
On that basis I’ve edited /etc/fail2ban/jail.conf as follows (I know I should create a local version):

    # "usedns" specifies if jails should trust hostnames in logs,
    #   warn when DNS lookups are performed, or ignore all hostnames in logs
    #
    # yes:   if a hostname is encountered, a DNS lookup will be performed.
    # warn:  if a hostname is encountered, a DNS lookup will be performed,
    #        but it will be logged as a warning.
    # no:    if a hostname is encountered, will not be used for banning,
    #        but it will be logged as info.
    # usedns = warn
    usedns = no

Then, I saved everything and restarted the fail2ban service. The log files suggest that everything is running fine and that the wordpress jail did its job and banned the 2 IPs being used by this particular person.
Another look at iptables -L, however, shows that the hostname has been blocked and not the IPs…
So, what do I do now?
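
A check for the situation described in the post above, as an added example that is not part of the original post: `iptables -L` reverse-resolves stored addresses to names for display unless `-n` is given, so this script reads the chain in `iptables -S` form (always numeric) and lists lockout IPs that no REJECT/DROP rule covers. The `ip=` lockout-file format, the function names and all sample addresses are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. The lockout-file format
# ("... ip=ADDR ...") is an assumption; adapt lockout_ips to the real file.

# Constructed sample of what `iptables -S f2b-WordPress` prints.
SAMPLE_RULES='-N f2b-WordPress
-A f2b-WordPress -s 203.0.113.10/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-WordPress -s 203.0.113.77/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-WordPress -j RETURN'

# Constructed sample lockout file (hypothetical format).
SAMPLE_LOCKOUTS='2024-05-01 10:00:00 level3 ip=203.0.113.10 site=a.example
2024-05-01 10:05:00 level3 ip=198.51.100.4 site=b.example
2024-05-02 09:00:00 level3 ip=2001:db8::5 site=a.example'

# stdin: `iptables -S <chain>` output. Prints each source address that a
# REJECT or DROP rule matches, with the /32 host suffix stripped.
banned_ips() {
    awk '$1 == "-A" {
        src = ""; tgt = ""
        for (i = 3; i < NF; i++) {
            if ($i == "-s") src = $(i + 1)
            if ($i == "-j") tgt = $(i + 1)
        }
        if (src != "" && (tgt == "REJECT" || tgt == "DROP")) {
            sub(/\/32$/, "", src); print src
        }
    }' | sort -u
}

# stdin: lockout lines. Prints the unique addresses after "ip=".
lockout_ips() {
    sed -n 's/.* ip=\([^ ]*\).*/\1/p' | sort -u
}

# $1: rule text, $2: lockout text. Prints lockout IPs with no matching rule.
# IPv6 addresses always show up here: iptables rules only cover IPv4
# (IPv6 traffic is filtered by ip6tables).
not_banned() {
    banned=$(printf '%s\n' "$1" | banned_ips)
    printf '%s\n' "$2" | lockout_ips | while read -r ip; do
        printf '%s\n' "$banned" | grep -qxF -- "$ip" || printf '%s\n' "$ip"
    done
}

not_banned "$SAMPLE_RULES" "$SAMPLE_LOCKOUTS"
```

On a live server the first argument would be `"$(iptables -S f2b-WordPress)"` and the second the contents of the plugin's lockout file. An address that is in the chain yet keeps producing new lockouts means the traffic is not reaching that rule.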