Fail2Ban Bao Ve WordPress Va SSH Khoi Brute Force: Huong Dan Tu A Den Z 2026

Mỗi ngày một VPS công khai nhận trung bình 30.000 đến 100.000 lần thử brute force SSH. WordPress login page còn khủng hơn – hàng nghìn lần dò mật khẩu mỗi giờ. Mình từng log vào server và thấy auth.log phình lên vài trăm MB chỉ toàn dòng “Failed password for root from 193.x.x.x”.

Fail2Ban là công cụ mình luôn cài đầu tiên trên mọi VPS mới, trước cả Nginx. Bài này mình hướng dẫn bạn cài đặt Fail2Ban bảo vệ SSH và WordPress từ A đến Z, bao gồm filter custom cho wp-login.php, cấu hình ban tăng dần cho tội phạm tái phạm, và cả phần xử lý khi bạn tự ban nhầm chính mình.

Fail2Ban là gi va tai sao ban can no cho WordPress?

Fail2Ban la mot intrusion prevention framework viet bang Python. No doc log file cua server (auth.log, access.log), dung regex de nhan dien cac IP co dau hieu tan cong brute force, tu dong them firewall rule block IP do.

Khi noi den bao mat WordPress, nhieu nguoi chi nghi den plugin nhu Wordfence hay Solid Security. Nhung plugin chi chan o tang ung dung – van tieu thu CPU PHP va database moi lan xu ly request. Fail2Ban chan o tang firewall – IP bi block khong the ngay ca ket noi den server, giam hoan toan tai vat ly.

Mot dieu quan trong ban can hieu: Fail2Ban khong the thay the SSH key authentication hay mat khau manh. No la lop phong thu thu hai, khong phai lop dau tien.

Cai dat Fail2Ban tren Ubuntu VPS nhu the nao?

Ban lam theo 3 buoc sau la xong. Minh dat tat ca lenh co prefix sudo de ban co the copy-paste truc tiep.

Buoc 1: Cap nhat package va cai dat:

sudo apt update && sudo apt install fail2ban -y

Buoc 2: Kich hoat service va khoi dong cung he thong:

sudo systemctl enable --now fail2ban
sudo systemctl status fail2ban --no-pager

Kiem tra ban se thay Active: active (running).

Buoc 3: Xac nhan Fail2Ban client hoat dong:

sudo fail2ban-client ping

Neu tra ve Server replied: pong la OK.

Luu y quan trong: Khong bao gio chinh sua file /etc/fail2ban/jail.conf. File nay se bi overwrite khi update package. Luon luon tao file /etc/fail2ban/jail.local de ghi de cau hinh.

Cau hinh SSH Jail chuan cho production nhu the nao?

Day la cau hinh SSH jail minh dang dung tren production. Ban tao file /etc/fail2ban/jail.local:

sudo nano /etc/fail2ban/jail.local

Va dan vao noi dung sau:

[DEFAULT]
backend = systemd
banaction = nftables-multiport
banaction_allports = nftables-allports
findtime = 10m
maxretry = 3
bantime = 1h
ignoreip = 127.0.0.1/8 ::1

[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
findtime = 600
bantime = 86400
bantime.increment = true
bantime.factor = 2
bantime.maxtime = 604800

Minh giai thich tung tham so de ban hieu ro dang lam gi:

• maxretry = 3: Sau 3 lan that bai thi ban. 3 la con so can bang giua an toan va khong khoang nhu cua nguoi dung chinh dong.
• findtime = 600: Dem so lan that bai trong cua so 10 phut. Qua 10 phut thi reset dem.
• bantime = 86400: Ban lan dau 24 gio (86.400 giay).
• bantime.increment = true + factor = 2: Tan cong lai sau khi het ban? Lan 2 se bi 48 gio, lan 3 bi 96 gio, lan 4 bi 192 gio – nhan doi cho den khi dat maxtime.
• bantime.maxtime = 604800: Ban dai nhat la 7 ngay (604.800 giay).
• ignoreip: IP trong danh sach nay khong bao gio bi ban. Luon luon giu localhost.

Khoi dong lai Fail2Ban va kiem tra:

sudo systemctl restart fail2ban
sudo fail2ban-client status sshd

Ban se thay thong tin jail sshd dang chay, so IP hien bi ban, va so lan that bai.

Luu y: Neu SSH cua ban chay port khac (vi du port 2847), doi port = ssh thanh port = 2847. Fail2Ban can biet chinh xac port de tao firewall rule dung.

Lam sao de bao ve WordPress login khoi brute force?

WordPress co hai endpoint bi tan cong nhieu nhat: wp-login.php (form dang nhap) va xmlrpc.php (remote publishing, cung duoc dung cho pingback attack). Fail2Ban khong ship san filter cho WordPress, ban can tao custom filter.

