In today's digital landscape, websites are frequent targets of attacks, which can result in data loss, disruption of services, or even theft of sensitive information. Wordpress and other Content Management Systems (CMS) are popular targets among attackers due to their widespread use and sometimes inadequate security measures. One way to bolster the defense of these systems is by implementing the Fail2Ban tool on CentOS 7 servers. Fail2Ban monitors system logs and automatically blocks IP addresses attempting suspicious activities. This article provides detailed instructions on how to configure and use Fail2Ban to protect your CMS.

Installing Fail2Ban

Before proceeding, ensure Fail2Ban is installed on your CentOS 7 server. Installation can be done using the following commands in the terminal:

sudo yum install epel-release
sudo yum install fail2ban

After installation, enable and start the Fail2Ban service:

sudo systemctl enable fail2ban
sudo systemctl start fail2ban

Configuring Fail2Ban for WordPress and Other CMS

Fail2Ban uses configuration files in .conf format. It's recommended not to edit these files directly but to create copies with the .local extension, which will override the default settings.

1. Creating Custom Configuration: Copy the default configuration file jail.conf to a new file named jail.local:

   cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
   

2. Configuring jail.local: Open the jail.local file in a text editor and add a section for WordPress or any other CMS you wish to protect. For example, for WordPress, the configuration might look like this:

   [wordpress-hard]
   enabled  = true
   filter   = wordpress
   action   = iptables-multiport[name=WordPress, port="http,https"]
   logpath  = /var/log/httpd/*access_log
   maxretry = 3
   

   This configuration defines a rule named wordpress-hard, which monitors the web server logs (in this case Apache) for unsuccessful login attempts or other suspicious activities associated with WordPress.

3. Creating Custom Filter: Fail2Ban requires a corresponding filter for each jail, defining how to identify suspicious activity. Create a file /etc/fail2ban/filter.d/wordpress.conf and define patterns that match unauthorized access attempts. An example filter might look like this:

   [Definition]
   failregex = <HOST> - - .*"POST /wp-login.php
   

Running and Testing Fail2Ban

After completing the configuration, restart the Fail2Ban service to apply the changes:

sudo systemctl restart fail2ban

To verify that Fail2Ban is correctly configured and functioning, you can use the command:

sudo fail2ban-client status wordpress-hard

This command will display the status of the wordpress-hard jail, including the number of currently blocked IP addresses.

Implementing Fail2Ban on a CentOS 7 server offers an effective way to protect WordPress and other CMS systems against common attacks, such as brute-force attacks on login pages. With its flexible configuration, Fail2Ban can be adapted to protect a wide range of applications and services. Regularly updating filters and monitoring logs will ensure that your system remains protected against emerging threats.