I have an Ubuntu 12.04 machine running Apache2 which hosts about 10 wordpress websites.

Recently I have been subjected to attacks from clients which seem to be sending POST requests to a WordPress file called 'xmlrpc.php'.

The way I block the IP addresses which send these malicious requests is a tedious manual process, and I want to automate this somehow.

Once I notice that my server load is high I perform the following actions:

  1. I run apachetop on all of my virtual host access files. This shows all requests being made so I can see if any requests are being made to xmlrpc.php

  2. Once I identify which IPs are attacking my server, I run the following command for each offending IP address: `sudo iptables -A INPUT -s 94.102.52.95 -j DROP`

  3. When all IP addresses have been added to my block list, my server load immediately drops to normal levels.

Is there a way to automate this process? I was thinking about writing some code within xmlrpc.php which will add any IP addresses to my block list for any IP that sends requests for it. Does anyone have any idea on how to do this?

Thanks in advance!

Bob Flemming
  • fail2ban is the gold standard for this. – ceejayoz Sep 09 '13 at 15:18
  • You know exactly how to fix this when it happens, and you seem to have the procedure pretty much standardized. If I were in your shoes, I would just write a script (BASH or PHP) to automate this workflow. I would avoid hard-coding something. – dlyk1988 Sep 09 '13 at 15:34
  • If you don't need this resource (xmlrpc.php), just make a Location config for it and deny access. Else: fail2ban or OSSEC. – that guy from over there Sep 11 '13 at 00:17

1 Answer

I don't think blocking every IP is the solution for this issue. The IPs doing POST actions are most likely infected/hacked PCs around the world. You will only flood your iptables by blacklisting every one of them. If the WP site has been hacked I would suggest taking it offline and notifying the customer to clean the mess up and update all components.

You could install mod_security to prevent uploads of malicious code. You could also instruct mod_security to block POST requests to that specific page altogether; it will simply return a 404, which will save you some load (and stop the hacking).

If the above still does not help and you want to block every IP (I would make sure you remove them after some time, to prevent a huge iptables), you could make a script tailing the access.log and blocking the IPs (for example a shell script with a cronjob/sleep, or better: a nice daemon in perl/python).

Jeroen
  • The nice daemon in python you mention has been written; it's called [fail2ban](http://fail2ban.org/). – xofer Sep 09 '13 at 15:43
  • Also, along with mod_security, it would probably be good to add [mod_evasive](http://www.zdziarski.com/blog/?page_id=442). – Travis Stoll Sep 09 '13 at 16:29
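As an added example (not code from the question or the answer), here is a Python sketch of the log-tailing script Jeroen describes: it parses Apache combined-format access log lines, counts POST hits to xmlrpc.php per client IP, picks the IPs over a threshold, and renders the same `iptables -A INPUT ... -j DROP` rule Bob adds by hand plus the matching delete for the "remove them after some time" step. The log lines, the threshold of 3 and the one-hour TTL are constructed for the demo; the script only prints commands and never runs iptables itself.

```python
import re
import time
from collections import Counter

# Constructed sample lines in Apache "combined" log format (not taken from the post).
SAMPLE_LOG = """\
203.0.113.10 - - [09/Sep/2013:15:01:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.10 - - [09/Sep/2013:15:01:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.10 - - [09/Sep/2013:15:01:04 +0000] "POST /xmlrpc.php?x=1 HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.7 - - [09/Sep/2013:15:01:05 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [09/Sep/2013:15:01:06 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
garbage line that does not parse
"""

# Client IP plus the method and path of the request line; the rest is ignored.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)')

def count_posts(lines, path="/xmlrpc.php"):
    """Count POST requests per client IP whose path (query string stripped) matches."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group("method") == "POST" and m.group("path").split("?", 1)[0] == path:
            hits[m.group("ip")] += 1
    return hits

def offenders(hits, threshold):
    """IPs at or above the threshold, sorted so the output is stable."""
    return sorted(ip for ip, n in hits.items() if n >= threshold)

def block_commands(ips, chain="INPUT"):
    """Render the rule the question adds by hand; strings only, nothing is executed."""
    return [f"iptables -A {chain} -s {ip} -j DROP" for ip in ips]

def unblock_commands(ips, chain="INPUT"):
    """The matching delete, so old blocks do not pile up in iptables."""
    return [f"iptables -D {chain} -s {ip} -j DROP" for ip in ips]

def expired(blocked_at, now, ttl_seconds):
    """IPs whose block (epoch seconds in blocked_at) is at least ttl_seconds old."""
    return sorted(ip for ip, t in blocked_at.items() if now - t >= ttl_seconds)

if __name__ == "__main__":
    bad = offenders(count_posts(SAMPLE_LOG.splitlines()), threshold=3)
    print("\n".join(block_commands(bad)))
    blocked_at = {ip: time.time() for ip in bad}
    # What a later cron run would emit once the one-hour TTL has passed:
    print("\n".join(unblock_commands(expired(blocked_at, time.time() + 3600, 3600))))
```

A real deployment would feed it `tail -F` output or run it from cron against each virtual host's access log, and persist `blocked_at` between runs so the deletes actually happen.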