How to block xml-rpc attacks for all domains?

September 19, 2019
Apache WordPress

I want to block access to xmlrpc.php for all traffic on all of the dozen or so sites hosted on my droplet (Ubuntu 16.04, Apache).
I used this command to search for attempts to access this file:

grep xmlrpc /var/log/apache2/access.log

And I found that I’m getting traffic to it every few seconds. Many, many log entries. I don’t use Jetpack or any other plugins that use this, so I decided to simply block all access. So I went to each vhost configuration file and added the following:

<Files xmlrpc.php>
    # Apache 2.2-style access control; on Apache 2.4 this works because mod_access_compat is enabled by default in Ubuntu's apache2 package
    Order allow,deny
    Deny from all
</Files>

(Later, I realized that I could have just blocked it for all sites from the apache2.conf file.)

I modified all conf files and restarted Apache, then I searched again, and found that I’m still getting traffic. The result is 403 forbidden, but it’s still happening, every few seconds. It’s been days now and the traffic continues. Is that normal? Will this attack stop eventually? Even though it’s not resulting in out-of-memory errors anymore, is it still harmful?
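
One way to do the single global block the question mentions (instead of editing each vhost), as an added example that is not from the original post: a conf-available fragment in Apache 2.4 syntax, which every vhost on the server inherits. The filename block-xmlrpc.conf is an assumption.

```apache
# Added example, not from the original thread.
# Save as /etc/apache2/conf-available/block-xmlrpc.conf (assumed name), then:
#   a2enconf block-xmlrpc && apachectl configtest && systemctl reload apache2
<Files "xmlrpc.php">
    # Apache 2.4 syntax. The 2.2 form "Order allow,deny / Deny from all" only keeps
    # working while mod_access_compat is loaded, so prefer Require on 2.4.
    Require all denied
</Files>
```

Verify from outside with a HEAD or POST request to one of the sites and expect "403 Forbidden". Note what the 403 does and does not buy you: Apache still accepts the connection, parses the request and writes a log line, but PHP never runs, which is why the out-of-memory errors stopped. The requests themselves keep arriving until the sender gives up or is dropped at the packet filter.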

1 Answer

Hey, @kelseybarmettler

It’s good that you’ve blocked the xmlrpc attack using the Apache configuration file, because in this way you’re protecting all of your sites against these attacks.

If you’re seeing 403 statuses in the access logs, then you’re safe. The memory usage is not the same as it would be if they were able to access the file (status 200). However, it’s still really annoying that the attack is ongoing, and I understand your frustration here.

Unfortunately the brute force attacks on wp-login.php and the xmlrpc.php are still widely used against shared and dedicated hosting servers. They’re proven to work and that’s why people are still doing this all the time. However there is still something you can do in order to protect yourself.

What you can do is simply block the IP addresses from which the malicious xmlrpc requests are coming. I would advise you to block not only the IP addresses but also their respective IP ranges, because the attacks are likely to come from IPs sharing the same range/subnet. You can use iptables to block an entire range of IP addresses.

You can examine the access logs or use netstat or ss to see which IPs are getting the 403 Forbidden on the xmlrpc.php file. You can then check whether more than one IP from the same range is sending requests. You can easily check the IP range of an IP address using the whois command and looking for the route: information.

The iptables commands you can use to block an IP address or range are:

# Drop everything from a single source address
# (-A appends to the end of INPUT; if an earlier rule already ACCEPTs port 80/443, use -I to insert the DROP ahead of it)
iptables -A INPUT -s IP-ADDRESS -j DROP
# Drop an entire /24 range
iptables -A INPUT -s x.x.x.0/24 -j DROP

Hopefully, if the attack is coming from several IP ranges, you will be able to block all the IPs which are still attacking your server. Bear in mind that this might take a while; I’m speaking from experience. It’s not rare for the attack to resume from an entirely different IP range originating from a whole different country, which brings us to the next step you can take. If you do not expect business from a certain country and you can see in the access logs that a lot of IP addresses are coming from the country in question, you can simply block the country. If you’re interested in this option, you can have a look at this article where iptables is used alongside geoip addons:

https://linoxide.com/linux-how-to/block-ips-countries-geoip-addons/

If you have any questions, feel free to ask! I hope this helps a bit.
Alex

  • Thanks for the thorough information! I will certainly do that. This reply was very helpful and I look forward to blocking all this malicious traffic.
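
The log-review step from the answer (find the sources getting 403 on xmlrpc.php, group them by range, then write the iptables rules) as a script, added here as an example and not part of the original thread. The log lines are constructed for the demo and use documentation address ranges; on a real server point LOG at /var/log/apache2/access.log or a vhost log. The script only prints the rules for review and never applies them.

```shell
#!/usr/bin/env bash
# Added example, not from the original thread. Summarises which source IPs and /24
# ranges are hitting xmlrpc.php and getting 403, then prints matching iptables rules.
# Usage: LOG=/var/log/apache2/access.log MIN_HITS=5 ./xmlrpc-ranges.sh
set -eu

# Constructed sample in Apache "combined" log format (a real log has many more lines).
SAMPLE_LOG=$(cat <<'EOF'
203.0.113.10 - - [19/Sep/2019:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 403 455 "-" "Mozilla/5.0"
203.0.113.10 - - [19/Sep/2019:10:00:04 +0000] "POST /xmlrpc.php HTTP/1.1" 403 455 "-" "Mozilla/5.0"
203.0.113.77 - - [19/Sep/2019:10:00:07 +0000] "POST /xmlrpc.php HTTP/1.1" 403 455 "-" "Mozilla/5.0"
198.51.100.5 - - [19/Sep/2019:10:00:09 +0000] "GET /index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.5 - - [19/Sep/2019:10:00:12 +0000] "POST /xmlrpc.php HTTP/1.1" 403 455 "-" "Mozilla/5.0"
192.0.2.200 - - [19/Sep/2019:10:00:15 +0000] "POST /wp-login.php HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
EOF
)

# Count 403 responses on xmlrpc.php per source IP, reading log lines from stdin.
# Matching the request path ($7) and status ($9) columns, rather than grepping the
# whole line for "xmlrpc", avoids counting referrers or user agents that mention it.
# Output: "<count> <ip>", most active first.
xmlrpc_403_by_ip() {
    awk '$6 ~ /^"(POST|GET)$/ && $7 ~ /^\/xmlrpc\.php(\?|$)/ && $9 == 403 { n[$1]++ }
         END { for (ip in n) print n[ip], ip }' | sort -k1,1nr -k2,2
}

# Fold the per-IP counts into /24 ranges so you can see whether several hosts in one
# subnet are involved. Output: "<count> <x.y.z.0/24> <distinct source ips>".
xmlrpc_403_by_range() {
    xmlrpc_403_by_ip | awk '{ split($2, o, "."); r = o[1] "." o[2] "." o[3] ".0/24"
                              n[r] += $1; hosts[r]++ }
                            END { for (r in n) print n[r], r, hosts[r] }' | sort -k1,1nr -k2,2
}

# Print one iptables rule per source that reached MIN_HITS blocked requests. A whole
# /24 is only suggested when more than one address in it was seen; otherwise the single
# host is blocked. Rules are inserted (-I) at the top of INPUT so they take effect
# before any earlier ACCEPT for ports 80/443. Review the output, then pipe it to sh.
suggest_rules() {
    min_hits="${1:-2}"
    xmlrpc_403_by_ip | awk -v min="$min_hits" '
        { split($2, o, "."); r = o[1] "." o[2] "." o[3] ".0/24"
          n[r] += $1; hosts[r]++; last[r] = $2 }
        END { for (r in n) if (n[r] >= min)
                  print "iptables -I INPUT -s " (hosts[r] > 1 ? r : last[r]) " -j DROP" }' | sort
}

# Log source: the real file when LOG is set, otherwise the constructed sample.
input() { if [ -n "${LOG:-}" ]; then cat "$LOG"; else printf '%s\n' "$SAMPLE_LOG"; fi; }

report() {
    echo "# 403s on xmlrpc.php by /24 (count range hosts)"
    input | xmlrpc_403_by_range
    echo "# suggested rules (MIN_HITS=${MIN_HITS:-2})"
    input | suggest_rules "${MIN_HITS:-2}"
}

report
```

Two caveats before applying anything it prints. A /24 DROP also blocks any legitimate visitor in that range, so confirm with whois (the route: line, as the answer says) that the range really belongs to one network before widening a single-host block. And rules added with iptables -I live only until reboot unless you save them (for example with the iptables-persistent package).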
