Posted to users@httpd.apache.org by Miguel González <mi...@yahoo.es> on 2016/03/08 11:36:27 UTC

[users@httpd] blocking xmlrpc.php

Dear all,

  I have a cPanel with Apache webserver running and I have seen many
xmlrpc accesses from fake Google bots. In my pursuit of blocking those
connections I enabled the following rules in my csf (iptables-based
firewall):

iptables -I INPUT -p tcp --dport 80 -m state --state NEW -m recent \
  --name wordpress-XMLRPC-firewall --update --seconds 10 --hitcount 3 -m \
  string --string 'GET /xmlrpc.php HTTP/1.1' --algo bm -j DROP

iptables -I INPUT -p tcp --dport 82 -m state --state NEW -m recent \
  --name wordpress-XMLRPC-firewall --update --seconds 10 --hitcount 3 -m \
  string --string 'GET /xmlrpc.php HTTP/1.1' --algo bm -j DROP

iptables -I INPUT -p tcp --dport 80 -m state --state NEW -m recent \
  --name wordpress-XMLRPC-firewall --update --seconds 10 --hitcount 3 -m \
  string --string 'POST /xmlrpc.php HTTP/1.1' --algo bm -j DROP

iptables -I INPUT -p tcp --dport 82 -m state --state NEW -m recent \
  --name wordpress-XMLRPC-firewall --update --seconds 10 --hitcount 3 -m \
  string --string 'POST /xmlrpc.php HTTP/1.1' --algo bm -j DROP

On port 80 I have Varnish and on port 82, my Apache web server.

Now cPanel still reports high CPU usage but no information (IPs or
requests).



Srv   PID   Acc         M  CPU      SS   Req   Conn  Child  Slot    Client   VHost  Request
0-61  5251  0/929/5793  _  4698.00  102  461   0.0   16.11  117.25  x.x.x.x
0-61  5251  0/922/5832  _  4696.41  110  398   0.0   18.92  83.23   x.x.x.x
0-61  5251  0/946/5907  _  4699.11  4    919   0.0   23.19  111.11  x.x.x.x
0-61  5251  0/922/5843  _  4691.70  114  2882  0.0   16.46  98.01   x.x.x.x


I suspect that the previous connections trying to exploit xmlrpc.php are
now just being logged and shown as "Waiting for connection".

Maybe the iptables rule should be different?

Thanks

Miguel

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
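
Added example, not part of the original thread: a Python script that applies the same threshold as the rules above (3 hits within 10 seconds) to an Apache access log, to list the client IPs requesting xmlrpc.php and whether they claim to be Googlebot. It assumes Combined Log Format with entries in time order; the function name, sample lines and addresses are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache Combined Log Format: client, timestamp, request line, ..., user agent.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?:GET|POST) (?P<path>\S+) [^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')

def xmlrpc_offenders(lines, seconds=10, hitcount=3):
    """Clients with >= hitcount xmlrpc.php requests inside any `seconds` window."""
    recent = defaultdict(deque)   # ip -> request times still inside the window
    totals = defaultdict(int)     # ip -> all xmlrpc.php requests seen
    claims, flagged = set(), set()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["path"].split("?", 1)[0] != "/xmlrpc.php":
            continue
        ip = m["ip"]
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        totals[ip] += 1
        if "Googlebot" in m["ua"]:
            claims.add(ip)        # the client only claims this; it is not verified
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > seconds:
            window.popleft()      # drop hits older than the window
        if len(window) >= hitcount:
            flagged.add(ip)
    return {ip: {"hits": totals[ip], "claims_googlebot": ip in claims}
            for ip in sorted(flagged)}

# Constructed sample input (documentation address ranges, not real traffic).
GOOGLE_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

def _line(ip, hms, request, ua):
    return (f'{ip} - - [08/Mar/2016:{hms} +0100] '
            f'"{request} HTTP/1.1" 200 370 "-" "{ua}"')

SAMPLE_LOG = [
    _line("203.0.113.7", "11:30:01", "POST /xmlrpc.php", GOOGLE_UA),
    _line("198.51.100.20", "11:30:02", "GET /xmlrpc.php", "curl/7.47.0"),
    _line("203.0.113.7", "11:30:03", "POST /xmlrpc.php", GOOGLE_UA),
    _line("198.51.100.20", "11:30:04", "GET /index.php", "curl/7.47.0"),
    _line("203.0.113.7", "11:30:05", "GET /xmlrpc.php?rsd", GOOGLE_UA),
    _line("198.51.100.20", "11:31:40", "GET /xmlrpc.php", "curl/7.47.0"),
]

if __name__ == "__main__":
    for ip, info in xmlrpc_offenders(SAMPLE_LOG).items():
        print(ip, info)
```
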


Re: [users@httpd] blocking xmlrpc.php

Posted by Miguel González <mi...@yahoo.es>.
On 03/08/16 1:34 PM, Yann Ylavic wrote:
> Hi,
> 
> On Tue, Mar 8, 2016 at 11:36 AM, Miguel González
> <mi...@yahoo.es> wrote:
>>
>> I suspect that the previous connections trying to exploit xmlrpc.php are
>> now just being logged and shown as "Waiting for connection".
>>
>> Maybe the iptables rule should be different?
> 
> Did you try REJECT instead of DROP?

I'm going to :)

Thanks!

Miguel




Re: [users@httpd] blocking xmlrpc.php

Posted by Yann Ylavic <yl...@gmail.com>.
Hi,

On Tue, Mar 8, 2016 at 11:36 AM, Miguel González
<mi...@yahoo.es> wrote:
>
> I suspect that the previous connections trying to exploit xmlrpc.php are
> now just being logged and shown as "Waiting for connection".
>
> Maybe the iptables rule should be different?

Did you try REJECT instead of DROP?

Regards,
Yann.
