
As explained in the WordPress Codex, I want to prevent brute force attacks on wp-login.php via RewriteRule.

http://codex.wordpress.org/Brute_Force_Attacks#Deny_Access_to_No_Referrer_Requests

Rather than the Codex's 301 status code, I want to rewrite with a 403 Forbidden status and have it logged as "client denied by server configuration" so that Fail2Ban can process the log and block the IP.

I am using the code below.

# Stop brute-force login POSTs and comment spam: a POST to wp-login.php or
# wp-comments-post.php that arrives without a referer from our own site, or
# with an empty User-Agent, is answered with 403 instead of being processed.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} POST
    # Match the two scripts exactly: the dot must be escaped and the
    # extension anchored (".php*" would have matched "wp-login.ph" too).
    RewriteCond %{REQUEST_URI} /(wp-comments-post|wp-login)\.php$
    RewriteCond %{HTTP_REFERER} !example\.com [OR]
    RewriteCond %{HTTP_USER_AGENT} ^$
    # R=403 is outside the 3xx range, so mod_rewrite drops the substitution
    # and returns the status directly; [F] is the equivalent shorthand.
    RewriteRule .* - [R=403,L]
</IfModule>

It forbids the POST attempts with a 403 status code, but I do not see any log of the incident in error_log.

How can I make RewriteRule log the incident as a normal 403 entry in error_log? And is a Rewrite + Fail2Ban configuration an efficient way to deal with brute force attacks, from a server management point of view, or not?

NecNecco

1 Answer


You will not see these attempts in the error_log. You will see entries in the access_log for them, so you would configure fail2ban to ban IPs that reached a 403 status code when accessing that specific URL, based on the access log entries.

Florin Asăvoaie
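The matching the answer describes, as an added example that is not part of the original question or answer: a fail2ban-style `failregex` for access_log lines that records a 403 on a POST to wp-login.php or wp-comments-post.php, run over a small constructed access_log with a sliding-window counter that mirrors fail2ban's `maxretry` and `findtime` semantics. The `<HOST>` placeholder is expanded here with a simplified IPv4 pattern (fail2ban's own expansion is broader and also covers IPv6 and hostnames), the log lines and IP addresses are constructed for the example, and the threshold values are assumptions, not values from the page.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# fail2ban-style failregex. <HOST> is the placeholder fail2ban substitutes with
# its host-matching pattern; this same string can go into a filter.d file.
# It matches only POSTs to the two guarded scripts that were answered 403, so
# a legitimate login (302) or a page load (GET ... 200) never counts.
FAILREGEX = (
    r'^<HOST> - \S+ \[(?P<ts>[^\]]+)\] '
    r'"POST /(?:wp-login|wp-comments-post)\.php[^"]*" 403 '
)

# Simplified IPv4-only expansion of <HOST> (assumption; fail2ban's is broader).
HOST_PATTERN = r'(?P<host>\d{1,3}(?:\.\d{1,3}){3})'
FAIL_RE = re.compile(FAILREGEX.replace('<HOST>', HOST_PATTERN))

# Apache access_log timestamp, e.g. 10/Feb/2014:12:00:01 +0000
TS_FORMAT = '%d/%b/%Y:%H:%M:%S %z'

# Constructed access_log excerpt: one attacker hammering wp-login.php with no
# referer/User-Agent, one legitimate user, one host with a single comment-spam
# attempt and a 403 on an unrelated URL that the filter must ignore.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [10/Feb/2014:12:00:01 +0000] "POST /wp-login.php HTTP/1.1" 403 199 "-" "-"
198.51.100.4 - - [10/Feb/2014:12:00:02 +0000] "GET /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2014:12:00:03 +0000] "POST /wp-login.php HTTP/1.1" 403 199 "-" "-"
192.0.2.9 - - [10/Feb/2014:12:00:04 +0000] "POST /wp-comments-post.php HTTP/1.1" 403 199 "-" "curl/7.35"
203.0.113.7 - - [10/Feb/2014:12:00:05 +0000] "POST /wp-login.php HTTP/1.1" 403 199 "-" "-"
198.51.100.4 - - [10/Feb/2014:12:00:06 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "http://example.com/wp-login.php" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2014:12:00:07 +0000] "POST /wp-login.php HTTP/1.1" 403 199 "-" "-"
192.0.2.9 - - [10/Feb/2014:12:00:08 +0000] "GET /xmlrpc.php HTTP/1.1" 403 199 "-" "curl/7.35"
203.0.113.7 - - [10/Feb/2014:12:00:09 +0000] "POST /wp-login.php HTTP/1.1" 403 199 "-" "-"
""".splitlines()


def parse_failure(line):
    """Return (host, timestamp) if the line is a 403 on a guarded URL, else None."""
    m = FAIL_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group('ts'), TS_FORMAT)
    return m.group('host'), ts


def find_bans(lines, maxretry=5, findtime=600):
    """Emulate a fail2ban jail over already-written log lines: a host is banned
    once it has `maxretry` matching failures inside any `findtime`-second
    window. Returns the banned hosts in the order they were first banned."""
    window = timedelta(seconds=findtime)
    hits = defaultdict(deque)   # host -> timestamps of recent failures
    banned = []
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        host, ts = parsed
        if host in banned:
            continue
        q = hits[host]
        q.append(ts)
        # Drop failures that fell out of the findtime window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= maxretry:
            banned.append(host)
    return banned


if __name__ == '__main__':
    for host in find_bans(SAMPLE_ACCESS_LOG, maxretry=5, findtime=600):
        print('ban', host)
```

In a real jail the same `FAILREGEX` string goes into the filter's `failregex`, the jail points `logpath` at the Apache access_log rather than the error_log, and `maxretry`/`findtime` take the role of the two function arguments; the `ts - q[0] > window` check is what makes a slow, spread-out guesser with fewer than `maxretry` hits per window escape the ban, which is why `findtime` matters as much as `maxretry`.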