I know it’s not about DigitalOcean, but someone might know the solution. I’m getting an xmlrpc attack on Wordpress and it causes 100% CPU usage.
Anyone know the solution? I’ll be grateful.
I have a few web sites that have been subject to this attack since last night. I’ve blocked the IPs via iptables but the logs show the requests keep coming. Should these IPs be reported to DO Support? I would be surprised if my servers are the only ones affected and am surprised this traffic has not been seen and/or blocked by DO.
Try this.
I posted this on a similar question about xmlrpc.php and I found this page when searching for a solution to our problem. Hopefully this will help anyone else in the same boat:
Our solution uses fail2ban like the others, but with actions set up to use ufw commands, since we love the simplicity of that firewall. Note that our log file is different from the default and includes the IP address the request was sent to first (other_vhosts_access.log), so remove the first “\S*” and the space from the regex for the normal access log. For some reason, this was the default when we set up the Wordpress droplet. YMMV.
No changes to Wordpress or any plugins were required to install this. This does mean that fail2ban can’t actually tell if there was a failure; it just looks at how often those URLs were accessed.
HTH
Sources:
One quick thing you can do that should help is to set up some firewalling and block the specific IP address that is making the connection. If you’re on Ubuntu, using ufw is the simplest way to manage IPTables firewalling. Check out this tutorial for all the info:
The quick, TL;DR version is to first set up default rules allowing outgoing connections and denying incoming ones:
Then set up the ports you want open:
Finally, block the IP address and enable ufw:
This should stop them for now. Of course, the people up to these kinds of unsavory things often manage to switch up their IP addresses frequently. Doing this by hand over and over again is not desirable. You can set up fail2ban to do a lot of this for you automatically. For more information on how to do that, check out: