httpd-users mailing list archives

From Miguel González <miguel_3_gonza...@yahoo.es>
Subject [users@httpd] blocking xmlrpc.php
Date Tue, 08 Mar 2016 10:36:27 GMT
Dear all,

  I have a cPanel server with the Apache web server running and I have seen many
xmlrpc accesses from fake Google bots. In my pursuit of blocking those
connections I enabled the following rules in my csf (iptables-based
firewall):

# The HTTP request bytes are never in the connection's first packet, so
# "-m state --state NEW" together with "-m string" can never match (the
# request line arrives in an ESTABLISHED packet), and "--update" only counts
# addresses that are already on the recent list, which nothing here ever
# "--set"s. Fixed version: record every request for /xmlrpc.php (GET or POST,
# any HTTP version, with or without a query string), then drop the third one
# from the same source within 10 seconds. Because -I inserts at the top of
# the chain, the DROP rule is issued first so that the --set rule ends up
# above it and is evaluated first.

iptables -I INPUT -p tcp --dport 80 -m string --string '/xmlrpc.php' --algo bm \
  -m recent --name wordpress-XMLRPC-firewall --update --seconds 10 --hitcount 3 -j DROP
iptables -I INPUT -p tcp --dport 80 -m string --string '/xmlrpc.php' --algo bm \
  -m recent --name wordpress-XMLRPC-firewall --set

# Port 82 is reached from Varnish on 127.0.0.1, so here the source that is
# counted and dropped is Varnish itself, not the remote client (whose address
# is only in the X-Forwarded-For header); once the threshold is reached these
# two rules cut off the backend connection for everybody.
iptables -I INPUT -p tcp --dport 82 -m string --string '/xmlrpc.php' --algo bm \
  -m recent --name wordpress-XMLRPC-firewall --update --seconds 10 --hitcount 3 -j DROP
iptables -I INPUT -p tcp --dport 82 -m string --string '/xmlrpc.php' --algo bm \
  -m recent --name wordpress-XMLRPC-firewall --set

On port 80 I have Varnish and on port 82, my Apache web server.

Now cPanel still reports high CPU usage but no information (IPs or
requests).

Srv   PID   Acc         M  CPU      SS   Req   Conn  Child  Slot    Client   VHost  Request
0-61  5251  0/929/5793  _  4698.00  102  461   0.0   16.11  117.25  x.x.x.x
0-61  5251  0/922/5832  _  4696.41  110  398   0.0   18.92  83.23   x.x.x.x
0-61  5251  0/946/5907  _  4699.11  4    919   0.0   23.19  111.11  x.x.x.x
0-61  5251  0/922/5843  _  4691.70  114  2882  0.0   16.46  98.01   x.x.x.x

I suspect that the previous connections trying to exploit xmlrpc.php are
now just being logged and shown as "Waiting for connection".

Maybe the iptables rule should be different?

Thanks

Miguel

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
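As an added example (not part of Miguel's message, of csf or of the httpd project), the script below applies the same policy as the posted iptables rules, three hits on /xmlrpc.php from one source within ten seconds, to Apache access-log lines instead of raw packets, and reports which client addresses crossed the threshold. It assumes Apache logs in the "combined" format with %{X-Forwarded-For}i appended, so that requests arriving through Varnish carry the real client address rather than 127.0.0.1; the log lines, the addresses and the function names (find_abusers, googlebot_claimants, parse_line) are the example's own.

```python
"""Sliding-window detector for xmlrpc.php abuse in Apache access logs.

Added example, not from the original mailing-list message.  It applies the
policy of the posted iptables rules (3 hits on /xmlrpc.php from one source
within 10 seconds) at the log layer, where the client address is visible.
"""
import re
import sys
from collections import defaultdict, deque
from datetime import datetime

# Apache "combined" format with %{X-Forwarded-For}i appended (assumption:
# behind Varnish, %h is 127.0.0.1 and the real client is in that header).
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
    r'(?: "(?P<xff>[^"]*)")?$'
)

WINDOW_SECONDS = 10   # same as --seconds 10 on -m recent
HIT_COUNT = 3         # same as --hitcount 3

# Constructed sample: a fake "Googlebot" POSTing from 203.0.113.7 via Varnish,
# a slow GET prober from 198.51.100.9, and ordinary traffic hitting Apache directly.
SAMPLE_LOG = """\
127.0.0.1 - - [08/Mar/2016:10:30:01 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" "203.0.113.7"
127.0.0.1 - - [08/Mar/2016:10:30:02 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "curl/7.47.0" "198.51.100.9"
127.0.0.1 - - [08/Mar/2016:10:30:03 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" "203.0.113.7"
192.0.2.5 - - [08/Mar/2016:10:30:05 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "-"
127.0.0.1 - - [08/Mar/2016:10:30:06 +0000] "POST /xmlrpc.php?for=jetpack HTTP/1.0" 200 370 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" "203.0.113.7"
192.0.2.5 - - [08/Mar/2016:10:30:06 +0000] "GET /wp-login.php HTTP/1.1" 200 2200 "-" "Mozilla/5.0" "-"
127.0.0.1 - - [08/Mar/2016:10:30:20 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "curl/7.47.0" "198.51.100.9"
127.0.0.1 - - [08/Mar/2016:10:30:40 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "curl/7.47.0" "198.51.100.9"
"""


def parse_line(line):
    """Return a dict for one log line, or None if it does not parse."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    xff = rec.get("xff")
    # The first X-Forwarded-For hop is the client when the request came via Varnish.
    rec["client"] = xff.split(",")[0].strip() if xff and xff != "-" else rec["host"]
    return rec


def is_xmlrpc(path):
    """True for /xmlrpc.php with or without a query string, any method or protocol."""
    return path.split("?", 1)[0].endswith("/xmlrpc.php")


def find_abusers(lines, window=WINDOW_SECONDS, hits=HIT_COUNT):
    """Map client -> time it reached `hits` xmlrpc.php requests within `window` seconds."""
    recent = defaultdict(deque)   # client -> timestamps still inside the window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_xmlrpc(rec["path"]):
            continue
        stamps = recent[rec["client"]]
        stamps.append(rec["time"])
        # Expire stamps older than the window (the --seconds part of -m recent).
        while (rec["time"] - stamps[0]).total_seconds() > window:
            stamps.popleft()
        if len(stamps) >= hits and rec["client"] not in flagged:
            flagged[rec["client"]] = rec["time"]
    return flagged


def googlebot_claimants(lines):
    """Clients whose User-Agent claims Googlebot while requesting xmlrpc.php.

    Whether the claim is genuine needs a reverse DNS lookup of the address
    (name under googlebot.com or google.com, confirmed by a forward lookup),
    which this offline example does not perform.
    """
    return {rec["client"] for rec in map(parse_line, lines)
            if rec and is_xmlrpc(rec["path"]) and "Googlebot" in rec["ua"]}


if __name__ == "__main__":
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    lines = list(source)
    bots = googlebot_claimants(lines)
    for client, when in sorted(find_abusers(lines).items(), key=lambda kv: kv[1]):
        tag = " (claims Googlebot)" if client in bots else ""
        # csf -d denies the address; the quoted text becomes the comment in csf.deny.
        print(f'csf -d {client} "xmlrpc.php flood at {when:%H:%M:%S}{tag}"')
```

Feed it the access log on stdin; with no input it runs over the constructed sample and flags only 203.0.113.7, since 198.51.100.9 spreads its three requests over forty seconds. Counting per client at this layer also sidesteps the Varnish problem that an iptables rule on the Apache port sees every request coming from 127.0.0.1.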

