Block IP requesting xmlrpc.php

@Alves908

Posted in: #ModSecurity #Security

We have a firewall with modsecurity installed. I would like to write a rule to block any IP address for 24 hours if that IP requests xmlrpc.php. Please note that we do not use WordPress on our platform but these requests are consuming huge amounts of traffic.


@Radia820

Standard .htaccess Block

I covered this a while back on my blog about stopping WP brute force attacks. You can IP-block xmlrpc.php by using <Files> or <FilesMatch>; here's what I use:

<Files "xmlrpc.php">
# Apache 2.2 mod_authz_host syntax; on Apache 2.4 use "Require all denied" instead
Order Allow,Deny
deny from all
</Files>


The above code will block any requests that attempt to fetch that file.

Modsecurity

If you need a more advanced solution that uses mod_security, then I recommend a rate-limiting solution, something like this:


SOURCE

SecRuleEngine On

<LocationMatch "^/somepath">
# Create or load the per-client collection keyed by source IP (persistent storage needs SecDataDir)
SecAction "initcol:ip=%{REMOTE_ADDR},pass,nolog"
# In the logging phase, decay the counter by 1 every 1 second
SecAction "phase:5,deprecatevar:ip.somepathcounter=1/1,pass,nolog"
# More than 60 requests inside the decay window: stall 300 ms, deny with 509 and flag the request
SecRule IP:SOMEPATHCOUNTER "@gt 60" "phase:2,pause:300,deny,status:509,setenv:RATELIMITED,skip:1,nolog"
# Otherwise count this request
SecAction "phase:2,pass,setvar:ip.somepathcounter=+1,nolog"
Header always set Retry-After "10" env=RATELIMITED
</LocationMatch>
# Note: ModSecurity 2.7 and later also require a unique "id:N" action on every SecRule/SecAction above

ErrorDocument 509 "Rate Limit Exceeded"



However, unless you actually use XMLRPC for real purposes, there should be no reason to use a rate limiter for a file that either doesn't exist or isn't needed.

Fail2ban Rocks

If you have root access to your host then I strongly recommend Fail2ban, since it's more flexible, has way more features and is a lot easier to use than mod_security.

WordPress Users

Users that use both xmlrpc and WordPress should protect their wp-login.php, since it is normally a brute-force attack; therefore you should also make the extra effort to lock down wp-login.php from being attacked. I use this:

<FilesMatch "wp-login.php">
# Apache 2.2 syntax: evaluate deny first, then allow, so the allow lines below win for your own addresses
Order Deny,Allow
deny from all
# Broadband that changes IP addresses
# Change the below to the domain that your broadband IP resolves to
# (matching by hostname makes Apache do a double reverse DNS lookup on each request)
allow from .isp.com
# Broadband whose IP does not change
allow from 1.1.1.1
</FilesMatch>

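As an added example (not part of the original question or answer), here is a ModSecurity 2.x / Apache rule set that does what the question asks for: the first request for xmlrpc.php flags the source IP, and every further request from that IP is refused for 24 hours. The SecDataDir path, the rule ids (1000100 to 1000102) and the log message are placeholders chosen for this example; it also assumes REMOTE_ADDR is the real client address (behind a reverse proxy you would key the collection on the forwarded client address instead).

```apache
# Added example, not from the original post: ban an IP for 24 hours after it requests xmlrpc.php.
# Assumes ModSecurity 2.x on Apache. Persistent collections need a writable data directory:
SecDataDir /var/cache/modsecurity    # assumed path; must be writable by the httpd user
SecRuleEngine On

# Phase 1 (request headers): open or create the per-client collection keyed by source IP.
SecAction "id:1000100,phase:1,pass,nolog,initcol:ip=%{REMOTE_ADDR}"

# Already flagged: refuse the request before the body is even read, whatever the path.
SecRule IP:BLOCK_XMLRPC "@eq 1" "id:1000101,phase:1,deny,status:403,nolog"

# First offence: flag the IP, make the flag expire after 86400 s (24 h), deny and log.
SecRule REQUEST_FILENAME "@endsWith /xmlrpc.php" \
    "id:1000102,phase:1,deny,status:403,log,msg:'xmlrpc.php probe, IP banned for 24h',\
     setvar:ip.block_xmlrpc=1,expirevar:ip.block_xmlrpc=86400"
```

The order of the three directives matters: initcol must run before the flag is read, and the "already flagged" check sits before the flagging rule so a banned client never reaches it again (that keeps the audit log to one entry per ban instead of one per request). To verify, request /xmlrpc.php once and then any other URL from the same address; the second request should get 403 until the variable expires. Because the state lives in the SecDataDir collection rather than in process memory, the ban holds across Apache worker processes and graceful restarts.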

