There’s a well-known DDoS attack against WordPress which goes after a file in 
the core system called xmlrpc.php. I modeled the jail after my successful 
wp-auth setup. It doesn’t seem to work.

kill-xmlrpc.conf
-----------------
[Definition]
failregex = ^<HOST> .* "POST .*xmlrpc.php HTTP/1.1"
#ignoreregex =

Jail
----
[kill-xmlrpc]
enabled = true
port = http,https
filter = kill-xmlrpc
action = iptables[name=kill-xmlrpc, port=http, protocol=tcp]
         sendmail-whois[name=kill-xmlrpc, [email protected]]
logpath = /etc/httpd/logs/domains/*access.log
maxretry = 2
findtime = 1200
bantime = 86400

This is what I see in my access log.

89.248.171.135 - - [14/Jul/2015:21:59:09 -0400] "POST /xmlrpc.php HTTP/1.0" 403 291 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
89.248.171.135 - - [14/Jul/2015:21:59:10 -0400] "POST /xmlrpc.php HTTP/1.0" 403 291 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
89.248.171.135 - - [14/Jul/2015:21:59:25 -0400] "POST /xmlrpc.php HTTP/1.0" 403 291 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"

I tested the regex. It looks okay, I think.

[root@fortapache fail2ban]# fail2ban-regex "/etc/httpd/logs/domains/*access.log" "/etc/fail2ban/filter.d/kill-xmlrpc.conf"

Running tests
=============

Use   failregex file : /etc/fail2ban/filter.d/kill-xmlrpc.conf
Use      single line : /etc/httpd/logs/domains/*access.log


Results
=======

Failregex: 0 total

Ignoreregex: 0 total

Date template hits:

Lines: 1 lines, 0 ignored, 0 matched, 1 missed
|- Missed line(s):
|  /etc/httpd/logs/domains/*access.log

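As an added example (not from the post and not fail2ban's own code), here is a small Python model of what the jail does with this filter: it runs the posted failregex, and a variant that also accepts HTTP/1.0, over the three access-log lines above and then applies the jail's maxretry = 2 / findtime = 1200 rule. The fail2ban-regex run above reports "Use single line" for the quoted glob, i.e. it matched against the path string itself rather than the log files, so it says nothing about the regex; the <HOST> expansion used here is a simplified stand-in for fail2ban's and is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The three access-log lines quoted in the post, each joined back onto one line.
ACCESS_LOG = """\
89.248.171.135 - - [14/Jul/2015:21:59:09 -0400] "POST /xmlrpc.php HTTP/1.0" 403 291 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
89.248.171.135 - - [14/Jul/2015:21:59:10 -0400] "POST /xmlrpc.php HTTP/1.0" 403 291 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
89.248.171.135 - - [14/Jul/2015:21:59:25 -0400] "POST /xmlrpc.php HTTP/1.0" 403 291 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
""".splitlines()

# The failregex exactly as posted (only matches HTTP/1.1 requests) and a
# variant that also accepts the HTTP/1.0 requests seen in the log.
POSTED_REGEX = r'^<HOST> .* "POST .*xmlrpc.php HTTP/1.1"'
FIXED_REGEX = r'^<HOST> .* "POST .*xmlrpc\.php HTTP/1\.[01]"'

# Simplified stand-in for fail2ban's <HOST> expansion (assumption, not fail2ban's real pattern).
HOST_PATTERN = r'(?P<host>[\w.:-]+)'
DATE_PATTERN = re.compile(r'\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]')


def compile_failregex(failregex):
    return re.compile(failregex.replace('<HOST>', HOST_PATTERN))


def match_lines(failregex, lines):
    """Return (host, timestamp) for every line the failregex matches,
    i.e. what fail2ban-regex would count as 'matched'."""
    rx = compile_failregex(failregex)
    hits = []
    for line in lines:
        m = rx.search(line)
        if not m:
            continue
        stamp = DATE_PATTERN.search(line).group(1)
        hits.append((m.group('host'), datetime.strptime(stamp, '%d/%b/%Y:%H:%M:%S %z')))
    return hits


def hosts_to_ban(hits, maxretry=2, findtime=1200):
    """Apply the jail's rule: ban a host once it has maxretry hits within findtime seconds."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)
    banned = set()
    for host, ts in sorted(hits, key=lambda h: h[1]):
        recent[host] = [t for t in recent[host] if ts - t <= window] + [ts]
        if len(recent[host]) >= maxretry:
            banned.add(host)
    return banned
```

With the posted regex no line matches, so nothing is ever banned; with the HTTP/1.0-tolerant variant the same host is banned on its second POST, nine seconds after the first.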

_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
