Question

How to block xml-rpc attacks for all domains?

I want to block access to xmlrpc.php to all traffic on all dozen or so sites hosted on my droplet– Ubuntu 16.04, Apache. I used this command to search for attempts to access this file:

grep xmlrpc /var/log/apache2/access.log

And I found that I’m getting traffic to it every few seconds. Many, many log entries. I don’t use Jetpack or any other plugins that use this, so I decided to simply block all access. So I went to each vhost configuration file and added the following:

<files xmlrpc.php>
order allow,deny
deny from all
</files>

(Later, I realized that I could have just blocked it for all sites from the apache2.conf file.)

I modified all conf files and restarted Apache, then I searched again, and found that I’m still getting traffic. The result is 403 forbidden, but it’s still happening, every few seconds. It’s been days now and the traffic continues. Is that normal? Will this attack stop eventually? Even though it’s not resulting in out-of-memory errors anymore, is it still harmful?

Submit an answer


This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Sign In or Sign Up to Answer

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

alexdo
Site Moderator
Site Moderator badge
September 19, 2019
Accepted Answer

Hey, @kelseybarmettler

It’s good that you’ve blocked the xmlrpc attack using the Apache configuration file, because in this way you’re protecting all of your sites again this attacks.

If you’re seeing 403 statuses in the access logs, then you’re safe. The memory usage will not be the same if they were able to access the files (status 200). However it’s still really annoying that the attack is still ongoing and I understand your frustration here.

Unfortunately the brute force attacks on wp-login.php and the xmlrpc.php are still widely used against shared and dedicated hosting servers. They’re proven to work and that’s why people are still doing this all the time. However there is still something you can do in order to protect yourself.

What you can do is to simply block the IP addresses from which the xmlrpc malicious requests are coming. I will advise you to block not only the IP addresses but also their respective IP ranges, because the attacks are likely to come from IPs sharing the same range/subnet. You can use iptables to block an entire range of IP addresses.

You can examine the access logs or use netstat or ss to see which IPs are getting the 403 access forbidden on the xmlrpc.php files. You can then check if more than IP from the same IP range is sending requests. You can easily check the IP range of an IP address using the whois command and look for the route: information.

The iptables command you can use to block an IP address or range is:

iptables -A INPUT -s IP-ADDRESS -j DROP

iptables -A INPUT -s x.x.x.0/24 -j DROP

Hopefully if the attack is coming from several IP ranges you will be able to block all the IPs which are still attacking your server. Have in mind that this might take a while and I’m speaking from experience. It’s not rare when the attack will resume from an entire different IP range originating from a whole different country, which is the next step you can take. If you do not expect business from a certain country and you can see in the access logs that a lot of IP addresses coming from the country in question, you can simply block the Country. If you’re interested in this option, you can have a look at this article where iptables is used alongside geoip addons:

https://linoxide.com/linux-how-to/block-ips-countries-geoip-addons/

If you have any questions, feel free to ask! I hope this helps a bit. Alex

Try DigitalOcean for free

Click below to sign up and get $200 of credit to try our products over 60 days!

Sign up

card icon
Get our biweekly newsletter

Sign up for Infrastructure as a Newsletter.

Sign up
card icon
Hollie's Hub for Good

Working on improving health and education, reducing inequality, and spurring economic growth? We’d like to help.

Learn more
card icon
Become a contributor

You get paid; we donate to tech nonprofits.

Learn more
Featured on Community
Kubernetes CourseLearn Python 3Machine Learning in PythonGetting started with GoIntro to Kubernetes
DigitalOcean Products
CloudwaysVirtual MachinesManaged DatabasesManaged KubernetesBlock StorageObject StorageMarketplaceVPCLoad Balancers
Welcome to the developer cloud

DigitalOcean makes it simple to launch in the cloud and scale up as you grow – whether you’re running one virtual machine or ten thousand.

Learn more ->
DigitalOcean Cloud Control Panel
Get started for free

Enter your email to get $200 in credit for your first 60 days with DigitalOcean.

New accounts only. By submitting your email you agree to our Privacy Policy.

© 2023 DigitalOcean, LLC.