Limit xmlrpc.php to only specific web clients

Xmlrpc.php is very common target of attacks. In most cases you don’t need xmlrpc, but if you use third-party apps like WordPress for iPhone or android or other editors, then xmlrpc is the one who communicates between them and your WordPress installation. If you’ll be using it, it can be good idea to limit access to it only from “browsers” that you are using to access it. In case bellow, I’m using iPhone WordPress app.

When access to xmlrpc.php via iphone app, you’ll see that access log looks like this:

[11/Jun/2017:19:45:08 +0200] "POST /xmlrpc.php HTTP/2.0" 200 462 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_2 like Mac OS X) AppleWebKit/603.2.4 (KHTML, like Gecko) Mobile/14F89 wp-iphone/7.7"

From this you can see that wp-iphone/7.7 is named as client. So this will be our key for nginx configuration. We’ll make rule that will only accept requests to xmlrpc.php from clients containing string “wp-iphone”. Other clients will be denied. This is not bulletproof of as web client can be easily spoofed, but it should block majority of attacks.

location = /xmlrpc.php {
if ($http_user_agent !~* "wp-iphone")
{
return 403;
}
include fastcgi_params;
fastcgi_pass 127.0.0.1:<your_php_fpm_port>;
}

Icinga/Nagios plugin for http brute force detection

When dealing with web servers where there are a lot of web sites, especially WordPresses, Joomlas etc., it is very common problem to dealing with flood/brute force attacks. One of most common for example, is generating massive requests on wp-login.php, or xmlrpc.php. With brute force, attackers goal is usually gaining access to administration. This is the simplest kind of method to gain access. Idea is very simple, attacker tries with a lot of different passwords and usernames, until it gets it right. Those operations of course, are automated by bots, scripts.

This can be very damaging for your server as it consumes a lot of memory. Every request means that someone just visited your website. When there is a script with bad intentions visiting your site, that means a lot of requests. Most modern web pages, every request like this, also makes database query. In most cases, server will become unresponsive, system will run out of memory, swap will fill up, mysql will stop responding.. This also means, that all websites on your server will stop working. In many cases, you’ll have to reboot your server to make it responsive again. Of course, there are systems that don’t allow this, like Cloud Linux with its LVE. One of great practices is to lock your administration to some static IP. There different ways.

Continue Reading

Directadmin – auto block IP with firewall on FreeBSD

I wanted to block IP adressess which Directadmin recognized as source of brute force attacks. There is documentation about this for Linux and FreeBSD. I’m using PF as firewall on my system and not IPFW. There is only documentation how to create this with IPFW. So here is a little tweak and IP’s are blocked with PF automatically. Here is how:

In /etc/pf.conf create new table spammers that will persist on file /etc/spammers.

table  persist file “/etc/spammers”

Create block rule so that IP addresses from spammers table will be blocked. Ifext is my network card so change this to your needs.

block drop in quick on $ifext from  to any

In /usr/local/directadmin/scripts/custom/ create new script block_ip.sh and add code below.

#!/bin/sh
echo “Blocking $ip with pf …
”;
pfctl -t spammers -T add $ip
echo $ip >> /etc/spammers
exit $?

As you can see we are using command pfctl -t spammers -T add $ip which is PF syntax. When IP will be recorded it will be immediately added to table spammers and file /etc/spammers that we’ll create in next step. When pf restarts, rule is deleted from ram. But in this case IP is also stored in file /etc/spammers so it will be loaded in spammers table.

Create file /etc/spammers and save it. Thats were blocked IP’s will save.
This script must be manualy started from Directadmin administration. We can make it to run automatically. In /usr/local/directadmin/scripts/custom/ create another script named brute_force_notice_ip.sh. As specified in directadmin documentation you do that like so:

cd /usr/local/directadmin/scripts/custom
wget http://files.directadmin.com/services/all/brute_force_notice_ip.sh
chmod 700 brute_force_notice_ip.sh

IP’s that are listed as source of brute force attacks will now be automaticly blocked with PF.

© 2017 geegkytuts.net
Hosted by Hosterdam


About author