If You Follow Nginx Official Documentation, Blocking WordPress Bruteforce Attacks on Nginx Will Be Quite Easier. We Can Stop Ping of Death For Example. Ping of Death is a kind of DDoS, we are not covering DDoS on IaaS in this article, it is already covered. Here are some easy and basic tricks, which most are not aware of.
Blocking WordPress Bruteforce Attacks on Nginx
Nginx Module ngx_http_limit_req_module limits the request processing rate. We need to add it on /etc/nginx.nginx.conf file on default Nginx apt version installation. Official method to limit the rate for an imaginary location named /search/ is this :
1 2 3 4 5 6 | limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s; server { location /search/ { limit_req zone=one burst=5; } |
An example to limit requests towards wp-login.php file can be like this which unix socket settings :
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 | location ~ \.php$ { location ~* wp\-login\.php { limit_req zone=one burst=1 nodelay; try_files $uri =404; fastcgi_split_path_info ^(.+\.php)(/.+)$; include fastcgi_params; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_pass unix:/var/run/php5-fpm.sock; } try_files $uri =404; fastcgi_split_path_info ^(.+\.php)(/.+)$; include fastcgi_params; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_pass unix:/var/run/php5-fpm.sock; } |
Fail2Ban supports this feature of Nginx, so to fine-tune, we can install Fail2Ban :
1 | apt-get install fail2ban |
then open the config file to adjust :
1 | nano /etc/fail2ban/filter.d/nginx-req-limit.conf |
to this :
1 2 3 4 | [Definition] failregex = ^.*limiting requests, excess:.* by zone.*client: <HOST>, server.*$ ignoreregex = |
This is highly configurable, an example config :
1 2 3 | [Definition] failregex = ^<HOST> -.*\"(GET|POST).* ignoreregex = ^<HOST> -.*\"(GET|POST).*Googlebot |
/etc/fail2ban/jail.d/nginx-req-limit.conf should have this kind of settings :
---
1 2 3 4 5 6 | [nginx-req-limit] enabled = true filter = nginx-req-limit action = ufw log path = /var/log/nginx/*error.log |
You can run service ufw status command in Ubuntu to check whether ufw is running or not. Enable/Disable is this set :
1 2 | sudo ufw disable sudo ufw enable |
You should cat this file – /etc/fail2ban/jail.local to check the settings :
1 2 3 4 5 6 | [DEFAULT] ignoreip = 127.0.0.1/8 banaction = ufw maxRetry = 5 findtime = 600 bantime = 7200 |
We can configure /etc/fail2ban/action.d/ufw.conf file to control ufw. You should check the manual of Fail2Ban for better settings, the file somewhat looks like this :
1 2 3 4 5 | [Definition] actionstart = actionstop = actioncheck = ... |
At the end, if you try ApacheBench with a higher value against our domain :
1 | ab -c 1 -n 1 https://thecustomizewindows.com:443/ |
Increase the value from 1 to few hundred times, it will reject. That is a basic way to flood. Never do these with others’ server, your IP might get blacklisted.
