Any problems with use of htaccess method?

BEGIN protect xmlrpc.php

<files xmlrpc.php> order allow,deny deny from all </files>

END protect xmlrpc.php

[]'s

XML-RPC DDoS Protection for Web Servers with ModSecurity and Iptables

Victim’s Web Server under XML-RPC DDoS attack:

213.189.55.149 victim.com- [29/Jun/2015:12:50:35 +0700] "GET /index.php HTTP/1.0" 400 1905 "-" "WordPress/3.9.6; http://www.gamesbase24.com; verifying pingback from 54.169.67.213" 5.001
194.58.92.216 victim.com - [29/Jun/2015:13:11:51 +0700] "GET / HTTP/1.0" 400 1905 "-" "WordPress/3.5; http://mygoldpartners.ru" 5.001

Mitigation

ModSecurity rule:

SecAction "id:1,phase:1,t:none,pass,nolog,initcol:global=global,initcol:ip=%{remote_addr}"
SecRule REQUEST_HEADERS:User-Agent "(wordpress|pingback)" "id:12,phase:1,t:lowercase,exec:/etc/exec/pingback.sh,deny,status:400"

Pingback.sh:

#!/bin/bash
/bin/echo +$REMOTE_ADDR >/proc/net/xt_recent/PINGBACK

Iptables rule:

-A INPUT -p tcp -m tcp --dport 80 -m recent --update --seconds 2592000 --hitcount 1 --name PINGBACK --rsource -j DROP

If you are using Nginx, add it to VirtualHost config

if ($http_user_agent ~* (WorPress|pingback) ) {
        return 444;
}

Source: http://forum.ceh.vn/Bao-toan-server-truoc-cuoc-DDOS-thong-qua-lo-hong-xmlrpcphp-cua-WordPress-thread-7330.ceh

Blocking XML-RPC is a great move for 99% of WordPress sites. However, installing the Jetpack plugin is generally a bad idea and will cause added performance and security issues.

https://www.littlebizzy.com/blog/disable-xml-rpc

location = /xmlrpc.php {
    deny all;
    }

The above “equals” sign may be necessary to deny requests to the xmlrpc.php file, and is truly the only smart way to disable it. Plugins and application-level blocking is only asking for trouble as it can be circumvented, depends on your site stability, and so forth.

So far our site was attacked from a small number of IPs, not a full-scale botnet, and we’ve had one short interval of downtime. So instead, I blocked more than 2 consecutive retries using fail2ban with a long bantime, only slightly modified from an answer on stackoverflow or somewhere similar:

/etc/fail2ban/filter.d/xmlrpc.conf (new file)

[Definition]
failregex = ^<HOST> .*POST .*xmlrpc\.php.*
ignoreregex =

/etc/fail2ban/jail.local (appended to the existing file)

[xmlrpc]
enabled = true
filter = xmlrpc
action = iptables[name=xmlrpc, port=http, protocol=tcp]
logpath = /var/log/apache2/access.log
bantime = 600000
maxretry = 2
findtime = 6000

This works like a charm. The question is: is this a robust enough solution if our traffic scales up? I wnated to avoid blocking the file completely as it might be important for WP functionality.

Hi,

I suspect the method 2 “Enabling block-xmlrpc with a2enconf” does not work!

These are the steps I did. Step 1. Rebuilt my droplet with “One-Click Install WordPress on Ubuntu 14.04”. Step 2. Updated Ubuntu Step 3. Setup wordpress Step 4. Run “sudo a2enconf block-xmlrpc”, I got these warnings:

perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
LANGUAGE = (unset),
LC_ALL = (unset),
LC_CTYPE = "UTF-8",
LANG = "en_US.UTF-8"
are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
Enabling conf block-xmlrpc.
To activate the new configuration, you need to run:
service apache2 reload

Please note that there is “Enabling conf block-xmlpc”.

Step 5. After some hours, I still got http status code of 200. First 6 entries are listed below. Two of them are 200. Others are 301.

5.178.68.254 - - [10/Mar/2016:11:46:01 -0500] "POST /xmlrpc.php HTTP/1.1" 301 573 "http://bb.com/xmlrpc.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.11) Gecko/20070502 Firefox/1.5.0.11 Flock/0.7.13.1"
5.178.68.254 - - [10/Mar/2016:11:46:42 -0500] "POST / HTTP/1.1" 200 6163 "http://bb.com/xmlrpc.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.11) Gecko/20070502 Firefox/1.5.0.11 Flock/0.7.13.1"
89.47.29.92 - - [10/Mar/2016:12:21:53 -0500] "POST /xmlrpc.php HTTP/1.0" 301 524 "http://www.hh.com/" "PHP/5.2.03"
75.103.70.22 - - [10/Mar/2016:15:20:45 -0500] "POST /xmlrpc.php HTTP/1.0" 301 512 "-" "-"
5.178.68.254 - - [10/Mar/2016:15:38:58 -0500] "POST /xmlrpc.php HTTP/1.1" 301 573 "http://bb.com/xmlrpc.php" "Mozilla/5.0 (X11; U; Linux x86_64; es-ES; rv:1.9.1.8) Gecko/20100216 Fedora/3.5.8-1.fc11 Firefox/3.5.8"
5.178.68.254 - - [10/Mar/2016:15:39:44 -0500] "POST / HTTP/1.1" 200 6165 "http://bb.com/xmlrpc.php" "Mozilla/5.0 (X11; U; Linux x86_64; es-ES; rv:1.9.1.8) Gecko/20100216 Fedora/3.5.8-1.fc11 Firefox/3.5.8"

(I changed the domain names above for privacy reason.)

