Question

fail2ban parsing errors on insert of [apache-xmlrpc] jail filter.

Hey guys & girls

I am running Apache 2.4.7 on Ubuntu Server 14.04 and WordPress 4.5, PHP 5.x? (Zend), sourced from a Bitnami LAMP stack.

My Apache web server is relentlessly logging attacks by what I presume are bots trying to brute-force hack their way in through the xmlrpc.php vulnerability:

I've followed the seemingly simple install and config of 'fail2ban', which adds the IPs of repeat offenders to your iptables server firewall by analysing the apache2 access log. So I followed the widely available instructions, created a .local copy of /etc/fail2ban/jail.conf and inserted the following jail space conditions.

```ini
[apache-xmlrpc]
# option lines must start in column 1; only the second action is indented,
# as a continuation of the "action" value
enabled = true
port = http, https
filter = apache-xmlrpc
action = iptables[name=XMLRP, port=http, protocol=tcp]
         sendmail-whois[name=XMLRP, dest=me@example.com]
logpath = /opt/lampstack-5.5.30-1/apache2/logs/access_log
maxretry = 3
bantime = 28800
```

However, when I try to restart 'fail2ban' with this section in, I get the following error:

```
ERROR Failed during configuration: File contains parsing errors: /etc/fail2ban/jail.local
[line 211]: ' enabled = true\n'
[line 212]: ' port = http, https\n'
[line 213]: ' filter = apache-xmlrpc\n'
[line 214]: ' action = iptables[name=XMLRP, port=http, protocol=tcp]\n'
[line 216]: ' logpath = /opt/lampstack-5.5.30-1/apache2/logs/access_log\n'
[line 217]: ' maxretry = 3\n'
[line 218]: ' bantime = 28800\n'
```

If I take OUT this section it starts fine, but obviously it will not be protecting me against these attacks.

Do you think this is due to something weird in the way I've inserted the section in the editor, with the newline \n appended, OR is there a problem with the filter /etc/fail2ban/filter.d/apache-xmlrpc.conf, which is set up like this, OR is there a problem with resolving what I presume is the <HOST> environment variable?

```ini
[Definition]
# <HOST> is the tag fail2ban replaces with its own IP/hostname pattern;
# the dot in xmlrpc.php is escaped so it only matches a literal dot
failregex = ^<HOST> .*POST .*xmlrpc\.php.*
ignoreregex =
```

The issue is that I 'think' it's the root cause of a proliferation of forked Apache child processes that are causing my VPS to run out of memory. I think there are plugins at the WordPress level that will at least defend your application, but it seems like a neater solution just to block these f**kers at the server firewall level.

I'm an amateur when it comes to Linux sysadmin, so any ideas most gratefully received.

Phil
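As an added example (not code from the post, and not fail2ban's own code) for checking a filter like the one above before enabling the jail, the script below does a small version of what the real `fail2ban-regex` tool does: it reads the failregex from a filter config, expands the `<HOST>` tag with an assumed stand-in for fail2ban's host pattern, and counts matches per client over constructed access_log lines against the jail's maxretry. The config texts, the host pattern and the log lines are all constructed for the example.

```python
import configparser
import re
from collections import Counter

# Constructed filter text, in the form of the poster's filter.d/apache-xmlrpc.conf.
FILTER_CONF = r"""[Definition]
failregex = ^<HOST> .*POST .*xmlrpc\.php.*
ignoreregex =
"""
# Constructed jail section, option lines flush left (indented ones caused the parse error).
JAIL_CONF = """[apache-xmlrpc]
enabled = true
filter = apache-xmlrpc
maxretry = 3
"""
# Assumed stand-in for the pattern fail2ban substitutes for <HOST>
# (the real one differs between fail2ban versions).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
# Constructed Apache access_log lines using RFC 5737 documentation addresses.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/May/2016:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370',
    '198.51.100.4 - - [10/May/2016:10:00:02 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42',
    '203.0.113.7 - - [10/May/2016:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370',
    '198.51.100.4 - - [10/May/2016:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 1200',
    '203.0.113.7 - - [10/May/2016:10:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370',
    '198.51.100.4 - - [10/May/2016:10:00:06 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370',
]

def load_failregex(filter_text):
    """Read failregex from the filter and expand the <HOST> tag as fail2ban does."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(filter_text)
    return re.compile(cp["Definition"]["failregex"].replace("<HOST>", HOST_RE))

def count_failures(regex, lines):
    """Per-host count of log lines that the failregex matches."""
    hits = Counter()
    for line in lines:
        m = regex.match(line)
        if m:
            hits[m.group("host")] += 1
    return hits

def hosts_to_ban(jail_text, filter_text, lines):
    """Hosts whose failure count has reached the jail's maxretry."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(jail_text)
    maxretry = cp["apache-xmlrpc"].getint("maxretry")
    hits = count_failures(load_failregex(filter_text), lines)
    return sorted(host for host, n in hits.items() if n >= maxretry)
```

With the sample lines, only the client that POSTed to xmlrpc.php three times reaches maxretry; the GET and the wp-login.php POST are not counted by this filter.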


Hi there!

I actually found this guide for xmlrpc + fail2ban. I tested it and it’s working great for me :)

http://xplus3.net/2013/05/09/securing-xmlrpc-wordpress/

If you have any further questions, do feel free to ask!

Kind Regards, Jarland