Linode Community Forums
PostPosted: Thu Apr 02, 2015 2:49 pm 
Offline
Senior Newbie

Joined: Tue Jan 27, 2015 4:58 pm
Posts: 5
For the past few weeks I've been experiencing some sort of attack that's been slowing my site a ton. Checking the access log shows things like this:

Code:
92.222.33.207 - - [02/Apr/2015:14:40:04 -0400] "POST /xmlrpc.php HTTP/1.0" 200 663 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
92.222.33.207 - - [02/Apr/2015:14:40:04 -0400] "POST /xmlrpc.php HTTP/1.0" 200 663 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
92.222.33.207 - - [02/Apr/2015:14:40:04 -0400] "POST /xmlrpc.php HTTP/1.0" 200 663 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
92.222.33.207 - - [02/Apr/2015:14:40:04 -0400] "POST /xmlrpc.php HTTP/1.0" 200 663 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
92.222.33.207 - - [02/Apr/2015:14:40:04 -0400] "POST /xmlrpc.php HTTP/1.0" 200 663 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
92.222.33.207 - - [02/Apr/2015:14:40:04 -0400] "POST /xmlrpc.php HTTP/1.0" 200 663 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
92.222.33.207 - - [02/Apr/2015:14:40:04 -0400] "POST /xmlrpc.php HTTP/1.0" 200 663 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
92.222.33.207 - - [02/Apr/2015:14:40:05 -0400] "POST /xmlrpc.php HTTP/1.0" 200 663 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
92.222.33.207 - - [02/Apr/2015:14:40:05 -0400] "POST /xmlrpc.php HTTP/1.0" 200 663 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
92.222.33.207 - - [02/Apr/2015:14:40:05 -0400] "POST /xmlrpc.php HTTP/1.0" 200 663 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
92.222.33.207 - - [02/Apr/2015:14:40:06 -0400] "POST /xmlrpc.php HTTP/1.0" 200 663 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
92.222.33.207 - - [02/Apr/2015:14:40:06 -0400] "POST /xmlrpc.php HTTP/1.0" 200 663 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
92.222.33.207 - - [02/Apr/2015:14:40:06 -0400] "POST /xmlrpc.php HTTP/1.0" 200 663 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
92.222.33.207 - - [02/Apr/2015:14:40:06 -0400] "POST /xmlrpc.php HTTP/1.0" 200 663 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
92.222.33.207 - - [02/Apr/2015:14:40:06 -0400] "POST /xmlrpc.php HTTP/1.0" 200 663 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
92.222.33.207 - - [02/Apr/2015:14:40:07 -0400] "POST /xmlrpc.php HTTP/1.0" 200 663 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"


After doing some Googling I tried implementing quick fixes by adding the following to my functions.php:

Code:
// Snippet for the active theme's functions.php.

// Refuse XML-RPC methods that go through the login path (they get fault 405).
// pingback.ping does not require a login, so it is unaffected by this filter
// and is removed separately below. Note that xmlrpc.php still bootstraps
// WordPress for every POST, so this does not reduce the cost of the flood.
add_filter( 'xmlrpc_enabled', '__return_false' );

// Drop pingback.ping from the method table so the site cannot be used as a
// pingback reflector.
add_filter( 'xmlrpc_methods', 'remove_xmlrpc_pingback_ping' );
function remove_xmlrpc_pingback_ping( $methods ) {
    unset( $methods['pingback.ping'] );
    return $methods;
}

// Write one syslog line (LOG_AUTHPRIV, typically /var/log/auth.log) per
// pingback.ping call so fail2ban can match on it. HTTP_HOST is client
// supplied; it is only used as the syslog ident here.
add_action( 'xmlrpc_call', 'fail2ban_pingback_hook' );
function fail2ban_pingback_hook( $call ) {
    if ( 'pingback.ping' === $call ) {
        openlog( 'wordpress(' . $_SERVER['HTTP_HOST'] . ')', LOG_NDELAY | LOG_PID, LOG_AUTHPRIV );
        syslog( LOG_NOTICE, 'Pingback requested from ' . $_SERVER['REMOTE_ADDR'] );
        closelog();
    }
}

// Also log pingback errors, except code 48 (duplicate pingback), which is
// not abuse and should not count towards a ban.
add_filter( 'xmlrpc_pingback_error', 'fail2ban_pingback_error_hook', 1 );
function fail2ban_pingback_error_hook( $ixr_error ) {
    if ( $ixr_error->code === 48 ) {
        return $ixr_error; // don't punish duplication
    }
    openlog( 'wordpress(' . $_SERVER['HTTP_HOST'] . ')', LOG_NDELAY | LOG_PID, LOG_AUTHPRIV );
    syslog( LOG_NOTICE, 'Pingback error ' . $ixr_error->code . ' generated from ' . $_SERVER['REMOTE_ADDR'] );
    closelog();
    return $ixr_error;
}


This seemed to improve the speeds for a little bit, but checking the logs showed that I was still getting hit with a ton of POST requests as shown above and the server's CPU use has been affected negatively as a result.

Manually blocking the IP address that is making these requests fixes the issues, but only temporarily as the attacker comes back a few hours later with a new IP.

Would anyone be able to point me in the right direction for setting up fail2ban properly so that it will automatically ban abusive IPs?

Thanks.


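As an added example (not part of the post above, and not a Linode or fail2ban project file): a fail2ban filter and jail for exactly the access-log pattern shown in the post, together with an offline re-implementation of fail2ban's findtime/maxretry rule so the filter can be checked against log lines without a server. The filter name, log path and thresholds are assumptions; the 16 attack lines are regenerated from the post's template and timestamps, and the benign lines are constructed.

```python
"""
Added example (not from the forum post): a fail2ban filter/jail for the
xmlrpc.php POST flood, plus an offline model of fail2ban's ban rule so the
filter can be tested against the log lines from the post.
Assumed, not from the post: filter name, logpath, findtime, maxretry, bantime.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# /etc/fail2ban/filter.d/wordpress-xmlrpc.conf (assumed name).
# fail2ban strips the timestamp before applying failregex, so the ".*" after
# <HOST> spans the "- -" fields and the date position of the combined format.
FILTER_CONF = r"""[Definition]
failregex = ^<HOST> .* "POST /xmlrpc\.php HTTP/[\d.]+" \d{3} \d+
ignoreregex =
"""

# /etc/fail2ban/jail.local fragment (assumed thresholds: 10 POSTs to
# xmlrpc.php within 60 s from one address -> 24 h ban via the default action).
JAIL_LOCAL = """[wordpress-xmlrpc]
enabled  = true
filter   = wordpress-xmlrpc
port     = http,https
logpath  = /var/log/apache2/access.log
findtime = 60
maxretry = 10
bantime  = 86400
"""

# fail2ban's <HOST> tag; IPv4 is enough for the lines in the post.
HOST_RE = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"
TS_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]")


def failregex_from_conf(conf: str) -> re.Pattern:
    """Pull failregex out of a filter file and expand <HOST> to a named group."""
    expr = re.search(r"^failregex\s*=\s*(.+)$", conf, re.M).group(1)
    return re.compile(expr.replace("<HOST>", HOST_RE))


def jail_setting(conf: str, key: str) -> int:
    """Read an integer option such as findtime or maxretry from the jail text."""
    return int(re.search(rf"^{key}\s*=\s*(\d+)$", conf, re.M).group(1))


def log_time(line: str) -> datetime:
    """Parse the bracketed Apache timestamp (zone offset ignored; all lines share it)."""
    return datetime.strptime(TS_RE.search(line).group(1), "%d/%b/%Y:%H:%M:%S")


def bans(lines, findtime=None, maxretry=None):
    """fail2ban's rule: an address is banned the moment it has accumulated
    maxretry failregex matches whose timestamps fall within findtime seconds.
    Returns {ip: time_of_ban}."""
    findtime = findtime or jail_setting(JAIL_LOCAL, "findtime")
    maxretry = maxretry or jail_setting(JAIL_LOCAL, "maxretry")
    rx = failregex_from_conf(FILTER_CONF)
    recent = defaultdict(list)
    banned = {}
    for line in lines:
        m = rx.search(line)
        if not m or m.group("host") in banned:
            continue
        ip, ts = m.group("host"), log_time(line)
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > timedelta(seconds=findtime):  # expire old matches
            window.pop(0)
        if len(window) >= maxretry:
            banned[ip] = ts
    return banned


LINE = ('{ip} - - [02/Apr/2015:14:40:{sec:02d} -0400] "{req}" {status} {size} "-" '
        '"Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"')
POST = "POST /xmlrpc.php HTTP/1.0"

# The 16 lines from the post, regenerated from the same template and the same
# timestamps (seven at :04, three at :05, five at :06, one at :07) ...
ATTACK = [LINE.format(ip="92.222.33.207", sec=s, req=POST, status=200, size=663)
          for s in [4] * 7 + [5] * 3 + [6] * 5 + [7]]
# ... plus constructed traffic that must not be banned: one page view and three
# xmlrpc POSTs from another (documentation-range) address.
BENIGN = [LINE.format(ip="203.0.113.5", sec=4, req="GET / HTTP/1.1", status=200, size=4512)] + \
         [LINE.format(ip="198.51.100.7", sec=s, req=POST, status=200, size=663) for s in (5, 6, 7)]
SAMPLE_LOG = sorted(ATTACK + BENIGN, key=log_time)

if __name__ == "__main__":
    for ip, when in bans(SAMPLE_LOG).items():
        print(f"ban {ip} at {when:%H:%M:%S}")  # 92.222.33.207 on its 10th POST, at 14:40:05
    print(JAIL_LOCAL)
```

On the real server the same filter text can be checked with `fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/wordpress-xmlrpc.conf` before enabling the jail. The reason to ban at the packet filter rather than only in functions.php is that the WordPress hooks run after WordPress has bootstrapped, so every POST still costs a full PHP request; a fail2ban ban (or a web-server deny rule for /xmlrpc.php) stops the request before PHP is involved, which is what actually lowers CPU use.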
PostPosted: Thu Apr 02, 2015 3:18 pm 
Offline
Senior Member
User avatar

Joined: Sun Dec 27, 2009 11:12 pm
Posts: 1038
Location: Colorado, USA
That IP belongs to 92.0.0.0/8, so unless you do business in France, try blocking the whole range.

_________________
Either provide enough details for people to help, or sit back and listen to the crickets chirp.
Security thru obscurity is a myth - and really really annoying.


PostPosted: Thu Apr 02, 2015 3:21 pm 
Offline
Senior Newbie

Joined: Tue Jan 27, 2015 4:58 pm
Posts: 5
That would be a quick solution, but looking back through my logs there are other IPs that have caused the same problem from different ranges such as 88.0.0.0. I'd rather implement some proper security than resort to mass banning if possible.

