Accueil > Réseau, Sécurité > Block WordPress xmlprc.php DDOS attacks using Fail2Ban

Block WordPress xmlprc.php DDOS attacks using Fail2Ban

Few days ago, my friend’s WordPress website went down. After investigation, I have figured out that it was receiving massive amount of posts requests to the xmlrpc.php file, which brings the apache and mysql to eat up all the system resources and the website crashed. Fortunately, I have figured out the way to mitigate this attack using Fail2Ban, which I’ll share in this post.

Install the Fail2Ban package using the following command:

apt-get install fail2ban iptables

1Make a local copy of jail.conf file for configuration change:

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

2

Open up the jail.local configuration file:

vi /etc/fail2ban/jail.local

3Add the following lines at the end (Change the logpath to match with yours):

[xmlrpc]
enabled = true
filter = xmlrpc
action = iptables[name=xmlrpc, port=http, protocol=tcp]
logpath = /var/log/apache2/access.log
bantime = 43600
maxretry = 2

4Move to the Fail2Ban’s filter directory:

cd /etc/fail2ban/filter.d/

5Here we need to create the filter to trigger an action with iptables:

vi xmlrpc.conf

6Add the following lines:

[Definition]
failregex = ^<HOST> .*POST .*xmlrpc\.php.*
ignoreregex =

7Restart the Fail2Ban service:

service fail2ban restart

8Check the Fail2Ban log and there you will find that it start banning the IP address if everything went well:

tail -f /var/log/fail2ban.log

9Hope this will help you!

Please Remember me in your prayers!

Source: Lazy Geek

Print Friendly, PDF & Email

Related Post

Les commentaires sont fermés.