By phillong
Hey guys & girls
I am running Apache 2.4.7 on Ubuntu Server 14.04 with WordPress 4.5, PHP 5.x? (Zend), sourced from a Bitnami LAMP stack.
My Apache web server is relentlessly logging attacks by what I presume are bots trying to brute-force their way in through the xmlrpc.php vulnerability:
I've followed the seemingly simple install and config of fail2ban, which adds the IP of repeat offenders to your iptables server firewall by analyzing the apache2 access log. So I followed the widely available instructions, created a .local copy of /etc/fail2ban/jail.conf and inserted the following jail section:
```ini
[apache-xmlrpc]
enabled = true
port = http, https
filter = apache-xmlrpc
action = iptables[name=XMLRP, port=http, protocol=tcp]
logpath = /opt/lampstack-5.5.30-1/apache2/logs/access_log
maxretry = 3
bantime = 28800
```
However, when I try to restart fail2ban with this section in place, I get the following error:
```
ERROR Failed during configuration: File contains parsing errors: /etc/fail2ban/jail.local
[line 211]: ' enabled = true\n'
[line 212]: ' port = http, https\n'
[line 213]: ' filter = apache-xmlrpc\n'
[line 214]: ' action = iptables[name=XMLRP, port=http, protocol=tcp]\n'
[line 216]: ' logpath = /opt/lampstack-5.5.30-1/apache2/logs/access_log\n'
[line 217]: ' maxretry = 3\n'
[line 218]: ' bantime = 28800\n'
```
If I take OUT this section it starts fine, but obviously will not be protecting me against these attacks.
Do you think this is due to something weird in the way I've inserted the section in the editor with the newline \n appended, OR is there a problem with the filter /etc/fail2ban/filter.d/apache-xmlrpc.conf, which is set up like this, OR is there a problem with resolving what I presume is the <HOST> environment variable?
```ini
[Definition]
failregex = ^<HOST> .*POST .xmlrpc.php.
ignoreregex =
```
The issue is that I 'think' it's the root cause of a proliferation of forked Apache child processes that are causing my VPS to run out of memory. I think there are plugins at the WordPress level that will at least defend the application, but it seems like a neater solution just to block these f**kers at the server firewall level.
I'm an amateur when it comes to Linux sysadmin, so any ideas most gratefully received?
Phil
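The error output quoted above is the report that Python 2's ConfigParser (which fail2ban 0.8 on Ubuntu 14.04 uses to read jail.local) produces for option lines it cannot parse, and every rejected line is shown starting with a space: ConfigParser 2.x accepts an indented line only as a continuation of the value above it, so jail keys have to start in column 1. The script below is an added example, not code from the post or from fail2ban itself. It parses a flush-left copy of the posted jail section with the standard library's configparser, expands `<HOST>` the way fail2ban does, and replays a few constructed access_log lines through the posted failregex using fail2ban's maxretry/findtime counting rule. The findtime value, the IP addresses and the log lines are assumptions made up for the example.

```python
import configparser
import re
from collections import defaultdict, deque
from datetime import datetime

# fail2ban substitutes this for the <HOST> tag in a failregex (IPv4,
# hostname, or IPv4-mapped IPv6 such as ::ffff:203.0.113.7) and exposes
# the address as the "host" capture group.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# failregex exactly as written in the posted apache-xmlrpc.conf.
FAILREGEX = r"^<HOST> .*POST .xmlrpc.php."

# The posted jail section with every key starting in column 1. fail2ban's
# ConfigParser accepts an indented line only as a continuation of the
# value above it, so indented keys are reported as parsing errors.
# findtime is an assumption for this example (fail2ban's default is 600).
JAIL_LOCAL = """\
[apache-xmlrpc]
enabled = true
port = http, https
filter = apache-xmlrpc
action = iptables[name=XMLRP, port=http, protocol=tcp]
logpath = /opt/lampstack-5.5.30-1/apache2/logs/access_log
maxretry = 3
findtime = 600
bantime = 28800
"""

# Constructed Apache access_log lines (addresses from documentation ranges).
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [27/Apr/2016:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/5.0"
198.51.100.20 - - [27/Apr/2016:10:00:02 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "curl/7.35.0"
203.0.113.7 - - [27/Apr/2016:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/5.0"
192.0.2.44 - - [27/Apr/2016:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "wp-android/5.6"
203.0.113.7 - - [27/Apr/2016:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/5.0"
::ffff:198.51.100.9 - - [27/Apr/2016:10:05:00 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "-"
::ffff:198.51.100.9 - - [27/Apr/2016:10:05:01 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "-"
::ffff:198.51.100.9 - - [27/Apr/2016:10:20:00 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "-"
"""

LOG_TS = re.compile(r"\[([^\]]+)\]")


def load_jail(text):
    """Parse a jail.local fragment as INI and return the settings we use."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    j = cp["apache-xmlrpc"]
    return {
        "filter": j["filter"],
        "maxretry": j.getint("maxretry"),
        "findtime": j.getint("findtime"),
        "bantime": j.getint("bantime"),
    }


def compile_failregex(failregex):
    """Expand <HOST> the way fail2ban does and compile the result."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def log_time(line):
    """Return the bracketed timestamp of an access_log line as a datetime."""
    return datetime.strptime(LOG_TS.search(line).group(1), "%d/%b/%Y:%H:%M:%S %z")


def match_host(pattern, line):
    """Return the host the failregex captured on this line, or None."""
    m = pattern.search(line)
    return m.group("host") if m else None


def find_bans(log_lines, failregex, maxretry, findtime):
    """
    Replay log lines through the filter and return the hosts that would be
    banned: a host is banned once it has maxretry matches inside any
    findtime-second window (fail2ban's counting rule). Matches older than
    findtime are forgotten, so slow, spread-out attempts never add up.
    """
    pattern = compile_failregex(failregex)
    recent = defaultdict(deque)  # host -> timestamps of its recent matches
    banned = []
    for line in log_lines:
        host = match_host(pattern, line)
        if host is None or host in banned:
            continue
        ts = log_time(line)
        hits = recent[host]
        hits.append(ts)
        while (ts - hits[0]).total_seconds() > findtime:
            hits.popleft()
        if len(hits) >= maxretry:
            banned.append(host)
    return banned


if __name__ == "__main__":
    jail = load_jail(JAIL_LOCAL)
    lines = SAMPLE_ACCESS_LOG.splitlines()
    print("would ban:", find_bans(lines, FAILREGEX, jail["maxretry"], jail["findtime"]))
```

Run as a script it reports only 203.0.113.7, which POSTed to xmlrpc.php three times in two seconds. The GET from 198.51.100.20 never matches, the single legitimate POST from the mobile app at 192.0.2.44 stays under maxretry, and the third hit from 198.51.100.9 arrives fifteen minutes after the first two, outside the 600-second findtime, so it is not banned either (raising findtime to 3600 would ban it). Note that the posted failregex leaves the dots unescaped and is not anchored to the request field; `^<HOST> \S+ \S+ \[[^\]]+\] "POST /xmlrpc\.php` would match only genuine POST requests to that file.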
Hi there!
I actually found this guide for xmlrpc + fail2ban. I tested it and it’s working great for me :)
http://xplus3.net/2013/05/09/securing-xmlrpc-wordpress/
If you have any further questions, do feel free to ask!
Kind Regards, Jarland