Buoc 1: Tao filter cho WordPress:

sudo nano /etc/fail2ban/filter.d/wordpress.conf

Noi dung filter:

[Definition]
failregex = ^<HOST> .* \"(POST|GET) /(wp-login\.php|xmlrpc\.php).*\" (200|401|403) .*
ignoreregex =

Filter nay match cac IP gui POST hoac GET den wp-login.php hoac xmlrpc.php va nhan response 200 (dang nhap thanh cong nhung van nghi van), 401 (chua xac thuc), hoac 403 (bi chan). Regex nay hoat dong voi combined log format chuan cua ca Nginx va Apache.

Buoc 2: Them WordPress jail vao jail.local:

[wordpress]
enabled = true
filter = wordpress
logpath = /var/log/nginx/access.log
port = http,https
findtime = 10m
maxretry = 5
bantime = 12h

Minh dat maxretry = 5 vi nguoi dung binh thuong co the go nham mat khau 2-3 lan. 5 lan trong 10 phut la dau hieu bat thuong roi. bantime = 12h du dai de bot thu het ban ma khong anh huong nguoi dung that.

Buoc 3: Khoi dong lai Fail2Ban va kiem tra:

sudo systemctl restart fail2ban
sudo fail2ban-client status wordpress

Buoc 4 (rat quan trong): Test filter truoc khi dua len production:

sudo fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/wordpress.conf

Lenh nay chay filter tren log file that ma khong ban IP. Ban se thay bao cao: bao nhieu line match, bao nhieu miss. Neu match = 0 ma ban biet chac server dang bi tan cong, regex cua ban chua dung.

Them Nginx jail de chan bot scan file nhay cam?

Ngoai WordPress login, bot con scan cac duong dan nhu /admin, /phpmyadmin, /.env, /wp-config.php.bak. Day la nhu diem dau hieu tan cong. Fail2Ban co san filter nginx-botsearch de xu ly.

Them vao jail.local:

[nginx-botsearch]
enabled = true
port = http,https
filter = nginx-botsearch
logpath = /var/log/nginx/access.log
maxretry = 5
findtime = 300
bantime = 86400

Mot jail nua danh cho HTTP Basic Auth, neu ban dung de bao ve staging site hoac admin area:

[nginx-http-auth]
enabled = true
port = http,https
filter = nginx-http-auth
logpath = /var/log/nginx/error.log
maxretry = 5
findtime = 300
bantime = 3600

Khoi dong lai Fail2Ban:

sudo systemctl restart fail2ban
sudo fail2ban-client status

Ban se thay danh sach jail: sshd, wordpress, nginx-botsearch, nginx-http-auth – tat ca deu enabled.

Cach kiem tra va quan ly IP bi ban?

Day la cac lenh minh dung hang ngay de giam sat Fail2Ban.

Xem trang thai tat ca jail:

sudo fail2ban-client status

Xem chi tiet mot jail (vi du wordpress):

sudo fail2ban-client status wordpress

Output se hien thi so IP dang bi ban, danh sach IP, va so lan that bai.

Bo ban mot IP cu the:

sudo fail2ban-client set wordpress unbanip 203.0.113.50

Ban thu cong mot IP (de test):

sudo fail2ban-client set wordpress banip 203.0.113.50

Xem log Fail2Ban real-time:

sudo tail -f /var/log/fail2ban.log

Minh luon giu mot terminal mo tail -f ngay sau khi cai Fail2Ban de quan sat bot bi ban. Cu 5-10 phut la thay mot IP moi bi block, cam giac rat hai long.

Kiem tra ban co dang that su chan duoc IP khong?

Day la loi sai pho bien nhat minh gap. Fail2Ban bao “ban thanh cong” nhung IP van ket noi duoc binh thuong. Nguyen nhan thuong la banaction khong khop voi firewall dang dung.

Buoc 1: Kiem tra firewall dang chay:

sudo ufw status verbose    # neu dung UFW
sudo nft list ruleset      # neu dung nftables
sudo iptables -L -n        # neu dung iptables

Buoc 2: Ban thu cong mot IP test (dung IP trong documentation range 203.0.113.0/24):

sudo fail2ban-client set sshd banip 203.0.113.50

Buoc 3: Kiem tra firewall xem rule da duoc them chua:

sudo nft list ruleset | grep 203.0.113.50
# hoac
sudo iptables -L -n | grep 203.0.113.50

Neu khong thay rule, banaction cua ban chua dung. Doi lai trong jail.local:

• Dung UFW: banaction = ufw
• Dung nftables: banaction = nftables-multiport
• Dung iptables: banaction = iptables-multiport

Buoc 4: Unban IP test:

sudo fail2ban-client set sshd unbanip 203.0.113.50

Khi dung sau Cloudflare thi can chu y gi dac biet?

Neu website cua ban dung sau Cloudflare hoac reverse proxy, access log cua Nginx se ghi IP cua Cloudflare thay vi IP cua client that. Fail2Ban se ban IP Cloudflare – va day la thảm hoạ. Toan bo traffic bi block.

