** Gavin Westwood <bitfolk-lists-2015(a)gavinwestwood.uk> [2019-11-05 16:11]:
On 05/11/2019 12:38, Paul Tansom wrote:
** Jon Spriggs <jon(a)sprig.gs> [2019-11-04 19:51]:
Rather than disabling XMLRPC, there's a plugin called "*Disable XML-RPC
Pingback*" which might be better. XML-RPC is primarily used by Wordpress
client applications (like the Mobile App), and Jetpack (the wordpress.com
plugin pack).
** end quote [Jon Spriggs]
I have had issues with RPC and WordPress, and still get regular
probes/connections. I did have the Disable XML-RPC Pingback plugin for a while,
but I've removed it now as I have Fail2ban doing the job. It seems to be kept
quite busy, but is clearly doing its job, and has the benefit of allowing
Jetpack to function if you want to connect with that.
Would you mind sharing the rule you use for this? As a Wordpress and
fail2ban user myself it does sound a better solution to me.
** end quote [Gavin Westwood]
I set this up in 2014 by the looks of it. I can't remember where I got the
reference info from, but I've got a file I ended up calling wp-xmlrpc.conf in
the /etc/fail2ban/filter.d directory (Ubuntu 18.04). That may be unnecessary
detail.
The content is:
--
# Fail2Ban configuration file
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf
[Definition]
_daemon = wp-xmlrpc
# Option: failregex
# Notes.: regex to match repeated xmlrpc attacks. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = <HOST>\s.*\s.POST /xmlrpc.php HTTP/1.1"*.\s.*
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
and /etc/fail2ban/jail.local
[wp-xmlrpc]
enabled = true
filter = wp-xmlrpc
action = iptables-multiport[name=wp-xmlrpc, port="80,443", protocol=tcp]
         sendmail-whois[name=wp-xmlrpc, dest=email@domain.net]
logpath = /home/*/logs/access_log
maxretry = 10
findtime = 60
bantime = 3600
--
I am now expecting somebody to point out an error :-)
--
Paul Tansom | Aptanet Ltd. | https://www.aptanet.com/ | 023 9238 0001
=============================================================================
Registered in England | Company No: 4905028 | Registered Office: Ralls House,
Parklands Business Park, Forrest Road, Denmead, Waterlooville, Hants, PO7 6XP
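
Added example, not part of the message above and not fail2ban's own code: a small offline check of which clients the posted filter and jail settings (maxretry = 10, findtime = 60) would ban. Assumptions: `<HOST>` is expanded with the alias quoted in the filter's comment block, the sliding-window count is a simplified model of fail2ban's behaviour, and the log lines are constructed (documentation address ranges).

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# <HOST> expanded with the alias given in the filter's own comment block.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"
FAILREGEX = r'<HOST>\s.*\s.POST /xmlrpc.php HTTP/1.1"*.\s.*'
MAXRETRY, FINDTIME = 10, 60  # values from the [wp-xmlrpc] jail

_line_re = re.compile(FAILREGEX.replace("<HOST>", HOST))
_time_re = re.compile(r"\[([^\]]+)\]")  # first [...] is the access-log timestamp


def hosts_to_ban(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Hosts with >= maxretry matching lines inside a findtime-second window."""
    recent = defaultdict(deque)  # host -> timestamps of recent matches
    banned = []
    for line in lines:
        m, t = _line_re.search(line), _time_re.search(line)
        if not m or not t:
            continue  # not a POST to /xmlrpc.php, or no timestamp
        when = datetime.strptime(t.group(1), "%d/%b/%Y:%H:%M:%S %z").timestamp()
        host = m.group("host")
        window = recent[host]
        window.append(when)
        while when - window[0] > findtime:  # drop matches older than findtime
            window.popleft()
        if len(window) >= maxretry and host not in banned:
            banned.append(host)
    return banned


def sample_log():
    """Constructed Apache combined-format lines for the three cases below."""
    fmt = '{ip} - - [05/Nov/2019:16:{m:02d}:{s:02d} +0000] "{req} HTTP/1.1" 200 370 "-" "-"'
    post = "POST /xmlrpc.php"
    # Burst: 12 POSTs in 22 seconds, crosses maxretry inside findtime
    lines = [fmt.format(ip="203.0.113.7", m=0, s=s, req=post) for s in range(0, 24, 2)]
    # Occasional legitimate client (app or Jetpack style): 3 POSTs, minutes apart
    lines += [fmt.format(ip="198.51.100.20", m=m, s=0, req=post) for m in (1, 6, 11)]
    # Slow prober: 12 POSTs, one per minute, never 10 inside 60 seconds
    lines += [fmt.format(ip="192.0.2.99", m=m, s=30, req=post) for m in range(20, 32)]
    lines.append(fmt.format(ip="198.51.100.20", m=12, s=0, req="GET /index.php"))
    return lines


if __name__ == "__main__":
    print(hosts_to_ban(sample_log()))
```

The filter counts every POST to /xmlrpc.php whatever the response status, so only the rate threshold separates Jetpack or app traffic from probing, and a client that stays under 10 requests per 60 seconds is never banned.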