AgilisIT

Hey

Ah okay so yeah as others have pointed out, it’s a whole different game at that point.

Viktor’s last link will work really well if you only have one CF account, however if this is for a multi-user site, the solution will not work. The key in what he has though, is making WP failed logins and xmlrpc attacks log to the system log, so fail2ban can pick them up.

What we have with Fail2Ban + Apache + CF is a mod_security rule that blocks the visitors IP, and there is a fail2ban action that triggers the rule. You cannot use iptables as that’s layer 3 and only see’s the CF IP.

Being nginx, I don’t think you can use mod_security, but there’s probably a way to configure an X-Forwarded-For IP blacklist that nginx uses and fail2ban just to append to that list.

Another option would be that you modify wp-fail2ban to also log the users email and API key, and then setup a fail2ban action that reads that token from the log and uses it in action_ban and action_unban. Sort of like the f2b-tarpit-CF-apache-WP-LLA-itsec-LSEC link above.

We’ve been working on a WordPress plugin that does login/xmlrpc syslogging, user-agent and username blocking, along with CF integration, however it’s not quite complete yet. When it is I’ll share the source code here or put it in the WordPress directory. Hopefully we could all start working it and build something really powerful.

Cheers

Hey Damian,

Yeah we would be happy to help you out – want to PM me some more details and I’ll send you some instructions specific to your situation?

eg: operating system and version, use case, server type, etc.

Cheers

Hi,

When I get the CF API working reliably I will, I don’t want to share shoddy code. Haha.

The main bit that’s working well is an action that logs IPS to a file, then a WP filter that prevents PHP execution:

actionban = echo <ip> | awk -F\. '{print ($4)+($3*256)+($2*256*256)+($1*256*256*256) d}' "d=,$(date)" >> /etc/agilis-banned-ips

(storing in int format for speed)

function agilis_login_filter_ips() {
        $handle = fopen("/etc/agilis-banned-ips", "r");

        if($handle) {
                while(($line = fgets($handle)) !== false) {
                        $linearray = explode(',', $line);
                        if(count($linearray) > 0 && ip2long(agilis_get_ip()) == $linearray[0]) {
                                echo '<h2>Banned</h2>';
                                echo '<p><strong>IP:</strong> ' . long2ip($linearray[0]) . '</p>';
                                if(count($linearray) > 1) { echo '<p><strong>Since:</strong> ' . $linearray[1] . '</p>'; }
                                echo '<br/><em>Agilis Login Filter</em>';
                                if(function_exists('http_response_code')) {
                                        http_response_code(503);
                                } else {
                                        header((isset($_SERVER['SERVER_PROTOCOL']) ? $_SERVER['SERVER_PROTOCOL'] : 'HTTP/1.0') . ' 503 Service Unavailable');
                                        $GLOBALS['http_response_code'] = 503;
                                }
                                exit;
                        }
                }
        } else {
                echo 'Error reading file';
        }

        fclose($handle);
}
add_action('login_form_login', 'agilis_login_filter_ips');

Hi,

Fix and fixed – mod_cloudflare makes Apache2 log the real visitor IP. Then we’ve mad a fail2ban action that bans the IP using the CF API since iptables is no longer effective.

Thanks