Fix: Cau hinh Nginx lay real IP tu Cloudflare. Mo virtual host config cua ban:

# Danh sach IP Cloudflare (cap nhat tai https://www.cloudflare.com/ips/)
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 104.16.0.0/13;
set_real_ip_from 104.24.0.0/14;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 131.0.72.0/22;

real_ip_header CF-Connecting-IP;

Sau khi reload Nginx, access log se ghi IP that cua client. Fail2Ban se ban dung IP tan cong.

Mot cach khac la them IP Cloudflare vao ignoreip de chan truong hop ban nham, nhung minh khong khuyen nghi cach nay vi no lam Fail2Ban vo hieu qua voi request den tu Cloudflare.

Cau hinh ignoreip dung cach de khong tu khoa chinh minh?

Day la loi kinh dien: ban cau hinh Fail2Ban qua khat, go nham mat khau vai lan, va tu ban chinh IP cua minh. Khong the SSH vao server de unban.

Luon luon them IP van phong/VPN cua ban vao ignoreip:

[DEFAULT]
ignoreip = 127.0.0.1/8 ::1 198.51.100.10 203.0.113.25

Neu ban da tu ban minh:

1. Truy cap VPS qua web console cua nha cung cap (Hetzner, DigitalOcean, Vultr deu co)
2. Dang nhap voi root credentials
3. Chay: sudo fail2ban-client set sshd unbanip <your_ip>
4. Hoac tam tat Fail2Ban: sudo systemctl stop fail2ban

Luu y: Neu IP cua ban thay doi thuong xuyen, dung co them ca dai IP cua ISP vao ignoreip – do se tao lo ho bao mat. Hay dung VPN voi IP co dinh thay.

Phan Troubleshooting: cac loi Thuong gap

Loi 1: Jail khong hien thi trong fail2ban-client status

Nguyen nhan: Filter file chua ton tai hoac co loi syntax. Kiem tra:

sudo fail2ban-client status wordpress
# Neu bao "Sorry but the jail 'wordpress' does not exist"
# Kiểm tra lại file jail.local có section [wordpress] và enabled = true

Loi 2: Filter match = 0 trong khi log co tan cong

Xem lai log format. Mot so VPS dung log format khac mac dinh:

# Xem log that
sudo tail -5 /var/log/nginx/access.log

# Test filter
sudo fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/wordpress.conf

Neu log format khac combined format chuan, ban can chinh lai regex hoac chinh log format trong Nginx config.

Loi 3: Fail2Ban khong start duoc sau khi doi config

sudo fail2ban-client -t
# Lenh nay kiem tra syntax cua tat ca config

Neu bao loi o dong nao, sua dong do. Loi thuong gap la thieu dau ngoac vuong [ cho section, hoac sai ten filter.

Loi 4: Ban bi CPU cao vi Fail2Ban doc log qua lon

Neu access.log cua ban rat lon (vat qua 1GB), Fail2Ban mat nhieu thoi gian quet. Giai phap: cau hinh logrotate de xoay log nho hon:

sudo nano /etc/logrotate.d/nginx

Dam bao daily va rotate 7 hoac rotate 14. Log khong qua 1-2 ngay se giup Fail2Ban chay nhanh va nhe.

Loi 5: WordPress jail ban IP cua Googlebot hoac Bingbot

Them Googlebot va Bingbot vao ignoreip khong phai cach tot – bot that cung co the bi fake. Thay vao do, ban co the them ignoreregex vao filter de loai bo request co user-agent cua search engine chinh thuc:

[Definition]
failregex = ^<HOST> .* \"(POST|GET) /(wp-login\.php|xmlrpc\.php).*\" (200|401|403) .*
ignoreregex = .*Googlebot.*|.*Bingbot.*

Ket luan: ban nen lam gi ngay bay gio?

Fail2Ban la cong cu bat buoc phai co tren moi VPS chay WordPress. No khong ton tai nguyen (chi ~30MB RAM), cau hinh mot lan va quen di. Bat khi ban log vao kiem tra, thay danh sach IP bi ban dai lang bang, moi cam nghien den tac dong cua no.

Thu tu minh khuyen nghi:

1. Cai Fail2Ban va cau hinh SSH jail truoc tien (5 phut)
2. Them WordPress jail va test filter (10 phut)
3. Them Nginx botsearch jail (2 phut)
4. Giu mot terminal tail -f /var/log/fail2ban.log trong ngay dau de quan sat
5. Sau 24-48 gio, kiem tra lai va dieu chinh maxretry/bantime neu can

Neu ban chua doc bai bao mat wp-config.php 12 cau hinh thi nen doc them de bao ve WordPress o tang ung dung. Fail2Ban bao ve o tang server, wp-config hardening bao ve o tang code – ca hai cung di lien voi nhau.

Neu ban gap loi gi trong qua trinh cai dat, cu de lai comment ben duoi, minh se giup.