Protecting WordPress services

    It is very common to see recurring accesses to wp-admin, wp-login, /wp-json/wp/v2/users and xmlrpc.php in the system logs. Some of them may be legitimate, others not:

    [Mon Apr 08 08:16:12.279696 2024] [access_compat:error] [pid 220119:tid 140560278955776] [client 172.71.178.136:43848] AH01797: client denied by server configuration: /var/www/html/xmlrpc.php
    [Mon Apr 08 08:19:23.621749 2024] [access_compat:error] [pid 220119:tid 140560287348480] [client 172.71.178.73:37464] AH01797: client denied by server configuration: /var/www/html/xmlrpc.php
    [Mon Apr 08 08:21:52.652599 2024] [access_compat:error] [pid 220119:tid 140560503379712] [client 172.71.178.68:45854] AH01797: client denied by server configuration: /var/www/html/xmlrpc.php
    [Mon Apr 08 08:24:15.256244 2024] [access_compat:error] [pid 220119:tid 140560270563072] [client 172.71.178.135:31928] AH01797: client denied by server configuration: /var/www/html/xmlrpc.php
    [Mon Apr 08 08:26:23.238243 2024] [access_compat:error] [pid 220339:tid 140560253843200] [client 172.71.178.158:53040] AH01797: client denied by server configuration: /var/www/html/xmlrpc.php
    [Mon Apr 08 08:26:49.235262 2024] [access_compat:error] [pid 220119:tid 140560511772416] [client 172.71.178.200:22220] AH01797: client denied by server configuration: /var/www/html/xmlrpc.php
    [Mon Apr 08 08:29:44.230423 2024] [access_compat:error] [pid 220117:tid 140560027338496] [client 172.71.178.68:60264] AH01797: client denied by server configuration: /var/www/html/xmlrpc.php
    [Mon Apr 08 08:31:28.219437 2024] [access_compat:error] [pid 220119:tid 140560469808896] [client 172.71.178.72:32100] AH01797: client denied by server configuration: /var/www/html/xmlrpc.php

    To keep this under control, Fail2Ban was installed, so we are going to add a filter and a jail:

    cat > /etc/fail2ban/filter.d/wordpress.conf <<EOF
    [Definition]
    failregex = <HOST>.*] "(GET|POST) .*/wp-admin HTTP
                <HOST>.*] "(GET|POST) .*/wp-admin/ HTTP
                <HOST>.*] "(GET|POST) .*/wp-login HTTP
                <HOST>.*] "(GET|POST) .*/wp-login/ HTTP
                <HOST>.*] "(GET|POST) .*/wp-login.php HTTP
                <HOST>.*] "(GET|POST) .*/xmlrpc.php HTTP
                <HOST>.*] "(GET|POST) .*/wp-json/wp/v2/users HTTP
    EOF

    cat > /etc/fail2ban/jail.d/wordpress.conf <<EOF
    [wordpress]
    enabled = true
    filter = wordpress
    port   = http,https
    banaction = iptables-multiport[name="WORDPRESS", port="http,https", protocol=tcp]
    maxretry = 2
    bantime  = 15m
    logpath  = %(apache_access_log)s
    EOF
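    To see what the filter above actually catches before enabling the jail, the following script (an added example, not part of the original post or of Fail2Ban) applies the same failregex lines to a few constructed Apache combined-format access log lines, counts hits per client address and reports which hosts would reach maxretry = 2. Two things are assumptions of this example: the dotted-IPv4 pattern substituted for <HOST> (Fail2Ban uses a broader regex of its own) and the log format, with the client IP as the first field. On a real server the equivalent check is `fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/wordpress.conf`.

```python
import re

# failregex lines copied from the /etc/fail2ban/filter.d/wordpress.conf above.
FAILREGEX_LINES = [
    r'<HOST>.*] "(GET|POST) .*/wp-admin HTTP',
    r'<HOST>.*] "(GET|POST) .*/wp-admin/ HTTP',
    r'<HOST>.*] "(GET|POST) .*/wp-login HTTP',
    r'<HOST>.*] "(GET|POST) .*/wp-login/ HTTP',
    r'<HOST>.*] "(GET|POST) .*/wp-login.php HTTP',
    r'<HOST>.*] "(GET|POST) .*/xmlrpc.php HTTP',
    r'<HOST>.*] "(GET|POST) .*/wp-json/wp/v2/users HTTP',
]

# Fail2Ban substitutes its own host pattern for <HOST>; this simplified
# dotted-IPv4 stand-in is an assumption of this example, not Fail2Ban's regex.
HOST_PATTERN = r'(?P<host>\d{1,3}(?:\.\d{1,3}){3})'

# Constructed Apache combined-format access log lines (documentation IPs).
SAMPLE_ACCESS_LOG = [
    '203.0.113.10 - - [08/Apr/2024:08:16:12 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [08/Apr/2024:08:16:14 +0000] "GET /wp-login.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [08/Apr/2024:08:17:01 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 1532 "-" "curl/8.0"',
    '192.0.2.5 - - [08/Apr/2024:08:18:00 +0000] "GET /index.php HTTP/1.1" 200 4210 "-" "Mozilla/5.0"',
    '192.0.2.5 - - [08/Apr/2024:08:18:05 +0000] "GET /wp-admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.5 - - [08/Apr/2024:08:18:06 +0000] "GET /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 3100 "-" "Mozilla/5.0"',
]


def compile_filter(lines=FAILREGEX_LINES):
    """Expand <HOST> and compile each failregex line, as Fail2Ban does."""
    return [re.compile(line.replace('<HOST>', HOST_PATTERN)) for line in lines]


def match_line(compiled, line):
    """Return the host captured by the first matching failregex, else None."""
    for rx in compiled:
        m = rx.search(line)
        if m:
            return m.group('host')
    return None


def evaluate_jail(log_lines, maxretry=2, ignoreip=()):
    """Count failregex hits per host and list hosts that reached maxretry.

    findtime is ignored here: all sample lines fall inside one window.
    """
    compiled = compile_filter()
    hits = {}
    for line in log_lines:
        host = match_line(compiled, line)
        if host is None or host in ignoreip:
            continue
        hits[host] = hits.get(host, 0) + 1
    banned = sorted(h for h, n in hits.items() if n >= maxretry)
    return hits, banned


if __name__ == '__main__':
    hits, banned = evaluate_jail(SAMPLE_ACCESS_LOG)
    for host, n in sorted(hits.items()):
        print(f'{host}: {n} hit(s)')
    print('would ban:', banned)
```

    Running it shows three things worth knowing before the jail goes live. The filter keys on plain access to these URLs, so a legitimate administrator who opens /wp-admin/ twice within the findtime window is banned exactly like a scanner; the addresses administrators work from belong in ignoreip (passed as the ignoreip parameter here, set in the jail on a real system). Requests that carry a query string, such as the wp-login.php?redirect_to=... line, are not matched at all, because each pattern requires the path to be followed directly by " HTTP". And the jail reads the Apache access log, while the AH01797 excerpt at the top of this post comes from the error log, so those denied-by-configuration lines are not what this filter sees.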

    Finally, we reload the configuration:
