We run a VPS server where I work, and a fair amount of our clients use WordPress. Lately we’ve noticed a ton of attacks come in for ‘xmlrpc.php’, so many that it shuts down our server (so much so that we need to log into a laggy SSH session and start issuing bans manually).

We then found a nice piece of software called Fail2Ban and I went and taught myself how to write a jail for it… however, it’s not fully working and some attacks are still getting by.

I’m wondering how these are getting by and would greatly appreciate any advice given!

Here is a copy of the jail that was made:

# wordpress-xmlrpc.conf
[INCLUDES]
before = common.conf

[Definition]
_daemon = wordpress
failregex = ^[a-zA-Z0-9\.]+ <HOST> .*/xmlrpc\.php.*
ignoreregex =

Here is a copy of what’s inside the jail.conf for loading the jail:

[wordpress-xmlrpc]
enabled  = true
filter   = wordpress-xmlrpc
action   = iptables[name=WordPressXMLRPC, port=http, protocol=tcp]
           sendmail-whois[name=WordpressXMLRPC, dest=MY-EMAIL ADDRESS, sender=SERVER-ADMIN@SERVER.COM, sendername="Fail2Ban"]
logpath  = /var/log/httpd/access_log
maxretry = 5

And lastly, here’s a copy of an attack that had gotten past the filter tonight:

www.WEBSITE-OF-CLIENT.com 198.XXX.XXX.138 - - [28/Dec/2014:23:34:25 -0600] "POST /xmlrpc.php HTTP/1.0" 200 435 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
www.WEBSITE-OF-CLIENT.com 198.XXX.XXX.138 - - [28/Dec/2014:23:34:27 -0600] "POST /xmlrpc.php HTTP/1.0" 200 435 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
www.WEBSITE-OF-CLIENT.com 198.XXX.XXX.138 - - [28/Dec/2014:23:34:25 -0600] "POST /xmlrpc.php HTTP/1.0" 200 435 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
www.WEBSITE-OF-CLIENT.com 198.XXX.XXX.138 - - [28/Dec/2014:23:33:54 -0600] "POST /xmlrpc.php HTTP/1.0" 200 435 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
www.WEBSITE-OF-CLIENT.com 198.XXX.XXX.138 - - [28/Dec/2014:23:34:19 -0600] "POST /xmlrpc.php HTTP/1.0" 200 435 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
www.WEBSITE-OF-CLIENT.com 198.XXX.XXX.138 - - [28/Dec/2014:23:34:24 -0600] "POST /xmlrpc.php HTTP/1.0" 200 435 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
www.WEBSITE-OF-CLIENT.com 198.XXX.XXX.138 - - [28/Dec/2014:23:34:23 -0600] "POST /xmlrpc.php HTTP/1.0" 200 435 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
www.WEBSITE-OF-CLIENT.com 198.XXX.XXX.138 - - [28/Dec/2014:23:34:21 -0600] "POST /xmlrpc.php HTTP/1.0" 200 435 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
www.WEBSITE-OF-CLIENT.com 198.XXX.XXX.138 - - [28/Dec/2014:23:33:54 -0600] "POST /xmlrpc.php HTTP/1.0" 200 435 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
www.WEBSITE-OF-CLIENT.com 198.XXX.XXX.138 - - [28/Dec/2014:23:34:19 -0600] "POST /xmlrpc.php HTTP/1.0" 200 435 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
www.WEBSITE-OF-CLIENT.com 198.XXX.XXX.138 - - [28/Dec/2014:23:34:27 -0600] "POST /xmlrpc.php HTTP/1.0" 200 435 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
www.WEBSITE-OF-CLIENT.com 198.XXX.XXX.138 - - [28/Dec/2014:23:34:25 -0600] "POST /xmlrpc.php HTTP/1.0" 200 435 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
www.WEBSITE-OF-CLIENT.com 198.XXX.XXX.138 - - [28/Dec/2014:23:34:23 -0600] "POST /xmlrpc.php HTTP/1.0" 200 435 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
www.WEBSITE-OF-CLIENT.com 198.XXX.XXX.138 - - [28/Dec/2014:23:34:27 -0600] "POST /xmlrpc.php HTTP/1.0" 200 435 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
www.WEBSITE-OF-CLIENT.com 198.XXX.XXX.138 - - [28/Dec/2014:23:34:22 -0600] "POST /xmlrpc.php HTTP/1.0" 200 435 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
www.WEBSITE-OF-CLIENT.com 198.XXX.XXX.138 - - [28/Dec/2014:23:34:24 -0600] "POST /xmlrpc.php HTTP/1.0" 200 435 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
www.WEBSITE-OF-CLIENT.com 198.XXX.XXX.138 - - [28/Dec/2014:23:34:27 -0600] "POST /xmlrpc.php HTTP/1.0" 200 435 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
www.WEBSITE-OF-CLIENT.com 198.XXX.XXX.138 - - [28/Dec/2014:23:34:27 -0600] "POST /xmlrpc.php HTTP/1.0" 200 435 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
www.WEBSITE-OF-CLIENT.com 198.XXX.XXX.138 - - [28/Dec/2014:23:34:23 -0600] "POST /xmlrpc.php HTTP/1.0" 200 435 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
www.WEBSITE-OF-CLIENT.com 198.XXX.XXX.138 - - [28/Dec/2014:23:33:54 -0600] "POST /xmlrpc.php HTTP/1.0" 200 435 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"

As I said, any help whatsoever with this would be awesome!
Thanks in advance.
Sean C.

4 Spice ups
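An added check, not part of the thread, that runs the posted failregex over constructed log lines redacted the same way as the excerpt above. The <HOST> expansion is an approximation of fail2ban’s, the IPs are documentation addresses, and the assumption being tested is that the affected client’s hostname contains hyphens (as the redacted sample does), which the first character class of the posted regex does not allow:

```python
import re

# Constructed sample lines, redacted like the post's excerpt. The first vhost
# name contains hyphens; the second does not; the third is not an xmlrpc hit.
LOG_LINES = [
    'www.WEBSITE-OF-CLIENT.com 198.51.100.138 - - [28/Dec/2014:23:34:25 -0600] '
    '"POST /xmlrpc.php HTTP/1.0" 200 435 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"',
    'www.example.com 198.51.100.138 - - [28/Dec/2014:23:34:27 -0600] '
    '"POST /xmlrpc.php HTTP/1.0" 200 435 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"',
    'www.example.com 203.0.113.7 - - [28/Dec/2014:23:35:01 -0600] '
    '"GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

# Approximation of what fail2ban substitutes for the <HOST> tag in a failregex.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# The filter exactly as posted in the question.
ORIGINAL = r"^[a-zA-Z0-9\.]+ <HOST> .*/xmlrpc\.php.*"
# Same filter with '-' added to the vhost character class (the assumed fix).
FIXED = r"^[a-zA-Z0-9.\-]+ <HOST> .*/xmlrpc\.php.*"


def compile_failregex(failregex):
    """Expand <HOST> the way fail2ban does and compile the result."""
    return re.compile(failregex.replace("<HOST>", HOST))


def matched_hosts(failregex, lines):
    """Return the <host> capture for every log line the failregex matches."""
    pattern = compile_failregex(failregex)
    hits = []
    for line in lines:
        m = pattern.search(line)
        if m:
            hits.append(m.group("host"))
    return hits


if __name__ == "__main__":
    # The posted regex only bans the hit on the hyphen-free vhost; the
    # hyphenated client site sails through, matching what the poster observed.
    print("original:", matched_hosts(ORIGINAL, LOG_LINES))
    print("fixed:   ", matched_hosts(FIXED, LOG_LINES))
```

fail2ban ships its own tool for this check against the real log, `fail2ban-regex /var/log/httpd/access_log /etc/fail2ban/filter.d/wordpress-xmlrpc.conf`, which reports how many lines matched and which did not.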

I think the problem is with your failregex. Could you try it directly on Apache’s log file using egrep?

1 Spice up

I think Luciano is correct.

This piece of your regular expression matches the single character at the beginning of each line:

[a-zA-Z0-9\.]

Is that what you want?

Depends on the speed of your logging. Fail2ban is just a fancy log parser and can only read the log output as fast as your webserver can write it. This is also common with /var/log/secure on CentOS in that quick scripts can usually get in 5-6 login attempts on a jail configured for 3.

2 Spice ups

I used to do this on my Ubuntu SSH server: fail2ban would add IPs to a list when they failed to authenticate after so many attempts (essentially putting them in “jail”). Here is the link I used way back when I configured it, and it worked very well for what I was trying to accomplish:

It suggests a separate file to store and recall permanently-banned IPs, which is read at fail2ban launch, and written to whenever an address is banned. This could also possibly be used to store bans in a database or the system-wide iptables rules.

Thanks, I will look into this; it just seems odd to me that this (the one I have above) works for all other websites we host but this one… it’s rather annoying.