WordPress Fail2Ban Cron Attack Configuration

December 24, 2016
WordPress Apache Security

Noticed that a new kind of attack has started to occur on Apache2 WordPress servers that the default Fail2Ban configuration does not discover.

Attacks are aimed towards cron.php.
If you find something like this in /var/log/apache2/access.log:
POST /wp-cron.php?doing_wp_cron=1482585007.5419580936431884765625 HTTP/1.1

Solution / Fix
Edit /etc/fail2ban/jail.config and add this at the bottom:

[cron]
enabled = true
filter = cron
action = iptables[name=cron, port=http, protocol=tcp]
logpath = /var/log/apache2/access.log
bantime = 43600
maxretry = 2

Create the file /etc/fail2ban/filter.d/cron.conf and add this:

[Definition]
failregex = ^<HOST> .*POST .*wp-cron\.php.*
ignoreregex =

Open up SSH and run service fail2ban restart
To check the status, run tail -f /var/log/fail2ban.log

Extra
XMLRPC attacks are nothing new, but I put the config for them here also.

Edit /etc/fail2ban/jail.config and add this at the bottom:

[xmlrpc]
enabled = true
filter = xmlrpc
action = iptables[name=xmlrpc, port=http, protocol=tcp]
logpath = /var/log/apache2/access.log
bantime = 43600
maxretry = 2

Create the file /etc/fail2ban/filter.d/xmlrpc.conf and add:

[Definition]
failregex = ^<HOST> .*POST .*xmlrpc\.php.*
ignoreregex =

Restart fail2ban again for the settings to become active.
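
Added example, not part of the original post: a Python dry run of the two failregex lines above against constructed access.log entries, showing which addresses reach maxretry = 2. Assumptions: the <HOST> tag is approximated with an IPv4-only pattern, findtime is ignored, all addresses and timestamps are made up, and 192.0.2.10 stands for the server's own address sending WordPress's scheduled wp-cron.php requests to itself.

```python
import re
from collections import Counter

# Simplified stand-in for fail2ban's <HOST> tag (assumption: IPv4 only;
# the real tag also covers IPv6 addresses and hostnames).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# failregex lines copied from the cron and xmlrpc filters in the post.
FILTERS = {
    "cron": r"^<HOST> .*POST .*wp-cron\.php.*",
    "xmlrpc": r"^<HOST> .*POST .*xmlrpc\.php.*",
}
MAXRETRY = 2  # value used by both jails in the post

# Constructed access.log lines (documentation address ranges, made-up times).
SAMPLE_LOG = """\
203.0.113.7 - - [24/Dec/2016:13:10:07 +0000] "POST /wp-cron.php?doing_wp_cron=1482585007.5419580936431884765625 HTTP/1.1" 200 0 "-" "-"
203.0.113.7 - - [24/Dec/2016:13:10:08 +0000] "POST /wp-cron.php?doing_wp_cron=1482585008.1000000000000000000000 HTTP/1.1" 200 0 "-" "-"
198.51.100.9 - - [24/Dec/2016:13:11:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
198.51.100.9 - - [24/Dec/2016:13:11:01 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "-"
192.0.2.10 - - [24/Dec/2016:13:12:00 +0000] "POST /wp-cron.php?doing_wp_cron=1482585120.0000000000000000000000 HTTP/1.1" 200 0 "-" "WordPress/4.7; http://example.com"
192.0.2.10 - - [24/Dec/2016:13:13:00 +0000] "POST /wp-cron.php?doing_wp_cron=1482585180.0000000000000000000000 HTTP/1.1" 200 0 "-" "WordPress/4.7; http://example.com"
192.0.2.50 - - [24/Dec/2016:13:14:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

def count_failures(log_text, failregex, ignoreip=()):
    """Count matching lines per client address, skipping ignored addresses."""
    rx = re.compile(failregex.replace("<HOST>", HOST))
    hits = Counter()
    for line in log_text.splitlines():
        m = rx.search(line)
        if m and m.group("host") not in ignoreip:
            hits[m.group("host")] += 1
    return hits

def would_ban(log_text, failregex, maxretry=MAXRETRY, ignoreip=()):
    """Addresses whose match count reaches maxretry (findtime not modelled)."""
    hits = count_failures(log_text, failregex, ignoreip)
    return sorted(host for host, n in hits.items() if n >= maxretry)

if __name__ == "__main__":
    print("cron, no ignoreip:", would_ban(SAMPLE_LOG, FILTERS["cron"]))
    print("cron, server ignored:",
          would_ban(SAMPLE_LOG, FILTERS["cron"], ignoreip=("192.0.2.10",)))
    print("xmlrpc:", would_ban(SAMPLE_LOG, FILTERS["xmlrpc"]))
```

In this sample the cron filter also matches the server's own address, so check the jail's ignoreip setting before enabling it; on a live host, fail2ban-regex can run the real filter file against the real log.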

1 Answer
ryanpq MOD December 27, 2016
Accepted Answer

Thanks for sharing this!
