Yesterday I checked my blog and got “Request timed out”. As you can guess from the title, I became a victim of the XML-RPC exploit. There is a lot of info on the Internet describing what the XML-RPC exploit is and how to defend your blog. I will describe how I fought that attack myself. Well, with the help of the mighty Google search 🙂
So when I logged into my AWS instance, the first symptom was high CPU load from httpd, which is not very surprising for a t2.micro instance type 🙂 Then I checked /var/log/httpd/access_log and found tons of events like this:
191.96.249.80 - - [14/Oct/2016:20:03:56 +0000] "POST /xmlrpc.php HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
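Before touching .htaccess it helps to know how many sources are hammering xmlrpc.php and how fast. The script below is an added example, not code from the original post: it parses Apache combined-format lines like the one above and flags any client that POSTs to /xmlrpc.php at least maxretry times within a sliding findtime window, the same counting rule fail2ban applies. The sample log lines are constructed for the example (the 203.0.113.x and 198.51.100.x addresses are documentation ranges); only the first line is the one from the post.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format, matching the access_log line quoted in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one access_log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def xmlrpc_offenders(lines, maxretry=2, findtime=timedelta(minutes=10)):
    """Map each offending IP to its total number of POSTs to /xmlrpc.php.

    An IP is an offender once it has made at least `maxretry` such POSTs
    within any `findtime` window (fail2ban's maxretry/findtime semantics).
    Lines are assumed to be in chronological order per IP, as access_log is.
    """
    windows = defaultdict(list)   # ip -> timestamps of recent xmlrpc POSTs
    totals = defaultdict(int)     # ip -> all xmlrpc POSTs seen
    flagged = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # skip malformed lines instead of crashing
        if rec["method"] != "POST" or rec["path"].split("?", 1)[0] != "/xmlrpc.php":
            continue                      # only the XML-RPC endpoint matters here
        ip = rec["ip"]
        totals[ip] += 1
        win = windows[ip]
        win.append(rec["ts"])
        while win and rec["ts"] - win[0] > findtime:
            win.pop(0)                    # expire hits older than findtime
        if len(win) >= maxretry:
            flagged.add(ip)
    return {ip: totals[ip] for ip in sorted(flagged)}


# Constructed sample log: the first line is the one quoted in the post; the
# rest are made up to show a burst, a single legitimate pingback, and noise.
UA = "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
SAMPLE_LOG = [
    f'191.96.249.80 - - [14/Oct/2016:20:03:56 +0000] "POST /xmlrpc.php HTTP/1.0" 500 251 "-" "{UA}"',
    f'191.96.249.80 - - [14/Oct/2016:20:03:57 +0000] "POST /xmlrpc.php HTTP/1.0" 500 251 "-" "{UA}"',
    f'191.96.249.80 - - [14/Oct/2016:20:03:58 +0000] "POST /xmlrpc.php HTTP/1.0" 500 251 "-" "{UA}"',
    '198.51.100.4 - - [14/Oct/2016:20:04:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [14/Oct/2016:20:04:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "WordPress/4.6"',
    "this line is not a valid access_log entry",
    '203.0.113.7 - - [14/Oct/2016:20:40:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "WordPress/4.6"',
]

if __name__ == "__main__":
    for ip, count in xmlrpc_offenders(SAMPLE_LOG).items():
        print(f"{ip}: {count} POSTs to /xmlrpc.php")
```

Run it against the real file with `xmlrpc_offenders(open("/var/log/httpd/access_log"))` to get the list of addresses that a jail with the same maxretry would have banned. The two 203.0.113.7 requests are 36 minutes apart, so they never share a 10-minute window and that host is not flagged; raising maxretry to 4 clears the 191.96.249.80 burst too.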
The first mitigation is to disable access to /xmlrpc.php in .htaccess:
Redirect 301 /xmlrpc.php http://127.0.0.1
That bounces the attacker back to their own localhost and unloads your server so you can log in to the WordPress admin console. The next thing is to shield your WordPress from similar attacks.
For that I installed the WP Fail2Ban Redux plugin, which logs all malicious events (including xmlrpc) to the system log so they can be analyzed by the Fail2ban service. Then I installed the actual fail2ban service using yum and copied the configurations from the plugin’s folder. Note that you have to specify the correct path to the system log file, plus the default configuration does not actually ban (on Amazon Linux at least). Here is my jail.local for WordPress:
[wordpress-hard]
enabled = true
filter = wordpress-hard
logpath = /var/log/messages
maxretry = 2
action = iptables-multiport[name=WordPress, port="http,https", blocktype=DROP]

[wordpress-soft]
enabled = true
filter = wordpress-soft
logpath = /var/log/messages
maxretry = 5
action = hostsdeny
Basically these rules block a furious attacker using the firewall (by dropping TCP packets). The wordpress-soft rule is for password attacks and just adds the host to hosts.deny for 10 minutes (the default ban time). After that you can remove the redirect rule from .htaccess if you need the xmlrpc feature. I will keep it disabled…
You actually make it seem so easy with your presentation but I find this matter to be actually something
that I think I would never understand. It seems too complicated and very broad for me.
I am looking forward to your next post, I’ll try to get the hang of it!
Pretty! This has been an extremely wonderful post.
Many thanks for providing this info.
Superb site you have here but I was curious if you knew of any
community forums that cover the same topics discussed here?
I’d really love to be a part of an online community where I can get feedback from other
experienced individuals that share the same interest.
If you have any recommendations, please let me know.
Thanks!
I’ve been browsing online more than 2 hours today,
yet I never found any interesting article like yours.
It is pretty worth enough for me. Personally, if all webmasters and bloggers made good content as you did, the internet will be much more
useful than ever before.
Highly descriptive post, I loved that bit. Will there be a part 2?
Your style is really unique compared to other folks I’ve read stuff from.
Many thanks for posting when you’ve got the opportunity,
Guess I’ll just bookmark this page.