Posted to users@httpd.apache.org by Miguel González <mi...@yahoo.es> on 2016/03/08 11:36:27 UTC
[users@httpd] blocking xmlrpc.php
Dear all,
I have a Cpanel with Apache webserver running and I have seen many
xmlrpc accesses from fake Google bots. In my pursuit of blocking those
connections I enabled the following rules in my csf (iptables based
firewall):
iptables -I INPUT -p tcp --dport 80 -m state --state NEW -m recent \
    --name wordpress-XMLRPC-firewall --update --seconds 10 --hitcount 3 \
    -m string --string 'GET /xmlrpc.php HTTP/1.1' --algo bm -j DROP

iptables -I INPUT -p tcp --dport 82 -m state --state NEW -m recent \
    --name wordpress-XMLRPC-firewall --update --seconds 10 --hitcount 3 \
    -m string --string 'GET /xmlrpc.php HTTP/1.1' --algo bm -j DROP

iptables -I INPUT -p tcp --dport 80 -m state --state NEW -m recent \
    --name wordpress-XMLRPC-firewall --update --seconds 10 --hitcount 3 \
    -m string --string 'POST /xmlrpc.php HTTP/1.1' --algo bm -j DROP

iptables -I INPUT -p tcp --dport 82 -m state --state NEW -m recent \
    --name wordpress-XMLRPC-firewall --update --seconds 10 --hitcount 3 \
    -m string --string 'POST /xmlrpc.php HTTP/1.1' --algo bm -j DROP
On port 80 I have Varnish and on port 82, my Apache web server.
Now cpanel still reports high CPU usage but no information (IPs or
requests).
Srv   PID   Acc         M  CPU      SS   Req   Conn  Child  Slot    Client   VHost  Request
0-61  5251  0/929/5793  _  4698.00  102  461   0.0   16.11  117.25  x.x.x.x
0-61  5251  0/922/5832  _  4696.41  110  398   0.0   18.92  83.23   x.x.x.x
0-61  5251  0/946/5907  _  4699.11  4    919   0.0   23.19  111.11  x.x.x.x
0-61  5251  0/922/5843  _  4691.70  114  2882  0.0   16.46  98.01   x.x.x.x
I suspect that the previous connections trying to exploit xmlrpc.php are
now just being logged and shown as "Waiting for connection".
Maybe the iptables rule should be different?
Thanks
Miguel
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
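A log-side check using the same threshold as the rules in the post above (3 requests for /xmlrpc.php within 10 seconds per client), to recover the client IPs that the status output does not show. This is an added example, not part of the original post; it assumes Apache common/combined log format with each client's entries in time order, and the function name and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds taken from the iptables rules in the post: 3 hits within 10 seconds.
WINDOW = timedelta(seconds=10)
HITCOUNT = 3

# Start of an Apache common/combined log line: client, ident, user, [time], "request"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)')

def xmlrpc_offenders(lines, window=WINDOW, hitcount=HITCOUNT):
    """Map client IP -> peak number of /xmlrpc.php hits seen inside one window."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    peak = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the scan
        if m["path"].split("?", 1)[0] != "/xmlrpc.php":
            continue  # only the script itself, with or without a query string
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()  # drop hits that have aged out of the window
        if len(q) >= hitcount:
            peak[m["ip"]] = max(peak.get(m["ip"], 0), len(q))
    return peak

# Constructed sample lines using documentation addresses, not data from the thread.
SAMPLE_LOG = """\
203.0.113.7 - - [08/Mar/2016:11:30:01 +0100] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Googlebot/2.1"
203.0.113.7 - - [08/Mar/2016:11:30:03 +0100] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Googlebot/2.1"
203.0.113.7 - - [08/Mar/2016:11:30:04 +0100] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Googlebot/2.1"
203.0.113.7 - - [08/Mar/2016:11:30:06 +0100] "GET /xmlrpc.php?rsd HTTP/1.1" 200 808 "-" "Googlebot/2.1"
198.51.100.23 - - [08/Mar/2016:11:30:00 +0100] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "-"
198.51.100.23 - - [08/Mar/2016:11:30:20 +0100] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "-"
198.51.100.23 - - [08/Mar/2016:11:30:40 +0100] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "-"
192.0.2.10 - - [08/Mar/2016:11:30:02 +0100] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
this line is not an access-log entry
""".splitlines()

if __name__ == "__main__":
    for ip, hits in sorted(xmlrpc_offenders(SAMPLE_LOG).items()):
        print(f"{ip}\t{hits} hits on /xmlrpc.php within {WINDOW.seconds}s")
```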
Re: [users@httpd] blocking xmlrpc.php
Posted by Miguel González <mi...@yahoo.es>.
On 03/08/16 1:34 PM, Yann Ylavic wrote:
> Hi,
>
> On Tue, Mar 8, 2016 at 11:36 AM, Miguel González
> <mi...@yahoo.es> wrote:
>>
>> I suspect that the previous connections trying to exploit xmlrpc.php are
>> now just being logged and shown as "Waiting for connection".
>>
>> Maybe the iptables rule should be different?
>
> Did you try REJECT instead of DROP?
I'm going to :)
Thanks!
Miguel
Re: [users@httpd] blocking xmlrpc.php
Posted by Yann Ylavic <yl...@gmail.com>.
Hi,
On Tue, Mar 8, 2016 at 11:36 AM, Miguel González
<mi...@yahoo.es> wrote:
>
> I suspect that the previous connections trying to exploit xmlrpc.php are
> now just being logged and shown as "Waiting for connection".
>
> Maybe the iptables rule should be different?
Did you try REJECT instead of DROP?
Regards,
Yann.