View All Failed SSH Login Attempts on Your WordPress VPS – Ubuntu and CentOS

There are numerous advantages to hosting your WordPress blog on a VPS, aside from the resource isolation it provides, you have root access to the server and you can install and uninstall packages at any time.

Additionally, with the proliferation of VPS service providers such as Digital Ocean, Vultr, Cloudways, Scaleways, Linode and even more recently with Amazon joining the list with Amazon Light Sail, there are very valid reasons to running your own WordPress VPS. Most of these services have predefined templates for installing and setting up WordPress.

However, with great power comes great responsibility, the freedom, cost saying and reality comes with the added cost of security especially if you are not using third-party consultants such as WPEngine, WPCurve among others. One of the popular ways that hacker access multiple WordPress websites is hijacking the VPS servers using a typical Bruteforce attack.

With a Brute-force attack, the attacker uses an automated script to try multiple logins via SSH. One of the most popular tool that is usually used to protect served is Fail2Ban. According to the fail2ban wiki, Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show the malicious signs — too many password failures, seeking for exploits, etc.

Generally, Fail2Ban can be used to update firewall rules to reject the IP addresses for a specified amount of time, although any arbitrary other action (e.g. sending an email, or ejecting CD-ROM tray) could also be configured.

Out of the box Fail2Ban comes with filters for various services (apache, curier, ssh, etc).

Installing Fail2Ban

To install Fail2Ban, ensure your system is up to date, then install Fail2ban using the command below for Ubuntu:

apt-get update && apt-get upgrade -y
apt-get install fail2ban
ufw allow ssh
ufw enable

For CentOs you would want to use the commands below:

yum update
yum install fail2ban

How to view login attempts via SSH on your Web server

You need to be the root user or run the commands with sudo

Related:  Top 20 Best Tattoo, Face Painting, Body Painting & Body Piercing Parlor WordPress Themes 2017

For debian clones such as Ubuntu, you can use the following commands to view the login attends that are accessing your server. Most often than not. There will be multiple IP trying to login to your VPS.

View all failed login attempts

cat /var/log/auth.log | grep 'sshd.*Failed'

Below is a sample response you would see from a bot/attacker that is trying to access your VPS.

Apr 10 22:56:29 h2 sshd[549]: Failed password for root from 69.203.16.175 port 57922 ssh2
Apr 10 23:00:35 h2 sshd[17198]: Failed password for root from 189.36.240.173 port 47614 ssh2
Apr 10 23:00:38 h2 sshd[17198]: Failed password for root from 189.36.240.173 port 47614 ssh2
Apr 10 23:00:40 h2 sshd[17198]: Failed password for root from 189.36.240.173 port 47614 ssh2
Apr 10 23:00:42 h2 sshd[17198]: Failed password for root from 189.36.240.173 port 47614 ssh2
Apr 10 23:00:45 h2 sshd[17198]: Failed password for root from 189.36.240.173 port 47614 ssh2
Apr 10 23:00:47 h2 sshd[17198]: Failed password for root from 189.36.240.173 port 47614 ssh2

From the response above you will notice that an attacker from 189.36.240.173 is trying to access the server. The default configuration for Fail2Ban will block an atcker after multiple attempts, thus protecting your VPS aand your website.

To view all successful logins, use the following command

cat /var/log/auth.log | grep 'sshd.*opened'

On RedHat or CentOS Clones you can use the following commands to view all failed login attempts

cat /var/log/auth.log | grep 'sshd.*Failed'

To view all successful logins On RedHat or CentOS clones you can use the following command

cat /var/log/secure | grep 'sshd.*opened'

How to view login attempts via SSH on your Web Server

Advanced – Configuring Fail2ban

By default the SSH protocol is enabled and protected. Without further changes, anyone trying to brute force their way into your server will automatically be banned or locked out after 6 tries.

Related:  How to Run WordPress on a Kubernetes Cluster from Scratch

Fail2ban protects the default protocol ports. If your configure services on your server to use a non-standard port, then you must specify the new port number for the service. Other services are configured but are not enabled. You can tell by the value false for enabled under each service.

To enable and protect a service that is running on your server, scroll down to the service section and change the value for Enabled to true.

Since must servers are designed to only run the minimum of services, you may only need to protect SSH. Other services like Apache2 and Xnit.d might not need to be configured.

For each section:

  • Enabled – simply means that the server is enabled for monitoring by fail2ban.
  • Port – is the port number of the service to monitor. By default, fail2ban monitors standard ports, so if you changed the port for a service to something other than the standard, you must specify it.
  • Filter – this variable refers to the rules and strings that fail2ban uses to spot an attack against a particular service.
  • Logpath – this config variable refers to the log location that fail2ban tracks.. by default it’s the auth.log file. If that’s changed for you OS, you must specify it there too.

After this post, you will be able to protect your VPS again bots and attackers that use brute force to access your WordPres VPS. Feel free to leave comments, ideas and suggestions below.

View All Failed SSH Login Attempts on Your WordPress VPS – Ubuntu and CentOS
4 (85%) 331 votes