Preventing a DoS (Denial of Service) attack on WordPress is hard. These are the steps I took to stop a huge amount of traffic to a WordPress site, which was causing it to crash after just a couple of minutes.
1. "yum list updates" - check whether the Linux server is up-to-date
2. "sudo yum update" - bring the Linux server up-to-date
3. "yum install fail2ban" - the main config file is /etc/fail2ban/jail.conf ("vi /etc/fail2ban/jail.conf")
4. Install the fail2ban WordPress plugin (wp-fail2ban)
5. "sudo curl https://plugins.svn.wordpress.org/wp-fail2ban/trunk/wordpress-hard.conf > /etc/fail2ban/filter.d/wordpress.conf" - note that the redirect is done by your shell, not by sudo, so you may have to save it locally and do another sudo to move it into place.
6. Edit the "/etc/fail2ban/jail.d/wordpress.conf" file as follows:
[wordpress]
enabled = true
filter = wordpress
logpath = /var/log/auth.log
port = http,https
7. Restart the fail2ban service: "service fail2ban restart"
8. However, if you've auth protected WordPress this may not be enough, so do the following:
9. In jail.conf add the following:
[http-get-dos]
enabled = true
port = http,https
filter = http-get-dos
logpath = /var/log/httpd/access_log
maxretry = 300
findtime = 300
# bantime is in seconds: 60000 s = 1000 minutes
bantime = 60000
action = iptables[name=HTTP, port=http, protocol=tcp]
[http-post-dos]
enabled = true
port = http,https
filter = http-post-dos
logpath = /var/log/httpd/access_log
maxretry = 15
findtime = 300
# bantime is in seconds: 60000 s = 1000 minutes
bantime = 60000
action = iptables[name=HTTP, port=http, protocol=tcp]
10. Create an http-get-dos.conf filter file (in /etc/fail2ban/filter.d/, where "filter = http-get-dos" looks for it) with the following contents:
# Author: http://www.go2linux.org
#
[Definition]
# Option: failregex
# Note: This regex will match any GET entry in your logs, so every request, legitimate or not, is a match.
# You should set maxretry and findtime in the jail.conf file carefully in order to avoid false positives.
failregex = ^<HOST> -.*GET
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
11. Create an http-post-dos.conf filter file (also in /etc/fail2ban/filter.d/) with the following contents:
# Author: http://www.go2linux.org
#
[Definition]
# Option: failregex
# Note: This regex will match any POST entry in your logs, so every request, legitimate or not, is a match.
# You should set maxretry and findtime in the jail.conf file carefully in order to avoid false positives.
failregex = ^<HOST> -.*POST
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
12. Restart the fail2ban service: "service fail2ban restart"
That should start blocking those nasty DoS attacks quite well.
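To see what maxretry and findtime actually do with these filters, here is an added example (my own Python, not part of fail2ban or of this post) that applies the two failregex patterns above to constructed Apache access-log lines and reports which client would be banned; it stands in for fail2ban's <HOST> tag with an IPv4-only capture group, which is an assumption of the example.

```python
import calendar
import re
from collections import defaultdict, deque
from datetime import datetime

# Simplified stand-in for fail2ban's <HOST> tag (assumption: IPv4 clients only).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The two filters from the post, paired with the thresholds from their jails.
JAILS = {
    "http-get-dos":  {"failregex": re.compile(r"^" + HOST + r" -.*GET"),
                      "maxretry": 300, "findtime": 300},
    "http-post-dos": {"failregex": re.compile(r"^" + HOST + r" -.*POST"),
                      "maxretry": 15, "findtime": 300},
}
# Timestamp field of an Apache log line, e.g. [10/Oct/2016:13:55:36 +0000]
TIME_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]")

def line_time(line):
    """Epoch seconds of the request (zone offset ignored; only differences matter)."""
    stamp = TIME_RE.search(line).group(1)
    return calendar.timegm(datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S").timetuple())

def banned_hosts(lines, jail):
    """Hosts that reach maxretry matches inside a findtime window, as fail2ban counts."""
    cfg = JAILS[jail]
    recent = defaultdict(deque)  # host -> times of matching lines still within findtime
    banned = set()
    for line in lines:
        match = cfg["failregex"].match(line)
        if not match:
            continue
        host, now = match.group("host"), line_time(line)
        hits = recent[host]
        hits.append(now)
        while now - hits[0] > cfg["findtime"]:  # drop hits older than findtime
            hits.popleft()
        if len(hits) >= cfg["maxretry"]:
            banned.add(host)
    return banned

def sample_line(host, method, second):
    """Constructed combined-log line (sample data, not from a real server)."""
    return (f'{host} - - [10/Oct/2016:13:55:{second:02d} +0000] '
            f'"{method} /wp-login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"')

# Constructed log: one client fires 20 POSTs in 20 s; another sends a normal handful.
SAMPLE_LOG = ([sample_line("203.0.113.7", "POST", s) for s in range(20)]
              + [sample_line("198.51.100.9", "POST", s) for s in range(5)]
              + [sample_line("198.51.100.9", "GET", s) for s in range(10)])
```

Running banned_hosts(SAMPLE_LOG, "http-post-dos") flags only 203.0.113.7, while the GET jail flags nobody, which is the false-positive margin the filter comments warn you to tune.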