
Block WordPress Attackers With IPTables

Submitted by on September 23, 2014 – 3:56 pm

After installing Logstash, I noticed server load went from around 1.2 to 50+. This was caused by a brute-force attack against WordPress wp-login.php from some IP in France (of all places). Logstash should not be reachable from the outside, yet something in that setup still advertised the server's IP to the attackers. So, just, beware.

When checking /var/log/httpd/${domain}/access_log, you may notice multiple entries along the lines of:

46.105.113.8 - - [22/Sep/2014:19:42:16 -0400] "POST //wp-login.php HTTP/1.1" 200 5018 "-" "Mozilla/5.0 (X11; U; Linux i686; pt-BR; rv:1.9.0.15) Gecko/2009102815 Ubuntu/9.04 (jaunty) Firefox/3.0.15"

Hundreds of these from one address, a few seconds apart, are indicative of a brute-force attack against your WordPress installation. Against an account with a strong, unique password the risk of a successful login is low, but the server load this generates can be substantial: every POST to wp-login.php runs PHP and queries the database, so a few requests per second from one client is enough to drive the load average up.
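The counting step is where a quick grep goes wrong: `fgrep -c 46.105.113.8` over the whole log also counts lines where the address appears in a referer or in a longer address such as 46.105.113.80, and it counts GETs of the login form as well as POSTs. The function below is an added example (not the post's script) that does the per-IP count in one awk pass over Apache combined-format access logs, matching the client IP as the whole first field and counting only POST requests whose path contains wp-login.php. The threshold value and the sample log lines are constructed for the demonstration; the addresses are documentation ranges, not real attackers.

```shell
#!/bin/sh
# Added example: count POST requests to wp-login.php per client IP in
# Apache combined-format access logs and report the IPs at or above a
# threshold, most active first.
#
# Usage: wp_login_hits THRESHOLD < access_log
#    or: cat /var/log/httpd/*/access_log | wp_login_hits 500
# Output: one "IP COUNT" line per offending address, highest count first.
wp_login_hits() {
    threshold="${1:-500}"
    awk -v threshold="$threshold" '
        # Combined log format: $1 is the client IP, $6 is the method
        # (with the opening quote of the request line), $7 the path.
        # Only POSTs are login attempts; a GET just loads the form.
        $6 == "\"POST" && $7 ~ /\/wp-login\.php/ { hits[$1]++ }
        END {
            for (ip in hits)
                if (hits[ip] >= threshold)
                    printf "%s %d\n", ip, hits[ip]
        }' | sort -k2,2nr -k1,1
}

# Constructed sample log (documentation addresses, not real traffic).
# 192.0.2.10 makes three POSTs; 192.0.2.100 makes one; 198.51.100.7 only
# GETs the form and then loads a page whose referer mentions 192.0.2.10,
# which a substring grep for 192.0.2.10 would wrongly count.
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [22/Sep/2014:19:42:16 -0400] "POST //wp-login.php HTTP/1.1" 200 5018 "-" "Mozilla/5.0"
192.0.2.10 - - [22/Sep/2014:19:42:17 -0400] "POST //wp-login.php HTTP/1.1" 200 5018 "-" "Mozilla/5.0"
192.0.2.10 - - [22/Sep/2014:19:42:18 -0400] "POST /wp-login.php?action=login HTTP/1.1" 200 5018 "-" "Mozilla/5.0"
192.0.2.100 - - [22/Sep/2014:19:43:00 -0400] "POST /wp-login.php HTTP/1.1" 200 5018 "-" "Mozilla/5.0"
198.51.100.7 - - [22/Sep/2014:19:44:00 -0400] "GET /wp-login.php HTTP/1.1" 200 5018 "-" "Mozilla/5.0"
198.51.100.7 - - [22/Sep/2014:19:44:01 -0400] "GET /index.php HTTP/1.1" 200 1234 "http://192.0.2.10/wp-login.php" "Mozilla/5.0"
EOF
}

# Demo: with a threshold of 2 only 192.0.2.10 is reported.
sample_log | wp_login_hits 2
```

Run it against the real logs with `cat /var/log/httpd/*/access_log | wp_login_hits 500`; the output feeds straight into whatever blocking step you prefer. Because the match is on the whole first field, 192.0.2.10 and 192.0.2.100 are counted separately, and the referer mention of 192.0.2.10 on the last line is ignored.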

Below is a quick script that will scan the access_logs in your /var/log/httpd/${domain} folders and use iptables to block particularly persistent attackers. It has to run as root (for iptables), so it creates its scratch file with mktemp rather than a fixed name in /tmp, inserts the DROP rules at the top of the INPUT chain so an earlier ACCEPT for port 80 does not shadow them, and skips addresses that are already blocked so it can be run repeatedly from cron.

The script uses "geoiplookup" from the GeoIP package to print the attacker's country. This is optional; if you don't have it installed, remove that call from the script:

# rpm -qa | grep -i geo
perl-Geo-IP-1.38-6.el6.x86_64
GeoIP-1.4.8-1.el6.x86_64

Parameters you may want to modify:
# list IP addresses to exclude from iptables blacklist
exclude_list="123.123.123.123 123.123.123.124"

# Specify the threshold for wp-login.php connections from one IP
threshold=500

And the script itself:
#!/bin/ksh
#                                      |
#                                  ___/"\___
#                          __________/ o \__________
#                            (I) (G) \___/ (O) (R)
#                                   Igor Os
#                            igor@comradegeneral.com
#                                 2014-09-23
# ----------------------------------------------------------------------------
# Block Wordpress wp-login.php attackers
#

configure() {
	# IP addresses never to block (your own, monitoring hosts, etc.)
	exclude_list="123.123.123.123 123.123.123.124"
	# Block an IP once it has requested wp-login.php this many times
	threshold=500
	# Apache log root; each vhost keeps its access_log under here
	logdir="/var/log/httpd"
	# Scratch file: mktemp, so a predictable name in /tmp cannot be
	# pre-created or symlinked by another local user before root writes it
	tf=$(mktemp /tmp/httpd_access_count.XXXXXX) || exit 1
	trap '/bin/rm -f "${tf}"' EXIT
}

check_logs() {
	# One pass over all access_logs: keep only lines requesting wp-login.php,
	# count per client IP (first field) and report IPs at or above the
	# threshold. Matching the whole field avoids the substring problem of
	# "fgrep -c" (1.2.3.4 also matching 11.2.3.45 or a referer).
	grep -h "wp-login.php" $(find "${logdir}" -type f -name access_log) \
	| awk -v threshold="${threshold}" '
		{ hits[$1]++ }
		END { for (ip in hits) if (hits[ip] >= threshold) print ip, hits[ip] }' \
	| while read ip k
	do
		# geoiplookup is optional: without it use country="-"
		country=$(geoiplookup "${ip}" | sed 's/GeoIP Country Edition: //')
		echo "${ip}@${country}@${k}" | tee -a "${tf}"
	done
}

block_iptables() {
	if [ -s "${tf}" ]
	then
		sort -rn -t "@" -k3,3 "${tf}" | while read line
		do
			ip=$(echo "${line}" | awk -F'@' '{print $1}')
			country=$(echo "${line}" | awk -F'@' '{print $2}')
			hits=$(echo "${line}" | awk -F'@' '{print $3}')
			# -w: match the whole address, so excluding 10.0.0.1 does not
			# also exclude 10.0.0.10
			if echo "${exclude_list}" | grep -qFw "${ip}"
			then
				echo "Skipping excluded IP ${ip} (${hits} login attempts)."
				continue
			fi
			# Skip addresses already dropped in INPUT so reruns from cron
			# do not pile up duplicate rules
			if /sbin/iptables -nL INPUT | awk '$1 == "DROP" {print $4}' | grep -qx "${ip}"
			then
				continue
			fi
			echo "Blocking IP ${ip} from ${country} after ${hits} login attempts."
			# -I (insert at the top), not -A: an appended DROP lands after any
			# earlier ACCEPT for port 80 or ESTABLISHED traffic and never fires
			/sbin/iptables -I INPUT -s "${ip}" -j DROP
		done
		/sbin/service iptables save
	fi
}

# RUNTIME

configure
check_logs
block_iptables
