Block IP requesting xmlrpc.php
We have a firewall with modsecurity installed. I would like to write a rule to block any IP address for 24 hours if that IP requests xmlrpc.php. Please note that we do not use WordPress on our platform but these requests are consuming huge amounts of traffic.
Standard .htaccess Block
I covered this a while back on my blog about stopping WP brute force attacks. You can IP block xmlrpc.php by using <Files> or <FilesMatch>; here's what I use:
<Files "xmlrpc.php">
Order Allow,Deny
deny from all
</Files>
The above code will block any requests that attempt to fetch that file.
Modsecurity
If you need a more advanced solution that uses mod_security, then I recommend a rate-limiting solution, something like this:
SecRuleEngine On
<LocationMatch "^/somepath">
    # Replace ^/somepath with the path to protect, e.g. ^/xmlrpc\.php
    # ModSecurity 2.7+ requires a unique id: on every rule (ids below are example values)
    # Open the persistent collection keyed on the client IP
    SecAction "id:200001,phase:1,initcol:ip=%{REMOTE_ADDR},pass,nolog"
    # Decrement the counter by 1 every second, so the limit is per sliding minute
    SecAction "id:200002,phase:5,deprecatevar:ip.somepathcounter=1/1,pass,nolog"
    # More than 60 requests in the window: stall, deny and mark the request
    SecRule IP:SOMEPATHCOUNTER "@gt 60" "id:200003,phase:2,pause:300,deny,status:509,setenv:RATELIMITED,skip:1,nolog"
    # Otherwise count the request and let it through
    SecAction "id:200004,phase:2,pass,setvar:ip.somepathcounter=+1,nolog"
    Header always set Retry-After "10" env=RATELIMITED
</LocationMatch>
ErrorDocument 509 "Rate Limit Exceeded"
However, unless you actually use XMLRPC for real purposes, there should be no reason why you should use a rate limiter for a file that either doesn't exist, or isn't needed.
Fail2ban Rocks
If you have root access to your host then I strongly recommend Fail2ban, since it's more flexible, has way more features, and is a lot easier to use than mod_security.
WordPress Users
Users that use both xmlrpc and WordPress should protect their wp-login.php, since it is normally a brute-force attack; therefore you should also make the extra effort to lock down your wp-login.php from being attacked. I use this:
<FilesMatch "wp-login.php">
    # Apache 2.2 syntax (mod_access_compat on 2.4): deny everyone,
    # then allow only the addresses listed below
    Order Deny,Allow
    deny from all
    # Broadband that changes IP addresses:
    # change the below to the domain that your broadband IP resolves to
    allow from .isp.com
    # Broadband with an IP that does not change
    allow from 1.1.1.1
</FilesMatch>
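The question asks for a 24-hour block per offending IP rather than the rate limit shown in the answer. Here is how that looks in ModSecurity 2.x, as an added example that is not code from the answer above; the rule ids 300001-300003, the SecDataDir path and the 86400-second expiry are my choices and need adjusting to your ruleset.

```apache
# Added example: block any client that requests xmlrpc.php for 24 hours.
# Persistent collections need a data directory writable by the web server
# (path is an example value).
SecRuleEngine On
SecDataDir /var/cache/modsecurity

# Open (or create) the persistent collection keyed on the client IP
SecAction "id:300001,phase:1,pass,nolog,initcol:ip=%{REMOTE_ADDR}"

# If this IP was flagged earlier, deny everything it sends until the flag expires
SecRule IP:XMLRPC_BLOCK "@eq 1" \
    "id:300002,phase:1,deny,status:403,log,\
    msg:'Client blocked for 24h after requesting xmlrpc.php'"

# First sighting: flag the IP, expire the flag after 86400 s (24 h), and deny
SecRule REQUEST_FILENAME "@endsWith /xmlrpc.php" \
    "id:300003,phase:1,deny,status:403,log,\
    msg:'xmlrpc.php requested; blocking client for 24h',\
    setvar:ip.xmlrpc_block=1,expirevar:ip.xmlrpc_block=86400"
```

Because the block is keyed on REMOTE_ADDR, clients behind a shared NAT or a proxy are blocked together; if traffic arrives via a reverse proxy, key the collection on the trusted forwarded address instead.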