Re: [bitfolk] Networking? problem

Author: Paul Tansom
Date:  
To: users
Subject: Re: [bitfolk] Networking? problem
** Gavin Westwood <bitfolk-lists-2015@???> [2019-11-05 16:11]:
> On 05/11/2019 12:38, Paul Tansom wrote:
> > ** Jon Spriggs <jon@???> [2019-11-04 19:51]:
> >> Rather than disabling XMLRPC, there's a plugin called "*Disable XML-RPC
> >> Pingback*" which might be better. XML-RPC is primarily used by Wordpress
> >> client applications (like the Mobile App), and Jetpack (the wordpress.com
> >> plugin pack).
> > ** end quote [Jon Spriggs]
> >
> > I have had issues with RPC and WordPress, and still get regular
> > probes/connections. I did have the Disable XML-RPC Pingback plugin for a while,
> > but I've removed it now as I have Fail2ban doing the job. It seems to be kept
> > quite busy, but is clearly doing its job, and has the benefit of allowing
> > Jetpack to function if you want to connect with that.
>
> Would you mind sharing the rule you use for this?  As a Wordpress and
> fail2ban user myself it does sound a better solution to me.

** end quote [Gavin Westwood]

I set this up in 2014 by the looks of it. I can't remember where I got the
reference info from, but I've got a file I ended up calling wp-xmlrpc.conf in
the /etc/fail2ban/filter.d directory (Ubuntu 18.04). That may be unnecessary
detail.

The content is:

--
# Fail2Ban configuration file

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]
_daemon = wp-xmlrpc

# Option: failregex
# Notes.: regex to match repeated xmlrpc attacks. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = <HOST>\s.*\s.POST /xmlrpc.php HTTP/1.1"*.\s.*

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =

and /etc/fail2ban/jail.local
[wp-xmlrpc]
enabled = true
filter = wp-xmlrpc
action = iptables-multiport[name=wp-xmlrpc, port="80,443", protocol=tcp]
         sendmail-whois[name=wp-xmlrpc, dest=email@???]
logpath = /home/*/logs/access_log
maxretry = 10
findtime = 60
bantime = 3600
--

I am now expecting somebody to point out an error :-)

--
Paul Tansom | Aptanet Ltd. | https://www.aptanet.com/ | 023 9238 0001
=============================================================================
Registered in England | Company No: 4905028 | Registered Office: Ralls House,
Parklands Business Park, Forrest Road, Denmead, Waterlooville, Hants, PO7 6XP
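
Added example, not part of the original message and not fail2ban's own code: a simplified model of how the failregex and the jail's maxretry/findtime values above decide which clients get banned, run over constructed access_log lines. It assumes the failregex begins with fail2ban's `<HOST>` tag and a combined-format log; the helper names and sample IPs are made up for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: the failregex starts with fail2ban's <HOST> tag, expanded here
# to the alias quoted in the filter's comments.
HOST = r'(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)'
FAILREGEX = re.compile(
    r'<HOST>\s.*\s.POST /xmlrpc.php HTTP/1.1"*.\s.*'.replace('<HOST>', HOST))
STAMP = re.compile(r'\[([^\]]+)\]')
MAXRETRY, FINDTIME = 10, 60  # maxretry and findtime from the [wp-xmlrpc] jail

def make_line(ip, when, method):
    """Build one constructed combined-format access_log line."""
    ts = when.strftime('%d/%b/%Y:%H:%M:%S +0000')
    return (f'{ip} - - [{ts}] "{method} /xmlrpc.php HTTP/1.1" '
            '200 370 "-" "constructed-agent"')

def sample_log():
    """Constructed traffic: documentation-range IPs, not real log data."""
    t0 = datetime(2019, 11, 5, 16, 0, 0)
    step = lambda n, gap: [t0 + timedelta(seconds=i * gap) for i in range(n)]
    return (
        [make_line('203.0.113.7', t, 'POST') for t in step(12, 1)]      # burst
        + [make_line('198.51.100.20', t, 'POST') for t in step(3, 15)]  # app-like
        + [make_line('192.0.2.99', t, 'POST') for t in step(10, 30)]    # low rate
        + [make_line('192.0.2.5', t, 'GET') for t in step(15, 1)]       # GET only
    )

def banned_hosts(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Hosts with at least maxretry matching lines within findtime seconds."""
    recent, banned = defaultdict(deque), set()
    for line in lines:
        m = FAILREGEX.search(line)
        if not m:
            continue
        when = datetime.strptime(STAMP.search(line).group(1),
                                 '%d/%b/%Y:%H:%M:%S %z')
        hits = recent[m.group('host')]
        hits.append(when)
        while (when - hits[0]).total_seconds() > findtime:
            hits.popleft()
        if len(hits) >= maxretry:
            banned.add(m.group('host'))
    return banned

if __name__ == '__main__':
    print(sorted(banned_hosts(sample_log())))
```

With the jail's values only the burst client is banned; calling `banned_hosts(sample_log(), maxretry=3)` also bans the two low-volume clients, which is the trade-off to weigh if Jetpack or the mobile app must keep working.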