Step 6. Finally I rebuilt the droplet again, and this time with method 3 “Manually Blocking All XML-RPC Traffic”. Now all I got are 403.

My question is: Does method 2 work? It seems it is NOT working! I created a ticket for support and they also believe it is not working too.

ps: I tried many fixes to locale warning, but the problem is still there.

You can also install the iQ Block Country plugin. This allows you to deny requests to xmlrpc.php but also to your entire backend. You can allow only your own country for instance. Or block all countries and only allow your own ip address(es).

You can also block countries from visiting your frontend. So if you need some kind of geo fencing around your content you can do this. Or perhaps you just get a lot of spammy comments on your blogs from certain countries then you can block these as well.

I have followed the step 3 and I still having the same issue :S. I have the problem as I can see in my log file, and also everytime I restart the server the website works for some seconds but back the message “Error establishing a database connection”. Any idea what is going on with this?

An easy temporary fix is to IP ban all the offenders.

First get their IPs:

 fgrep '"POST /xmlrpc.php HTTP/1.0" 200 791 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"' /var/log/apache2/access.log | cut -d' ' -f1 | sort | uniq

159.122.224.173 185.103.252.170 185.130.4.120 185.130.4.197 185.82.202.52 5.196.199.230

Then ban them:

iptables -I INPUT -s 159.122.224.173 -j DROP

etc

Method 3 worked great for me, thanks! I am not too linux savvy but the one additional step I had to do to get it to work was restart MySQL altogether…“service mysql stop” then “service mysql start”.

Thank god for this tutorial, I was losing a bunch of money with my web site down.

hi dear i can’t access my droplet it shows as power on but in ping status of server ip address giving request time out :( please help me to how to fix it as soon as possible :(

Jetpack doesn’t help

To author, Thank for such informative article. To comment authors (below), amazing workarounds - thanks!.

Here is yet another alternative, essentially it blocks all outside traffic destined for critical files such as xmlrpc.php etc and white-lists internal traffic ( 10.10.x.x )… place this inside your vhost file.

<Directory /websites/www.example.com/www>
        Options FollowSymLinks MultiViews
                AllowOverride All
                Order Deny,Allow
                Allow from all

## WordPress Related Directives ##
        # Restrict access to error_logs, login, setup-config, xmlrpm, php.ini, and htaccess/htpasswds.
        <FilesMatch "^.*(error_logs|login|setup-config\.php|xmlrpc\.php|\.[hH][tT][aApP].*)$">
                Order deny,allow
                Deny from all
                Allow from 10.10.
        </FilesMatch>

        # Restrict access to wp-*.php
        <FilesMatch "^(wp-.*|php|php5)\.(php|php5|ini)$">
                order deny,allow
                deny from all
                allow from 10.10.
        </FilesMatch>

        # Allow Plugins to access to this file
        <Files admin-ajax.php>
                #order allow,deny
                #allow from all
                #satisfy any
                order deny,allow
                deny from all
                allow from 10.10.
        </Files>
        ## END OF WordPress Related Files Directives ##

</Directory>

Thanks for the info. Editing my apache2.conf as noted in Method 3 worked well for me. The hardest part was just realizing what the issue was in the first place, but I guess I should’ve suspected malicious activity when my server started getting slow/inaccessible without a traffic increase or a configuration change.

am blocked my xml-rpc in last days i think now pinging service is not indexing mee … is it possible bcz in past days i got a index in seconds after posting … how to enabled again blocked xmlrpc …

I did " block-xmlrpc with a2enconf " following method 2. but I want to unblock it. What should I put?

I used Putty when I did.

I really wanted to send a small word to say thanks to you for the fantastic points you are writing on this site. flip diving

I have been receiving unwanted traffic from RSS FEED , I tried disabling it from the functions.php but with no luck. My site shows 504 and 502 Gateway Error.

I followed your tutorial and it still has no effect, my CPU Graph shows 100 % resource usage…

My access.log files gives this :

1.186.37.141 - - [26/Jan/2017:17:39:17 +0545] “GET /feed/?post_type=job_listing HTTP/1.1” 502 568 “-” “Mozilla/5.0 (Linux; Android 4.4.2; Aqua Y4 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Mobile Safari/537.36” 115.164.222.149 - - [26/Jan/2017:17:39:17 +0545] “GET /feed/?post_type=job_listing HTTP/1.1” 502 568 “-” “Mozilla/5.0 (Linux; Android 5.1.1; SM-J120G Build/LMY47X; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/51.0.2704.81 Mobile Safari/537.36” 37.37.65.168 - - [26/Jan/2017:17:39:17 +0545] “GET /feed/?post_type=job_listing HTTP/1.1” 502 568 “-” “Mozilla/5.0 (Linux; Android 5.1; Lenovo A2010-a Build/LMY47D; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/46.0.2490.76 Mobile Safari/537.36” 1.186.37.141 - - [26/Jan/2017:17:39:17 +0545] “GET /feed/?post_type=job_listing HTTP/1.1” 499 0 “-” “Mozilla/5.0 (Linux; Android 4.4.2; Aqua Y4 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Mobile Safari/537.36”

I would like to block " /feed/?post_type=job_listing" How do I do it ?

Please Help…

Thank You.

My site constantly being attacked using xmlrpc.phpI want block it, but does this will affect site function ? site is : dealslama.com

For me it does not work without the = sign!

Please update the article.

Here is the correct code:

location = /xmlrpc.php { deny all; } # protect against brute force attack

I was hit by the same issue a few days ago and my site was not working but thanks to your step by step tutorial. It helped me a bundle.