
Block Brute Force Wordpress Password attacks

abstract: These files are not specific to rhocoin. They are a collection of notes on setting up operating systems and tools. Every time I mess around and encounter some grief, I add to this pile of notes, which has become inconveniently long and needs to be broken up.

1 backdoors

To find all IPs that are hitting wp-login:

# Unique client addresses (first log field, the client address in the default
# log format) that touched wp-login, across the current and previous log.
awk '/wp-login/ { print $1 }' /var/log/nginx/access.log /var/log/nginx/access.log.1 | sort -u

then edit them into the block list with `nano /etc/nginx/sites-enabled/config`.

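    # Known probe and alternate-login targets: close the connection without a
    # response (444). The block must be closed with its own brace, otherwise
    # the snippet cannot be pasted into a server block as-is.
    location ~* ^/(wp-config\.php|xmlrpc\.php|wp-includes/.*\.php|\.htaccess|\.git) {
        return 444;
    }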

causes all requests to those attack points to be silently ignored (status 444 makes nginx close the connection without sending a response).

xmlrpc.php is a backdoor login, and the others are probes to find backdoor logins.

But we still have to block attempts to break in through the normal login page, IP by IP.

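location = /wp-login.php {
    # Drop the connection for addresses that the $block_login_post geo map
    # flags (the map is defined in the full configuration below).
    if ($block_login_post) {
        return 444;
    }
    # Addresses not (yet) on the list are throttled by the wp_get_limit zone
    # from the full configuration, so password guessing from a new source is
    # slowed down before anyone gets round to adding it to the block list.
    # The zone is shared with "location /", so page loads count too.
    limit_req zone=wp_get_limit burst=5 nodelay;
    # Otherwise hand the request to PHP-FPM as usual.
    include snippets/fastcgi-php.conf;
    fastcgi_pass unix:/run/php/php-fpm.sock;
}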

2 full nginx configuration

# Per-client rate zone keyed on the client address: 2m of shared memory,
# 10 requests per minute. Applied below in "location /" of the blog server.
limit_req_zone $binary_remote_addr zone=wp_get_limit:2m rate=10r/m;
# A new, much stricter zone for admin and login areas. Disabled, together with
# the wp-admin location further down that would reference it; nginx rejects a
# limit_req that names a zone which is not defined, so enable both or neither.
#limit_req_zone $binary_remote_addr zone=wp_admin_limit:1m rate=7r/m; # 7 requests per minute!
# Define a variable $block_login_post.
# It will be set to 1 for IPs we want to block, and 0 for all others.
geo $block_login_post {
    # Longest prefix wins, so a host listed inside a range that is also listed
    # (e.g. 141.98.11.44 within 141.98.11.0/24) is redundant but harmless.
    # geo matches on $remote_addr; if a proxy or CDN were placed in front of
    # nginx, the proxy/proxy_recursive parameters would be needed or every
    # client would look like the proxy. Nothing in this file shows a proxy.
    # The address list could also live in its own file pulled in with
    # "include", so the site config need not be edited for every new address.
    default 0;
103.132.182.0/24        1;
103.177.150.0/24        1;
103.204.76.0/24         1;
104.244.72.17           1;
104.244.72.193          1;
104.244.73.57           1;
104.244.74.116          1;
104.244.78.206          1;
104.244.78.229          1;
107.189.1.5             1;
107.189.11.185          1;
107.189.12.15           1;
107.189.12.178          1;
107.189.13.175          1;
107.189.14.134          1;
107.189.14.208          1;
107.189.14.25           1;
107.189.28.60           1;
107.189.30.207          1;
107.189.31.198          1;
107.189.4.81            1;
107.189.5.102           1;
107.189.5.134           1;
107.189.6.47            1;
107.189.7.132           1;
107.189.7.61            1;
108.160.134.0/24        1;
128.24.107.65           1;
141.98.11.0/24          1;
141.98.11.44            1;
143.44.185.36           1;
147.185.132.15          1;
156.241.218.187         1;
16.16.162.0/24          1;
162.216.149.37          1;
166.0.151.204           1;
167.160.58.65           1;
172.56.218.141          1;
178.128.116.198         1;
185.212.169.0/24        1;
185.252.223.0/24        1;
185.77.217.0/24         1;
185.91.69.0/24          1;
198.98.48.0/20          1;
198.98.53.242           1;
198.98.55.213           1;
198.98.59.143           1;
198.98.60.216           1;
198.98.62.116           1;
199.195.248.0/24        1;
20.57.117.169           1;
205.185.114.63          1;
205.185.120.118         1;
205.185.120.218         1;
205.185.121.77          1;
205.185.127.199         1;
209.141.34.83           1;
209.141.47.135          1;
209.141.52.237          1;
209.141.54.165          1;
209.141.57.89           1;
209.141.60.77           1;
209.141.61.31           1;
209.141.61.56           1;
209.97.179.0/24         1;
217.64.126.0/24         1;
217.71.200.0/24         1;
27.124.71.200           1;
2a09:bac1:b00:518::0/64 1;
2a09:bac5:481:16aa::0/64    1;
3.143.7.0/24            1;
3.145.141.0/24          1;
4.241.111.42            1;
43.139.153.132          1;
45.135.232.178          1;
45.32.31.0/24           1;
45.61.184.0/24          1;
45.61.186.0/24          1;
45.61.188.233           1;
45.88.97.84             1;
5.254.112.104           1;
51.79.229.0/24          1;
52.138.216.201          1;
52.143.130.125          1;
52.178.193.251          1;
64.225.20.0/24          1;
64.31.27.0/24           1;
77.232.38.109           1;
84.37.141.3             1;
87.250.224.83           1;
89.187.162.104          1;
89.187.162.182          1;
92.205.167.0/24         1;
95.108.213.88           1;
95.134.63.118           1;
}
# Catch-all: a server with neither listen nor server_name binds *:80 (IPv4,
# when nginx runs as root) and, being the first such block in the file, is the
# default for that socket, so requests whose Host matches nothing below are
# redirected to the canonical site. There is no equivalent default on 443, so
# the same requests over TLS would land in the first 443 server below (the
# blog) — worth checking whether that is intended.
server { return 301 $scheme://reaction.la$request_uri; }
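server {
    server_name blog.reaction.la;
    root /var/www/blog.reaction.la;
    # Stated once; the original repeated this directive, which only lists
    # the same candidates twice.
    index index.php index.html;

    # The normal login page. Connections from addresses flagged in the
    # $block_login_post geo map are closed without a response (444).
    # Addresses not on that list are throttled by the wp_get_limit zone so a
    # source that has not been listed yet cannot submit passwords at full
    # speed. The zone is shared with "location /" below, so page loads and
    # login attempts from one client count against the same budget.
    location = /wp-login.php {
        if ($block_login_post) {
            return 444;
        }
        limit_req zone=wp_get_limit burst=5 nodelay;
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }

    # Known probe and alternate-login targets: close the connection silently.
    # Regex locations are tried in file order, so this must stay ahead of the
    # generic \.php$ handler below or wp-includes/*.php would reach PHP-FPM.
    # Not covered here: PHP files under wp-content/uploads still reach the
    # generic handler.
    location ~* ^/(wp-config\.php|xmlrpc\.php|wp-includes/.*\.php|\.htaccess|\.git) {
        return 444;
    }

    # Stricter limit for wp-login and wp-admin. Disabled together with the
    # wp_admin_limit zone at the top of the file; enable both or neither,
    # since nginx rejects a limit_req that names an undefined zone.
    #   location ~ ^/(wp-login\.php|wp-admin/|wp-admin$) {
    #        limit_req zone=wp_admin_limit burst=7 nodelay;
    #        include snippets/fastcgi-php.conf;
    #        fastcgi_pass unix:/run/php/php-fpm.sock;
    #        # You can also add HTTP auth here for extra security
    #    }

    # Front controller: anything that is not a real file or directory is
    # handed to index.php, after being counted against the per-client zone.
    location / {
        limit_req zone=wp_get_limit burst=10 nodelay;
        # try_files $uri $uri/ =404;
        try_files $uri $uri/ /index.php$is_args$args;
    }
    # Generic PHP handler. Whether requests for non-existent PHP files (or
    # PATH_INFO tricks) are rejected depends on snippets/fastcgi-php.conf,
    # which is not shown here.
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
    location = /favicon.ico { access_log off; }
    location = /robots.txt { access_log off; allow all; }
    location ~* \.(css|gif|ico|jpeg|jpg|js|png)$ {
        expires max;
    }

    listen [::]:443 ssl; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/reaction.la/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/reaction.la/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}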
# Main site: plain PHP/static vhost, served over TLS only.
server {
    server_name reaction.la;
    root /var/www/reaction.la;
    index index.php index.html;

    # No front-controller fallback here: unknown paths are a 404 rather
    # than being handed to index.php.
    location / { try_files $uri $uri/ =404; }
    # Generic PHP handler; what snippets/fastcgi-php.conf does is not shown.
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
    location = /favicon.ico { access_log off; }
    location = /robots.txt { access_log off; allow all; }
    # Static assets: long client-side caching.
    location ~* \.(css|gif|ico|jpeg|jpg|js|png)$ { expires max; }

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/reaction.la/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/reaction.la/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
# Collapse any sub-domain of the blog onto the canonical host. With no
# listen directive this block only takes part on the implicit *:80 socket;
# the redirect keeps whatever scheme the request arrived with.
server {
    server_name *.blog.reaction.la;
    return 301 $scheme://blog.reaction.la$request_uri;
}

# Port-80 side of reaction.la: the canonical host is redirected to HTTPS,
# anything else that reaches this block gets a 404. The markers indicate
# Certbot wrote these lines; it may rewrite them on its next run, so hand
# edits are better kept out of this block (unverified).
server {
    if ($host = reaction.la) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen 80;
    listen [::]:80;
    server_name reaction.la;
    return 404; # managed by Certbot
}

# Port-80 side of blog.reaction.la: the canonical host is redirected to
# HTTPS, anything else that reaches this block gets a 404. The markers
# indicate Certbot wrote these lines; it may rewrite them on its next run,
# so hand edits are better kept out of this block (unverified).
server {
    if ($host = blog.reaction.la) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen 80;
    listen [::]:80;
    server_name blog.reaction.la;
    return 404; # managed by Certbot


}

3 finding ips that need blocking

Your configuration files (the `access_log` directive) will show where the access logs are.
