This post describes the steps to block the IP address that is the origin of a brute-force attack against a WordPress blog.
WARNING!
Make sure you
DO NOT block your own IP addresses, or apply and global rules which would block the SSH port (port 22).
Identify IP Addresses to Block (Blog Server)
Tail the blog server apache logs:
sudo tail -f /var/log/httpd/access_log
199.188.70.163 - - [12/Oct/2014:16:29:03 +0000] "POST /wp-login.php HTTP/1.0" 200 4432 "-" "-"
37.59.125.22 - - [12/Oct/2014:16:29:03 +0000] "POST /wp-login.php HTTP/1.0" 200 4432 "-" "-"
199.188.70.163 - - [12/Oct/2014:16:29:04 +0000] "POST /wp-login.php HTTP/1.0" 200 4432 "-" "-"
37.59.125.22 - - [12/Oct/2014:16:29:05 +0000] "POST /wp-login.php HTTP/1.0" 200 4432 "-" "-"
37.59.125.22 - - [12/Oct/2014:16:29:05 +0000] "POST /wp-login.php HTTP/1.0" 200 4432 "-" "-"
This shows two ip addresses, 199.188.70.163 and 37.59.125.22 attempting to brute-force the blog's Word Press login page:
It is worth checking the Apache error log:
sudo tail -f /var/log/httpd/access_log
Blocking IP Addresses Using iptables
List existing iptables rules:
# List iptables rules
sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
The output of the -S switch can be used to re-create the given rule from the command line or a rule script.
To block a single IP addresses 199.188.70.163 and 37.59.125.22 do the following:
sudo iptables -A INPUT -s 199.188.70.163 -j DROP
sudo iptables -A INPUT -s 37.59.125.22 -j DROP
Listing the iptables rules once more should show the DROP rules that were added in the previous step:
# List iptables rules
sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -s 199.188.70.163 -j DROP
-A INPUT -s 37.59.125.22 -j DROP
The two rules that were added have not taken effect yet. To save them do the following:
# Save the iptables rules
sudo /etc/init.d/iptables save
NOTE: The /sbin/service command is available on the blog server, so you can use that to save iptables rules:
sudo /sbin/service iptables save
The service command runs /etc/init.d/ scripts without passing on environment variables defined by the user.
When successfully saved, it should display a message such as:
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
Removing iptables Rules
List iptables Rules:
sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -s 199.188.70.0/24 -j DROP
-A INPUT -s 37.59.125.0/24 -j DROP
The following lists the form in a more readable form:
# List rules with line number in verbose mode
sudo iptables -L -n -v --line-numbers
In the following output the "num" column represents the line number within each Chain (INPUT, FORWARD, and OUTPUT). This number will be will be used to remove the rules.
Chain INPUT (policy ACCEPT 31267 packets, 2159K bytes)
num pkts bytes target prot opt in out source destination
1 206 12472 DROP all -- * * 199.188.70.0/24 0.0.0.0/0
2 313 20047 DROP all -- * * 37.59.125.0/24 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 14419 packets, 75M bytes)
num pkts bytes target prot opt in out source destination
Look at the number on the left in the "num" column, then use number to delete the rule. For example delete line number 2 (subnet 37.59.125.0/24), enter:
sudo iptables -D INPUT 2
This will not take effect until it the rule is saved:
# Save the iptables rules
sudo /etc/init.d/iptables save
Identify Other IP Addresses Performing Similar Attacks
Use the following command to identify IP addresses making large number of login attempts the WordPress blog:
# IP addresses making POST request to the WordPress login page
grep wp-login /var/log/httpd/access_log | grep POST | awk '{print $1}'| sort | uniq -c | sort -nr
20154 199.188.70.163
14105 194.65.224.242
3732 37.59.125.22
40 37.1.222.114
25 192.187.99.194
Make sure that you EXCLUDE remove your own IP addresses and other legitimate IP addresses from the above list before blocking them. In this case we should probably block the first three ( 20154 199.188.70.163, 194.65.224.242, and 37.59.125.22) and not the last two (37.1.222.114 and 192.187.99.194).
You may want to use an IP address lookup tool such as MaxMind GeoIP Lookup to see where the IP address is located:
Finding Your Public IP Address on the Command Line
The following is a Bash command that can be used to quickly find the public IP address your internet service provider (ISP) has given you. This is not the same as the IP address seen by your broadband router, which is usually an private IP address within the ISPs network, or the IP address given to your computer, which is a private IP address issued by my home router.
This command simply makes a "what is my ip" query to Google, which in turn displays the IP address it sees the request originating from. The awk command parses the IP address from the rest of the HTML and prints it to the command line.
curl -s 'https://www.google.com/search?q=what+is+my+ip' | awk 'match($0, /\(Client.*: (.*)\)/){print substr($0, RSTART, RLENGTH)}'
(Client IP address: 50.x.x.x)