If any of you run WordPress instances, or probably virtually any web
site, you've likely run into a scenario where you see calls to the
file xmlrpc.php in your web logs.
Here's what it relates to:
What is an XML-RPC attack?
XML-RPC is a remote procedure call protocol that uses XML for encoding and
HTTP for transport. WordPress uses XML-RPC for information
exchange between clients on the network.
Using this functionality, the attacker can send thousands of
brute-force attacks against your WordPress site in a very short time period.
The attacker will try to log in using the xmlrpc.php script with
random username/password combinations many times per minute, thus
carrying out a brute-force attack on your WordPress site.
Another problem is that xmlrpc.php also allows the attacker to guess
hundreds of password combinations using only several HTTP requests.
This would also lead to a very high database load.
This could also bring your site down, displaying the "Error
establishing database connection" error.
Unless you are using XML-RPC, it's safe to assume anybody trying to
reference that URL on your server is a compromised computer looking
to attack/probe your network.
Now you could set up multiple F2B rules for each site you host, but I
have an alternative.
I have an interesting idea to address this issue for hosts that may
have multiple sites. We create our own xmlrpc.php file that writes
the HTTP_REFERER data to a log file that Fail2Ban monitors, and
then restricts access to all important ports on the PC.
I know just enough about F2B to half-way make stuff, so I wouldn't
mind collaborating more with someone who is better at doing the F2B
configuration. Anybody want to help? Do you think this would be a
useful utility?
Here's how I imagine it works:
1. Copy a special file, xmlrpc.php, to whatever document root you
want to monitor. What the file does, when it's called, is dump
the remote IP address to a particular log file monitored by an F2B
rule that immediately blocks the remote host.
2. Set up a rule in F2B that monitors the log file and employs the
appropriate block.
This way you simply copy that file into any of the sites you want to
monitor/protect. This could also be renamed as other files that
represent common attack vectors that don't conflict with existing
files on your server.
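One concrete shape the two steps above could take, as an added example rather than anything Mike or the Fail2ban project has published: a Python script that renders the decoy xmlrpc.php, a filter.d fragment and a jail.d fragment, and then checks the failregex against constructed log lines the same way Fail2Ban would. The log path /var/log/xmlrpc-decoy.log, the jail name xmlrpc-decoy and the use of iptables-allports (for the "all important ports" idea) are assumptions; the HOST_RE pattern approximates Fail2Ban's own <HOST> expansion for IPv4 addresses and hostnames. The decoy strips control characters and whitespace from every attacker-controlled field and the regex is anchored at the start of the line, so a request cannot forge a second log line or plant a fake client= token that gets banned instead of the real source.

```python
"""Decoy xmlrpc.php + Fail2Ban jail: render the files and exercise the failregex.

Added example, not the list poster's or Fail2Ban's code.  Assumed: the decoy
logs to /var/log/xmlrpc-decoy.log and the jail is named xmlrpc-decoy.
"""
import re

LOG_PATH = "/var/log/xmlrpc-decoy.log"  # assumption; the PHP user must be able to append here

# The file dropped into each document root.  It never reaches WordPress: it
# writes one line per request and answers 403.  Attacker-controlled fields are
# capped and reduced to printable ASCII so a request can neither break the
# one-line-per-hit format nor inject a forged line into the log.
DECOY_PHP = r'''<?php
// Decoy xmlrpc.php (example, not WordPress's own file): log the caller, refuse.
$log   = '/var/log/xmlrpc-decoy.log';
$clean = function ($s) { return preg_replace('/[^\x21-\x7e]/', '', substr((string) $s, 0, 200)); };
$line  = sprintf("%s xmlrpc-decoy client=%s uri=%s referer=%s\n",
    date('c'),
    $clean($_SERVER['REMOTE_ADDR'] ?? '-'),   // behind a reverse proxy this is the proxy's IP
    $clean($_SERVER['REQUEST_URI'] ?? '-'),
    $clean($_SERVER['HTTP_REFERER'] ?? '-'));
file_put_contents($log, $line, FILE_APPEND | LOCK_EX);
http_response_code(403);
header('Content-Type: text/plain');
echo "Forbidden\n";
'''

# filter.d/xmlrpc-decoy.conf.  Fail2Ban removes the timestamp it recognises
# before matching, so the pattern tolerates one optional leading token; it stays
# anchored so that a "client=" planted in the referer field can never match.
FAILREGEX = r"^\s*(?:\S+\s+)?xmlrpc-decoy client=<HOST> uri="

FILTER_CONF = f"""[Definition]
failregex = {FAILREGEX}
ignoreregex =
"""

# jail.d/xmlrpc-decoy.conf: one hit is enough, ban on all ports (assumption).
JAIL_CONF = f"""[xmlrpc-decoy]
enabled   = true
filter    = xmlrpc-decoy
logpath   = {LOG_PATH}
maxretry  = 1
findtime  = 600
bantime   = 86400
banaction = iptables-allports
"""

# Approximation of Fail2Ban's <HOST> expansion (IPv4 and hostnames).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"


def compile_failregex(failregex=FAILREGEX):
    """Turn a Fail2Ban failregex into a Python regex, as Fail2Ban does."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def format_log_line(remote_addr, uri, referer="-", ts="1970-01-01T00:00:00+00:00"):
    """Same line format the PHP decoy writes (kept in sync by hand)."""
    return f"{ts} xmlrpc-decoy client={remote_addr} uri={uri} referer={referer}"


def hosts_to_ban(lines, failregex=FAILREGEX):
    """Return the <host> captured from every line the filter would act on."""
    rx = compile_failregex(failregex)
    return [m.group("host") for m in map(rx.search, lines) if m]


def render_files():
    """Deployable files as {relative path: contents}."""
    return {
        "docroot/xmlrpc.php": DECOY_PHP,
        "filter.d/xmlrpc-decoy.conf": FILTER_CONF,
        "jail.d/xmlrpc-decoy.conf": JAIL_CONF,
    }


if __name__ == "__main__":
    for path, body in render_files().items():
        print(f"--- {path}\n{body}")
    # Constructed sample lines: a plain hit, one with a forged client= in the
    # referer, and an unrelated access-log line that must not match.
    sample = [
        format_log_line("203.0.113.7", "/xmlrpc.php"),
        format_log_line("198.51.100.9", "/xmlrpc.php", referer="client=10.0.0.1"),
        "2024-05-01T12:00:00+00:00 GET /index.php 200",
    ]
    print("would ban:", hosts_to_ban(sample))
```

Copy the rendered xmlrpc.php into each document root you want covered, drop the two .conf fragments into Fail2Ban's filter.d and jail.d, and run `fail2ban-regex /var/log/xmlrpc-decoy.log xmlrpc-decoy` against a real log once a few hits have landed. If the sites sit behind a reverse proxy, REMOTE_ADDR is the proxy and banning it would cut off all traffic; in that case log the proxy-supplied client header only if the proxy is trusted to set it.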
Thoughts? Anybody want to collaborate to help write up the
configuration? I can do the PHP coding; I could use some help with
the F2B rules.
- Mike
_______________________________________________
Fail2ban-users mailing list
fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users