There are numerous advantages to hosting your WordPress blog on a VPS, aside from the resource isolation it provides, you have root access to the server and you can install and uninstall packages at any time.
Additionally, with the proliferation of VPS service providers such as Digital Ocean, Vultr, Cloudways, Scaleways, Linode and even more recently with Amazon joining the list with Amazon Light Sail, there are very valid reasons to running your own WordPress VPS. Most of these services have predefined templates for installing and setting up WordPress.
However, with great power comes great responsibility, the freedom, cost saying and reality comes with the added cost of security especially if you are not using third-party consultants such as WPEngine, WPCurve among others. One of the popular ways that hacker access multiple WordPress websites is hijacking the VPS servers using a typical Bruteforce attack.
With a Brute-force attack, the attacker uses an automated script to try multiple logins via SSH. One of the most popular tool that is usually used to protect served is Fail2Ban. According to the fail2ban wiki, Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show the malicious signs — too many password failures, seeking for exploits, etc.
Generally, Fail2Ban can be used to update firewall rules to reject the IP addresses for a specified amount of time, although any arbitrary other action (e.g. sending an email, or ejecting CD-ROM tray) could also be configured.
Out of the box Fail2Ban comes with filters for various services (apache, curier, ssh, etc).
To install Fail2Ban, ensure your system is up to date, then install Fail2ban using the command below for Ubuntu:
apt-get update && apt-get upgrade -y apt-get install fail2ban ufw allow ssh ufw enable
For CentOs you would want to use the commands below:
yum update yum install fail2ban
How to view login attempts via SSH on your Web server
You need to be the root user or run the commands with sudo
For debian clones such as Ubuntu, you can use the following commands to view the login attends that are accessing your server. Most often than not. There will be multiple IP trying to login to your VPS.
View all failed login attempts
cat /var/log/auth.log | grep 'sshd.*Failed'
Below is a sample response you would see from a bot/attacker that is trying to access your VPS.
Apr 10 22:56:29 h2 sshd: Failed password for root from 188.8.131.52 port 57922 ssh2 Apr 10 23:00:35 h2 sshd: Failed password for root from 184.108.40.206 port 47614 ssh2 Apr 10 23:00:38 h2 sshd: Failed password for root from 220.127.116.11 port 47614 ssh2 Apr 10 23:00:40 h2 sshd: Failed password for root from 18.104.22.168 port 47614 ssh2 Apr 10 23:00:42 h2 sshd: Failed password for root from 22.214.171.124 port 47614 ssh2 Apr 10 23:00:45 h2 sshd: Failed password for root from 126.96.36.199 port 47614 ssh2 Apr 10 23:00:47 h2 sshd: Failed password for root from 188.8.131.52 port 47614 ssh2
From the response above you will notice that an attacker from
184.108.40.206 is trying to access the server. The default configuration for Fail2Ban will block an atcker after multiple attempts, thus protecting your VPS aand your website.
To view all successful logins, use the following command
cat /var/log/auth.log | grep 'sshd.*opened'
On RedHat or CentOS Clones you can use the following commands to view all failed login attempts
cat /var/log/auth.log | grep 'sshd.*Failed'
To view all successful logins On RedHat or CentOS clones you can use the following command
cat /var/log/secure | grep 'sshd.*opened'
How to view login attempts via SSH on your Web Server
Advanced – Configuring Fail2ban
By default the SSH protocol is enabled and protected. Without further changes, anyone trying to brute force their way into your server will automatically be banned or locked out after 6 tries.
Fail2ban protects the default protocol ports. If your configure services on your server to use a non-standard port, then you must specify the new port number for the service. Other services are configured but are not enabled. You can tell by the value false for enabled under each service.
To enable and protect a service that is running on your server, scroll down to the service section and change the value for Enabled to true.
Since must servers are designed to only run the minimum of services, you may only need to protect SSH. Other services like Apache2 and Xnit.d might not need to be configured.
For each section:
Enabled– simply means that the server is enabled for monitoring by fail2ban.
Port– is the port number of the service to monitor. By default, fail2ban monitors standard ports, so if you changed the port for a service to something other than the standard, you must specify it.
Filter– this variable refers to the rules and strings that fail2ban uses to spot an attack against a particular service.
Logpath– this config variable refers to the log location that fail2ban tracks.. by default it’s the auth.log file. If that’s changed for you OS, you must specify it there too.
After this post, you will be able to protect your VPS again bots and attackers that use brute force to access your WordPres VPS. Feel free to leave comments, ideas and suggestions below.