I decided to install fail2ban as the first step in this process, since what it does is block IP addresses temporarily when they are doing things that look like attacks. To install (assuming you have the right yum repos set up), you just run the command:
yum install fail2ban
Once it is installed, you just enable the service, and the default configuration protects you from a number of attacks (including the SSH brute-force login attempts I was seeing).
It’s a good idea to update the jail.conf parameters that send email, so that you’ll get notified on these sorts of failures. That way you know when somebody gets locked out, and can see if it is an actual attack or just a forgotten password.
Testing is pretty simple: just fail logging in a few times in a row, and you should get a “connection refused” on the fourth try. You can try again in a few minutes, since fail2ban only adds the rule to the firewall temporarily (I believe the default is that 5 failed logins block you for 5 minutes).
Next I needed to add a rule that is not included with fail2ban directly: I wanted to do the same thing for my WordPress site (I actually had some lame hacker sneak into a WP installation a year or so ago, and had to rebuild the whole server to get rid of the nefarious code).
Whipping out my trusty Google search, I found a few different ways to watch the WP logins, and settled on using a simple regex.
First I created a filter in the /etc/fail2ban/filter.d folder (naming it apache-wp-login.conf):
The above rule tells fail2ban to watch the web server access logs for repeated failed logins, and will block the IP after 3 successive failures within 5 minutes. So if somebody tries to log in (which for my sites is only used for content authors and admins) and brute-force the site, they will get blocked for 5 minutes.
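To make the filter/jail interaction concrete, here is an added example (my own code, not the filter from this post, whose contents are not reproduced above). It reads a constructed filter stanza in the shape of a /etc/fail2ban/filter.d file and a constructed jail stanza with the post's numbers (maxretry 3, findtime 300, bantime 300), expands fail2ban's <HOST> placeholder into a Python regex, and replays constructed Apache access-log lines through the same maxretry/findtime/bantime logic. The failregex is an assumption: it treats a POST to wp-login.php answered with HTTP 200 as a failure, because WordPress re-renders the login form on a bad password and redirects (302) on success. The <HOST> expansion is simplified to a non-space token rather than fail2ban's real host pattern.

```python
"""Mini replay of a fail2ban WordPress-login filter and jail (added example)."""
import configparser
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed filter text in the layout of filter.d/apache-wp-login.conf.
# Assumed pattern: a POST to wp-login.php that gets a 200 is a failed login.
FILTER_CONF = r"""
[Definition]
failregex = ^<HOST> .* "POST /wp-login\.php[^"]*" 200
ignoreregex =
"""

# Constructed jail stanza mirroring the post: 3 failures in 5 minutes -> 5 minute ban.
JAIL_CONF = """
[apache-wp-login]
enabled  = true
filter   = apache-wp-login
logpath  = /var/log/httpd/access_log
maxretry = 3
findtime = 300
bantime  = 300
"""

# Simplified stand-in for fail2ban's <HOST> expansion (assumption).
HOST_GROUP = r"(?P<host>\S+)"
TS_RE = re.compile(r"\[([^\]]+)\]")  # Apache timestamp, e.g. [10/Mar/2024:12:00:01 +0000]

# Constructed sample log lines, Apache combined format (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2024:12:00:20 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2024:12:00:30 +0000] "GET /wp-login.php HTTP/1.1" 200 4100 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2024:12:00:45 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Mar/2024:12:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Mar/2024:12:01:30 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Mar/2024:12:02:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Mar/2024:12:10:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"',
]


def load_filter(text):
    """Return (failregex, ignoreregex-or-None) compiled from a filter stanza."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    section = cp["Definition"]
    fail = re.compile(section["failregex"].replace("<HOST>", HOST_GROUP))
    ignore = section.get("ignoreregex", "").strip()
    return fail, (re.compile(ignore) if ignore else None)


def load_jail(text, name):
    """Return (maxretry, findtime, bantime) as integers from a jail stanza."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    jail = cp[name]
    return int(jail["maxretry"]), int(jail["findtime"]), int(jail["bantime"])


def log_time(line):
    """Parse the bracketed Apache timestamp of one access-log line."""
    return datetime.strptime(TS_RE.search(line).group(1), "%d/%b/%Y:%H:%M:%S %z")


def simulate(lines, filter_text=FILTER_CONF, jail_text=JAIL_CONF, jail="apache-wp-login"):
    """Replay log lines; return [(host, "ban"|"unban", "HH:MM:SS"), ...] in order."""
    failregex, ignoreregex = load_filter(filter_text)
    maxretry, findtime, bantime = load_jail(jail_text, jail)
    failures = defaultdict(list)  # host -> timestamps of matches inside the window
    banned_until = {}             # host -> when the ban expires
    events = []
    for line in lines:
        if ignoreregex and ignoreregex.search(line):
            continue
        match = failregex.search(line)
        if not match:
            continue
        host, now = match.group("host"), log_time(line)
        # Expire bans whose bantime has passed (checked lazily, as lines arrive).
        for h, until in list(banned_until.items()):
            if now >= until:
                del banned_until[h]
                events.append((h, "unban", until.strftime("%H:%M:%S")))
        if host in banned_until:
            continue  # a real firewall rule would already be dropping this host
        # Keep only failures inside the findtime window, then add this one.
        window_start = now - timedelta(seconds=findtime)
        failures[host] = [t for t in failures[host] if t >= window_start] + [now]
        if len(failures[host]) >= maxretry:
            banned_until[host] = now + timedelta(seconds=bantime)
            failures[host].clear()
            events.append((host, "ban", now.strftime("%H:%M:%S")))
    return events


if __name__ == "__main__":
    for host, action, when in simulate(SAMPLE_LOG):
        print(f"{when} {action:5} {host}")
```

In the sample, 203.0.113.7 reaches three failed POSTs within 44 seconds and is banned (the GET in between is not counted), while 198.51.100.9 stops at two failures, logs in successfully, and its later failure falls outside the 5-minute window. With a real install, the equivalent check is `fail2ban-regex /var/log/httpd/access_log /etc/fail2ban/filter.d/apache-wp-login.conf`, which reports how many lines the failregex matched before you enable the jail.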