AWS too many requests, Block IP addresses
If you're running a WordPress site on an Amazon EC2 instance, you might have encountered the dreaded "AWS too many requests" error, where your IP address gets temporarily blocked due to excessive requests. This can happen due to various reasons, such as brute-force attacks on your WordPress admin login or abusive traffic from bots. In this article, we'll walk through the steps to configure fail2ban on an Amazon Linux AMI to effectively mitigate these issues and protect your server.
Step 2: Configure jail.local and wordpress.conf
This configuration will work for both HTTPS and HTTP, and will protect against wp-login and xml-rpc attacks.
First, let's create the jail.local file:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Now, edit the /etc/fail2ban/jail.local file and add the following configuration at the bottom:
[wordpress]
enabled = true
port = http,https
action = iptables-multiport[name="wordpress", port="http,https", protocol="tcp"]
# Uncomment the next line if you want emails when someone is banned.
# Keep its leading whitespace so it continues the action value above:
#         sendmail-whois[name=fail2ban-wp-bruteforce, dest="your-email@yourdomain.com"]
filter = wordpress
logpath = /var/log/httpd/*access_log
maxretry = 5
Next, create and edit the /etc/fail2ban/filter.d/wordpress.conf file:
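[Definition]
# A single failregex option holds both patterns; the second is an indented
# continuation line. A repeated "failregex =" key would not add a pattern.
failregex = ^<HOST> - - .* "POST .*(wp-login\.php|xmlrpc\.php) HTTP/.*" (200|401|403)
            ^<HOST> - - .* "GET .*(wp-login\.php|xmlrpc\.php) HTTP/.*" (200|401|403)
ignoreregex =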
Note: If you're using .htaccess rules to return 403 for any wp-admin/* resources originating from non-whitelisted IPs (as described in Step 7 of How to Lock WordPress Admin Login with .htaccess Rules), you can safely remove |403 from the regexes.
Related Note: "scoreboard is full" errors may indicate a DDoS attack. Another symptom of DDoS attacks may be a flood of errors in /var/log/httpd/error_log and/or /var/log/httpd/ssl_error_log that look like this:
[Sun Apr 15 09:10:47.038565 2018] [mpm_worker:error] [pid 2847:tid 140053879679040] AH00288: scoreboard is full, not at MaxRequestWorkers
This sent me on a wild goose chase until I correlated the above errors with the access_log errors discussed in this question; thought it was worth a mention.
Step 3: Restart fail2ban and test the configuration
After saving the configuration files, restart the fail2ban service:
sudo systemctl restart fail2ban
You can verify that the configuration is working by checking the fail2ban logs:
sudo tail -n 20 /var/log/fail2ban.log
You should see log entries indicating that fail2ban is monitoring the WordPress-related log files and taking action when necessary.
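Before relying on the jail, it helps to dry-run the filter against known log lines. The following is an added example, not part of the original article or of fail2ban itself (the fail2ban-regex tool that ships with fail2ban performs the real check against your log and filter file). It applies the two failregex patterns, with dots escaped, to constructed access-log lines and reports which addresses reach maxretry; the IPv4-only HOST pattern, the helper names and the sample lines are assumptions, and the findtime window is ignored.

```python
import re
from collections import Counter

# Simplified IPv4-only stand-in for fail2ban's <HOST> tag (assumption).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAILREGEX = [
    r'^<HOST> - - .* "POST .*(wp-login\.php|xmlrpc\.php) HTTP/.*" (200|401|403)',
    r'^<HOST> - - .* "GET .*(wp-login\.php|xmlrpc\.php) HTTP/.*" (200|401|403)',
]
MAXRETRY = 5  # same value as maxretry in the [wordpress] jail


def line(ip, method, path, status):
    """Build one constructed Apache access-log line."""
    return f'{ip} - - [15/Apr/2018:09:10:47 +0000] "{method} {path} HTTP/1.1" {status} 1234'


# Constructed sample traffic (documentation-range addresses, not real data).
SAMPLE_LOG = "\n".join(
    [line("203.0.113.7", "POST", "/wp-login.php", 200)] * 6    # repeated login POSTs
    + [line("198.51.100.20", "POST", "/xmlrpc.php", 403)] * 2  # below maxretry
    + [line("198.51.100.20", "GET", "/wp-login.php", 200)]
    + [line("192.0.2.10", "GET", "/index.php", 200)] * 8       # ordinary browsing
    + [line("192.0.2.10", "POST", "/wp-login.php", 302)]       # 302 is not in the status list
)


def compile_filters(failregex):
    """Expand <HOST> and compile each pattern."""
    return [re.compile(rx.replace("<HOST>", HOST)) for rx in failregex]


def count_failures(log_text, patterns):
    """Count matching lines per source address (each line counted once)."""
    hits = Counter()
    for entry in log_text.splitlines():
        for pat in patterns:
            m = pat.search(entry)
            if m:
                hits[m.group("host")] += 1
                break
    return hits


def would_ban(hits, maxretry=MAXRETRY):
    """Addresses whose failure count has reached maxretry."""
    return sorted(ip for ip, n in hits.items() if n >= maxretry)


if __name__ == "__main__":
    failures = count_failures(SAMPLE_LOG, compile_filters(FAILREGEX))
    print(dict(failures), "->", would_ban(failures))
```

Note that the filter counts every GET or POST to wp-login.php with a 200 status, so a legitimate administrator who loads the login page repeatedly also accumulates failures.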
Conclusion
By following these steps, you should be able to effectively mitigate the "AWS too many requests" issue and protect your WordPress site running on an Amazon EC2 instance. The combination of fail2ban and .htaccess rules provides a robust defense against brute-force attacks and abusive traffic, helping to ensure the security and availability of your web application.