One of the issues I’ve faced on this server is attacks against xmlrpc.php. These are normally bots trying to exploit old bugs in the xmlrpc.php endpoint that ships with WordPress. Many legitimate plugins, Jetpack among them, rely on this file, so blocking it outright isn’t really an option.
In my case, I wanted to block the attacking hosts with iptables rather than turning the endpoint off, so I set up a fail2ban jail that bans any client that repeatedly POSTs to xmlrpc.php.
To get started, install iptables and fail2ban:
apt-get install fail2ban iptables
Once installed, edit fail2ban’s local jail file, /etc/fail2ban/jail.local (the file that overrides the packaged jail.conf). It won’t exist on a new install, so create it.
Add the following lines (make sure logpath matches your own Apache access log):
[xmlrpc]
enabled = true
filter = xmlrpc
action = iptables[name=xmlrpc, port=http, protocol=tcp]
logpath = /var/log/apache2/access.log
bantime = 43600
maxretry = 2
Now create the filter that the jail refers to. Because the jail says filter = xmlrpc, fail2ban looks for /etc/fail2ban/filter.d/xmlrpc.conf, which won’t exist yet.
Add the following lines:
[Definition]
failregex = ^<HOST> .*POST .*xmlrpc\.php.*
ignoreregex =
Be aware that this regex matches every POST to xmlrpc.php, not only failed or abusive ones, so with maxretry = 2 any legitimate client (Jetpack included) that posts twice within fail2ban’s findtime window will be banned too. If that matters for your site, list those clients’ addresses under ignoreip in the jail, or raise maxretry to fit your normal traffic.
Restart the fail2ban service so it picks up the new jail and filter:
service fail2ban restart
You can watch the log in real-time to ensure it’s blocking correctly:
tail -f /var/log/fail2ban.log
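Before letting the jail loose on a live server it is worth seeing exactly which log lines the failregex catches and which hosts would cross the maxretry threshold. The script below is an added example, not part of the original post or of fail2ban itself: it applies the filter’s regex to a handful of constructed Apache access-log lines and simulates fail2ban’s counting, banning a host once it has maxretry matches inside a findtime window (fail2ban’s default findtime of 600 seconds is assumed). fail2ban’s real <HOST> tag expands to a more elaborate pattern; the simplified IPv4/IPv6 capture used here is an assumption for the dry run.

```python
"""Dry-run of the xmlrpc fail2ban filter against constructed Apache log lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The failregex from filter.d/xmlrpc.conf, with fail2ban's <HOST> tag replaced by a
# named capture group. Assumption: a plain IPv4/IPv6 character class stands in for
# fail2ban's real (more elaborate) <HOST> expansion.
HOST = r"(?P<host>[0-9a-fA-F.:]+)"
FAILREGEX = re.compile(r"^" + HOST + r" .*POST .*xmlrpc\.php.*")

# Apache combined-log timestamp, e.g. [10/Oct/2023:13:55:36 +0000]; the offset is
# ignored because every line in one access log shares it.
TIMESTAMP = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]")

# Constructed sample log (not captured from a real server, addresses are RFC 5737
# documentation ranges): one host hammering xmlrpc.php, one host that only GETs it
# and POSTs elsewhere, and one well-behaved client that POSTs twice, 23 minutes apart.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:37 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:38 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "curl/7.68.0"
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1200 "-" "curl/7.68.0"
192.0.2.44 - - [10/Oct/2023:13:57:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "example-plugin/1.0"
192.0.2.44 - - [10/Oct/2023:14:20:11 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "example-plugin/1.0"
"""


def matches(line):
    """Return the client address if the line matches failregex, else None."""
    m = FAILREGEX.match(line)
    return m.group("host") if m else None


def parse_time(line):
    """Extract the request timestamp from an Apache combined-log line."""
    m = TIMESTAMP.search(line)
    return datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S")


def hosts_to_ban(log_text, maxretry=2, findtime=600):
    """Simulate the jail: ban a host once it has maxretry matches within findtime seconds.

    Returns the banned addresses in the order they would be banned.
    """
    hits = defaultdict(list)
    banned = []
    for line in log_text.splitlines():
        host = matches(line)
        if host is None:
            continue
        now = parse_time(line)
        # Keep only the matches that are still inside the sliding findtime window.
        recent = [t for t in hits[host] if now - t <= timedelta(seconds=findtime)]
        recent.append(now)
        hits[host] = recent
        if len(recent) >= maxretry and host not in banned:
            banned.append(host)
    return banned


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        print("MATCH " if matches(line) else "ignore", line[:60])
    print("banned with defaults:", hosts_to_ban(SAMPLE_LOG))
    print("banned with findtime=3600:", hosts_to_ban(SAMPLE_LOG, findtime=3600))
```

With the default 600-second findtime only 203.0.113.10 is banned; the GET to xmlrpc.php and the POST to wp-login.php never match. Widen findtime to an hour and the well-behaved 192.0.2.44 is banned as well, which is the trade-off the maxretry = 2 setting makes. Two observations a practitioner should keep in mind: the filter counts successful POSTs as failures, and because the pattern is not anchored to the request field, a line whose referrer or user-agent happens to contain "POST" followed by "xmlrpc.php" would also match. fail2ban ships its own fail2ban-regex tool for running a filter against a real log file, which is the next check to run before trusting the jail.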