It is very common to see recurring accesses to wp-admin, wp-login, /wp-json/wp/v2/users and xmlrpc.php in the system logs. Some of them may be legitimate and others not:
[Mon Apr 08 08:16:12.279696 2024] [access_compat:error] [pid 220119:tid 140560278955776] [client 172.71.178.136:43848] AH01797: client denied by server configuration: /var/www/html/xmlrpc.php
[Mon Apr 08 08:19:23.621749 2024] [access_compat:error] [pid 220119:tid 140560287348480] [client 172.71.178.73:37464] AH01797: client denied by server configuration: /var/www/html/xmlrpc.php
[Mon Apr 08 08:21:52.652599 2024] [access_compat:error] [pid 220119:tid 140560503379712] [client 172.71.178.68:45854] AH01797: client denied by server configuration: /var/www/html/xmlrpc.php
[Mon Apr 08 08:24:15.256244 2024] [access_compat:error] [pid 220119:tid 140560270563072] [client 172.71.178.135:31928] AH01797: client denied by server configuration: /var/www/html/xmlrpc.php
[Mon Apr 08 08:26:23.238243 2024] [access_compat:error] [pid 220339:tid 140560253843200] [client 172.71.178.158:53040] AH01797: client denied by server configuration: /var/www/html/xmlrpc.php
[Mon Apr 08 08:26:49.235262 2024] [access_compat:error] [pid 220119:tid 140560511772416] [client 172.71.178.200:22220] AH01797: client denied by server configuration: /var/www/html/xmlrpc.php
[Mon Apr 08 08:29:44.230423 2024] [access_compat:error] [pid 220117:tid 140560027338496] [client 172.71.178.68:60264] AH01797: client denied by server configuration: /var/www/html/xmlrpc.php
[Mon Apr 08 08:31:28.219437 2024] [access_compat:error] [pid 220119:tid 140560469808896] [client 172.71.178.72:32100] AH01797: client denied by server configuration: /var/www/html/xmlrpc.php
To keep this situation under control, Fail2Ban was installed, so we will add a filter and a jail:
cat > /etc/fail2ban/filter.d/wordpress.conf <<'EOF'
[Definition]
# Continuation lines of a multi-line failregex must be indented, or fail2ban's
# INI parser rejects the file; dots and brackets are escaped so they match literally.
failregex = <HOST>.*\] "(GET|POST) .*/wp-admin HTTP
            <HOST>.*\] "(GET|POST) .*/wp-admin/ HTTP
            <HOST>.*\] "(GET|POST) .*/wp-login HTTP
            <HOST>.*\] "(GET|POST) .*/wp-login/ HTTP
            <HOST>.*\] "(GET|POST) .*/wp-login\.php HTTP
            <HOST>.*\] "(GET|POST) .*/xmlrpc\.php HTTP
            <HOST>.*\] "(GET|POST) .*/wp-json/wp/v2/users HTTP
EOF
cat > /etc/fail2ban/jail.d/wordpress.conf <<EOF
[wordpress]
enabled = true
filter = wordpress
port = http,https
banaction = iptables-multiport[name="WORDPRESS", port="http,https", protocol=tcp]
maxretry = 2
bantime = 15m
logpath = %(apache_access_log)s
EOF
Finally, reload the configuration:
systemctl reload fail2ban
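As an added example, not code from the original post, the following Python script replays the filter and jail above against a few constructed access-log lines and reports which clients would be banned; the findtime window (fail2ban's default of 10m, which the jail above does not override), the ignoreip list and the IPv4-only expansion of <HOST> are this script's assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The seven failregex lines from wordpress.conf. Real fail2ban expands <HOST>
# to a wider pattern; this IPv4-only expansion is a simplifying assumption.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAILREGEX = [re.compile(HOST + p) for p in (
    r'.*\] "(GET|POST) .*/wp-admin HTTP',
    r'.*\] "(GET|POST) .*/wp-admin/ HTTP',
    r'.*\] "(GET|POST) .*/wp-login HTTP',
    r'.*\] "(GET|POST) .*/wp-login/ HTTP',
    r'.*\] "(GET|POST) .*/wp-login\.php HTTP',
    r'.*\] "(GET|POST) .*/xmlrpc\.php HTTP',
    r'.*\] "(GET|POST) .*/wp-json/wp/v2/users HTTP',
)]
DATE_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) ")
# Constructed combined-format lines: scanner 203.0.113.10, slow client 198.51.100.7, admin 192.0.2.5.
SAMPLE_LOG = """\
203.0.113.10 - - [08/Apr/2024:08:16:12 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "curl/8.0"
203.0.113.10 - - [08/Apr/2024:08:16:13 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 403 199 "-" "curl/8.0"
198.51.100.7 - - [08/Apr/2024:08:20:00 +0000] "GET /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
192.0.2.5 - - [08/Apr/2024:08:21:00 +0000] "GET /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
192.0.2.5 - - [08/Apr/2024:08:21:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.5 - - [08/Apr/2024:08:21:07 +0000] "GET /index.php HTTP/1.1" 200 5000 "-" "Mozilla/5.0"
198.51.100.7 - - [08/Apr/2024:08:45:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

def match_host(line):
    """Return the client IP when a line matches any failregex, else None."""
    for rx in FAILREGEX:
        if m := rx.search(line):
            return m.group("host")
    return None

def banned_hosts(log, maxretry=2, findtime=timedelta(minutes=10), ignoreip=()):
    """Replay the jail: ban a host once it has maxretry matches inside findtime."""
    hits, banned = defaultdict(deque), []
    for line in log.splitlines():
        host = match_host(line)
        if host is None or host in ignoreip or host in banned:
            continue
        ts = datetime.strptime(DATE_RE.search(line).group(1), "%d/%b/%Y:%H:%M:%S")
        hits[host].append(ts)
        while ts - hits[host][0] > findtime:  # forget matches older than the window
            hits[host].popleft()
        if len(hits[host]) >= maxretry:
            banned.append(host)
    return banned
```

The third client shows that one ordinary login (GET of the form followed by the POST) already reaches maxretry = 2, so the administrator's own address belongs in the jail's ignoreip.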