Question
I've been flooded with POST requests at /wp-login.php
Today and in the past few days I’ve been often flooded with POST requests that look like this:
181.165.120.195 - - [02/Sep/2014:18:36:17 +0200] "POST /wp-login.php HTTP/1.0" 302 0 "-" "-"
181.165.120.195 - - [02/Sep/2014:18:36:19 +0200] "POST /wp-login.php HTTP/1.0" 302 0 "-" "-"
181.165.120.195 - - [02/Sep/2014:18:36:32 +0200] "POST /wp-login.php HTTP/1.0" 302 0 "-" "-"
181.165.120.195 - - [02/Sep/2014:18:36:33 +0200] "POST /wp-login.php HTTP/1.0" 302 0 "-" "-"
181.165.120.195 - - [02/Sep/2014:18:36:34 +0200] "POST /wp-login.php HTTP/1.0" 302 0 "-" "-"
These kinds of requests use significant resources on my server, and the PHP process is constantly using CPU cycles.
I’ve tried manually banning the IP address, but I had no luck. I’ve tried using the ngx_http_limit_req_module, but again no luck. I’ve found a tutorial on how to set up a fail2ban filter to catch these kinds of requests from the access logs, but again no luck.
Today this IP flooded me with over 50.000 reqs and I needed to shut down the server for half an hour so it can stop.
Is there any proper automatic way to set up so the server can detect and block IP addresses that flood the server with requests like these? I don’t want to use WordPress plugins or anything like that, since I have a couple of sites installed and I don’t want to install security plugins to each of them.
Here’s the fail2ban filter I have added:
[Definition]
failregex = ^<HOST> .* "POST /wp-login.php
ignoreregex =
And here’s the rule implemented in jail.local:
[wp-auth]
enabled = true
filter = wp-auth
action = iptables-multiport[name=NoAuthFailures, port="http,https"]
maxretry = 2
But I had no luck with this.
Any suggestions?
Password protect wp-login.php. See guide below for your existing environment.
https://www.digitalocean.com/community/tutorials/how-to-set-up-http-authentication-with-nginx-on-ubuntu-12-10
Or install a similar plugin as below to protect wp-login.php/wp-admin dir
http://wordpress.org/plugins/stealth-login-page/
Cheers,
Gio
PS: I use csf firewall for easy setup, blocking and detection of such similar abuse.
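
The per-IP detection the question asks for, as an added example that is not part of the original thread and is not fail2ban's own code: it counts POST requests to /wp-login.php per client IP in a sliding window, modelled on fail2ban's maxretry and findtime settings. The function name find_flooders, the 600-second window and the log lines beyond the five quoted in the question are assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# First five lines are the ones quoted in the question; the rest are constructed.
SAMPLE_LOG = '''\
181.165.120.195 - - [02/Sep/2014:18:36:17 +0200] "POST /wp-login.php HTTP/1.0" 302 0 "-" "-"
181.165.120.195 - - [02/Sep/2014:18:36:19 +0200] "POST /wp-login.php HTTP/1.0" 302 0 "-" "-"
181.165.120.195 - - [02/Sep/2014:18:36:32 +0200] "POST /wp-login.php HTTP/1.0" 302 0 "-" "-"
181.165.120.195 - - [02/Sep/2014:18:36:33 +0200] "POST /wp-login.php HTTP/1.0" 302 0 "-" "-"
181.165.120.195 - - [02/Sep/2014:18:36:34 +0200] "POST /wp-login.php HTTP/1.0" 302 0 "-" "-"
203.0.113.7 - - [02/Sep/2014:18:40:01 +0200] "GET /wp-login.php HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Sep/2014:18:40:10 +0200] "POST /wp-login.php HTTP/1.1" 200 2480 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Sep/2014:18:40:30 +0200] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.20 - - [02/Sep/2014:18:41:00 +0200] "POST /wp-login.php.bak HTTP/1.1" 404 162 "-" "-"
198.51.100.20 - - [02/Sep/2014:18:41:05 +0200] "POST /wp-login.php HTTP/1.1" 200 2480 "-" "-"
'''

# Access-log prefix as shown in the question: client IP, timestamp, method, path.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)')

def find_flooders(lines, max_retry=2, find_time=timedelta(seconds=600)):
    """Map each offending IP to the time it first reached max_retry POSTs
    to /wp-login.php within find_time. Assumes lines are in time order."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue              # GETs of the login form are not attempts
        # Compare the path exactly (query string stripped) so that
        # /wp-login.php.bak or /wp-loginXphp are not counted.
        if m["path"].split("?", 1)[0] != "/wp-login.php":
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits = recent[m["ip"]]
        hits.append(ts)
        while ts - hits[0] > find_time:   # drop hits older than the window
            hits.popleft()
        if len(hits) >= max_retry and m["ip"] not in flagged:
            flagged[m["ip"]] = ts
    return flagged

if __name__ == "__main__":
    for limit in (2, 5):
        print(limit, sorted(find_flooders(SAMPLE_LOG.splitlines(), max_retry=limit)))
```

With the question's maxretry = 2, the constructed client 203.0.113.7, which submits the login form twice, is flagged alongside 181.165.120.195; a threshold of 5 flags only the flooding address.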