Linode Forum
https://forum.linode.com/

Setting up fail2ban for WordPress abuse
https://forum.linode.com/viewtopic.php?f=19&t=11712
Page 1 of 1

Author:  rdcalex [ Thu Apr 02, 2015 2:49 pm ]
Post subject:  Setting up fail2ban for WordPress abuse

For the past few weeks I've been experiencing some sort of attack that's been slowing my site a ton. Checking the access log shows things like this:

Code:
92.222.33.207 - - [02/Apr/2015:14:40:04 -0400] "POST /xmlrpc.php HTTP/1.0" 200 663 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
92.222.33.207 - - [02/Apr/2015:14:40:04 -0400] "POST /xmlrpc.php HTTP/1.0" 200 663 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
92.222.33.207 - - [02/Apr/2015:14:40:04 -0400] "POST /xmlrpc.php HTTP/1.0" 200 663 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
92.222.33.207 - - [02/Apr/2015:14:40:04 -0400] "POST /xmlrpc.php HTTP/1.0" 200 663 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
92.222.33.207 - - [02/Apr/2015:14:40:04 -0400] "POST /xmlrpc.php HTTP/1.0" 200 663 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
92.222.33.207 - - [02/Apr/2015:14:40:04 -0400] "POST /xmlrpc.php HTTP/1.0" 200 663 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
92.222.33.207 - - [02/Apr/2015:14:40:04 -0400] "POST /xmlrpc.php HTTP/1.0" 200 663 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
92.222.33.207 - - [02/Apr/2015:14:40:05 -0400] "POST /xmlrpc.php HTTP/1.0" 200 663 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
92.222.33.207 - - [02/Apr/2015:14:40:05 -0400] "POST /xmlrpc.php HTTP/1.0" 200 663 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
92.222.33.207 - - [02/Apr/2015:14:40:05 -0400] "POST /xmlrpc.php HTTP/1.0" 200 663 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
92.222.33.207 - - [02/Apr/2015:14:40:06 -0400] "POST /xmlrpc.php HTTP/1.0" 200 663 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
92.222.33.207 - - [02/Apr/2015:14:40:06 -0400] "POST /xmlrpc.php HTTP/1.0" 200 663 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
92.222.33.207 - - [02/Apr/2015:14:40:06 -0400] "POST /xmlrpc.php HTTP/1.0" 200 663 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
92.222.33.207 - - [02/Apr/2015:14:40:06 -0400] "POST /xmlrpc.php HTTP/1.0" 200 663 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
92.222.33.207 - - [02/Apr/2015:14:40:06 -0400] "POST /xmlrpc.php HTTP/1.0" 200 663 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
92.222.33.207 - - [02/Apr/2015:14:40:07 -0400] "POST /xmlrpc.php HTTP/1.0" 200 663 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"


After doing some Googling I tried implementing quick fixes by adding the following to my functions.php:

Code:
// Disables only the XML-RPC methods that require authentication; xmlrpc.php itself
// still answers POST requests, which is why the log lines above still show 200.
add_filter( 'xmlrpc_enabled', '__return_false' );

// Remove the pingback.ping method so the site cannot be used as a pingback relay.
add_filter( 'xmlrpc_methods', 'remove_xmlrpc_pingback_ping' );
function remove_xmlrpc_pingback_ping( $methods ) {
    unset( $methods['pingback.ping'] );
    return $methods;
}

// Log every pingback.ping call to syslog so fail2ban can match on it.
add_action( 'xmlrpc_call', 'fail2ban_pingback_hook' );
function fail2ban_pingback_hook( $call ) {
    if ( 'pingback.ping' == $call ) {
        openlog( 'wordpress(' . $_SERVER['HTTP_HOST'] . ')', LOG_NDELAY | LOG_PID, LOG_AUTHPRIV );
        syslog( LOG_NOTICE, 'Pingback requested from ' . $_SERVER['REMOTE_ADDR'] );
    }
}

// Log pingback errors to syslog as well, except code 48 ("already registered").
add_filter( 'xmlrpc_pingback_error', 'fail2ban_pingback_error_hook', 1 );
function fail2ban_pingback_error_hook( $ixr_error ) {
    if ( $ixr_error->code === 48 ) return $ixr_error; // don't punish duplication
    openlog( 'wordpress(' . $_SERVER['HTTP_HOST'] . ')', LOG_NDELAY | LOG_PID, LOG_AUTHPRIV );
    syslog( LOG_NOTICE, 'Pingback error ' . $ixr_error->code . ' generated from ' . $_SERVER['REMOTE_ADDR'] );
    return $ixr_error;
}


This seemed to improve the speeds for a little bit, but checking the logs showed that I was still getting hit with a ton of POST requests as shown above and the server's CPU use has been affected negatively as a result.

Manually blocking the IP address that is making these requests fixes the issues, but only temporarily as the attacker comes back a few hours later with a new IP.

Would anyone be able to point me in the right direction for setting up fail2ban properly so that it will automatically ban abusive IPs?

Thanks.
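The question above boils down to two things: a fail2ban filter that matches the access-log lines shown, and a jail that bans a host once it has produced enough matches inside a time window. The following is an added example, not code from the thread or from the fail2ban project: it carries the filter regex and jail settings as string constants (the jail name `wordpress-xmlrpc`, the Apache log path and the maxretry/findtime values are my assumptions) and re-implements fail2ban's sliding-window counting in Python so the filter can be exercised against constructed log lines in the same format as the ones posted.

```python
"""Fail2ban-style detection of repeated POST /xmlrpc.php hits (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Filter as it would go in /etc/fail2ban/filter.d/wordpress-xmlrpc.conf under
# [Definition]. <HOST> is fail2ban's placeholder for the client address; the ".*"
# spans the timestamp so the pattern does not depend on how fail2ban handles it.
FAILREGEX = r'^<HOST> - \S+ .*"POST /xmlrpc\.php HTTP/[0-9.]+" 200 '

# Jail as it would go in /etc/fail2ban/jail.local (log path is an assumption).
JAIL_LOCAL = """
[wordpress-xmlrpc]
enabled  = true
port     = http,https
filter   = wordpress-xmlrpc
logpath  = /var/log/apache2/access.log
maxretry = 5
findtime = 60
bantime  = 3600
"""
MAXRETRY = 5   # matches needed before a ban
FINDTIME = 60  # seconds in which those matches must occur

# fail2ban substitutes a host-matching group for <HOST>; a simplified stand-in here.
HOST_GROUP = r'(?P<host>[0-9a-fA-F.:]+)'
_LINE_RE = re.compile(FAILREGEX.replace('<HOST>', HOST_GROUP))
_TS_RE = re.compile(r'\[([^\]]+)\]')
_TS_FMT = '%d/%b/%Y:%H:%M:%S %z'

# Constructed sample log lines (TEST-NET addresses), not taken from the thread:
# 203.0.113.7 hammers xmlrpc.php, 192.0.2.50 sends five POSTs spread over 90 s,
# the rest are non-matching traffic.
SAMPLE_LOG = """\
192.0.2.50 - - [02/Apr/2015:14:40:00 -0400] "POST /xmlrpc.php HTTP/1.0" 200 663 "-" "scanner/1.0"
203.0.113.7 - - [02/Apr/2015:14:40:04 -0400] "POST /xmlrpc.php HTTP/1.0" 200 663 "-" "scanner/1.0"
203.0.113.7 - - [02/Apr/2015:14:40:04 -0400] "POST /xmlrpc.php HTTP/1.0" 200 663 "-" "scanner/1.0"
203.0.113.7 - - [02/Apr/2015:14:40:04 -0400] "POST /xmlrpc.php HTTP/1.0" 200 663 "-" "scanner/1.0"
203.0.113.7 - - [02/Apr/2015:14:40:05 -0400] "POST /xmlrpc.php HTTP/1.0" 200 663 "-" "scanner/1.0"
203.0.113.7 - - [02/Apr/2015:14:40:05 -0400] "POST /xmlrpc.php HTTP/1.0" 200 663 "-" "scanner/1.0"
203.0.113.7 - - [02/Apr/2015:14:40:06 -0400] "POST /xmlrpc.php HTTP/1.0" 200 663 "-" "scanner/1.0"
198.51.100.9 - - [02/Apr/2015:14:40:10 -0400] "POST /xmlrpc.php HTTP/1.1" 200 663 "-" "Mozilla/5.0"
198.51.100.9 - - [02/Apr/2015:14:40:11 -0400] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "Mozilla/5.0"
198.51.100.23 - - [02/Apr/2015:14:40:12 -0400] "POST /wp-login.php HTTP/1.1" 200 1500 "-" "Mozilla/5.0"
192.0.2.50 - - [02/Apr/2015:14:40:20 -0400] "POST /xmlrpc.php HTTP/1.0" 200 663 "-" "scanner/1.0"
192.0.2.50 - - [02/Apr/2015:14:40:40 -0400] "POST /xmlrpc.php HTTP/1.0" 200 663 "-" "scanner/1.0"
192.0.2.50 - - [02/Apr/2015:14:41:00 -0400] "POST /xmlrpc.php HTTP/1.0" 200 663 "-" "scanner/1.0"
192.0.2.50 - - [02/Apr/2015:14:41:30 -0400] "POST /xmlrpc.php HTTP/1.0" 200 663 "-" "scanner/1.0"
"""


def sample_lines():
    """The constructed log above, split into lines."""
    return SAMPLE_LOG.strip().splitlines()


def parse_timestamp(line):
    """Return the datetime from the bracketed combined-log timestamp."""
    m = _TS_RE.search(line)
    if not m:
        raise ValueError('no timestamp in line: ' + line)
    return datetime.strptime(m.group(1), _TS_FMT)


def offending_host(line):
    """Return the client address if the line matches FAILREGEX, else None."""
    m = _LINE_RE.match(line)
    return m.group('host') if m else None


def hosts_to_ban(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Sliding-window count the way fail2ban does it: a host is banned on its
    maxretry-th match within findtime seconds. Returns {host: time of ban}."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)  # host -> timestamps of its recent matches
    banned = {}
    for line in lines:
        host = offending_host(line)
        if host is None or host in banned:
            continue
        ts = parse_timestamp(line)
        q = recent[host]
        q.append(ts)
        while q and q[0] < ts - window:  # drop matches that fell out of the window
            q.popleft()
        if len(q) >= maxretry:
            banned[host] = ts
    return banned


if __name__ == '__main__':
    for host, when in hosts_to_ban(sample_lines()).items():
        print(f'ban {host} (threshold reached at {when.isoformat()})')
```

Running it bans only 203.0.113.7, at its fifth POST (14:40:05); 192.0.2.50 never has five matches inside any 60-second window, and the GET and wp-login lines never match the filter at all. Before enabling the real jail, run `fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/wordpress-xmlrpc.conf` to confirm the regex matches the live log, then check `fail2ban-client status wordpress-xmlrpc` once it is active. One caveat worth checking first: if the site sits behind a reverse proxy or CDN, the address in the access log is the proxy's, and banning it would block all visitors rather than the abusive client.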

Author:  vonskippy [ Thu Apr 02, 2015 3:18 pm ]
Post subject:  Re: Setting up fail2ban for WordPress abuse

That IP belongs to 92.0.0.0/8, so unless you do business in France, try blocking the whole range.

Author:  rdcalex [ Thu Apr 02, 2015 3:21 pm ]
Post subject:  Re: Setting up fail2ban for WordPress abuse

That would be a quick solution, but looking back through my logs there are other IPs that have caused the same problem from different ranges such as 88.0.0.0. I'd rather implement some proper security than resort to mass banning if possible.
