Yesterday I checked my blog and got “Request timed out”. As you can guess from the title I become a victim of XML RPC exploit. There a lot of info on Internet describing what XML RPC exploit is and how to defend your blog. I will describe how I fought that attack myself. Well, with the help from mighty Google search 🙂
So when I logged into my AWS instance the first symptom was high CPU load from httpd. Which is not very surprising for t2.micro instance type 🙂 Then I checked /var/log/httpd/access_log and found tons of events like this:
126.96.36.199 - - [14/Oct/2016:20:03:56 +0000] "POST /xmlrpc.php HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
The first mitigation is to disable access to /xmlrpc.php in .htaccess:
Redirect 301 /xmlrpc.php http://127.0.0.1
That reflects the attacker and unloads your server so you can log in to WordPress admin console. The next thing is to shield your WordPress from similar attacks.
For that I installed WP Fail2Ban Redux plugin which logs all malicious events (including xmlrpc) to system log so they can be analyzed by Fail2ban service. Then I installed actual fail2ban service using yum and copied configurations from plugin’s folder. Note that you have to specify correct path to system log file plus default configuration does not actually ban (in Amazon Linux at least). Here is my local.jail for WordPress:
[wordpress-hard] enabled = true filter = wordpress-hard logpath = /var/log/messages maxretry = 2 action = iptables-multiport[name=WordPress, port="http,https", blocktype=DROP] [wordpress-soft] enabled = true filter = wordpress-soft logpath = /var/log/messages maxretry = 5 action = hostsdeny
Basically these rules will block furious attacker using firewall (by dropping tcp packets). The wordpress-soft rule is about password attack and it just adds host to the hosts.deny for 10 minutes (default ban time). After that you can remove redirect rule from .htaccess if you need xmlrpc feature. I will keep it disabled…