Block xmlrpc.php attacks with fail2ban + iptables

One of the issues I’ve faced on this server is xmlrpc.php attacks: bots hammering WordPress’s xmlrpc.php endpoint, usually trying to exploit old bugs in it. Many legitimate plugins, Jetpack among them, talk to this file, so blocking it outright isn’t really an option.

In my case I wanted to block the offending hosts with iptables, so I set up a fail2ban jail to do it: fail2ban watches the web server’s access log, counts POSTs to xmlrpc.php per source IP, and inserts an iptables rule against any IP that exceeds the limit.

To get started, get iptables and fail2ban installed:

apt-get install fail2ban iptables

Once installed, create the local jail override. This file won’t exist on a new install; put your jails here rather than in jail.conf, which package upgrades overwrite.

nano /etc/fail2ban/jail.local

Add the following lines (make sure logpath matches your own access log, and list any hosts that legitimately POST to xmlrpc.php in ignoreip, otherwise the jail will ban them too):

[xmlrpc]
enabled = true
filter = xmlrpc
# bans port 80 only; if the site also serves HTTPS use
# iptables-multiport[name=xmlrpc, port="http,https", protocol=tcp]
action = iptables[name=xmlrpc, port=http, protocol=tcp]
logpath = /var/log/apache2/access.log
# seconds: roughly 12 hours
bantime = 43600
# matches within findtime (default 600 s) before a ban
maxretry = 2
# hosts that are allowed to POST to xmlrpc.php (e.g. plugin back-ends)
ignoreip = 127.0.0.1/8

Now create the filter (this file won’t exist either)

nano /etc/fail2ban/filter.d/xmlrpc.conf

Add the following lines

[Definition]
# <HOST> is replaced by fail2ban with an IP/hostname pattern. Anchoring on
# the request line ("POST /xmlrpc.php) avoids counting a GET, or a referer
# that merely contains xmlrpc.php.
failregex = ^<HOST> .*"POST /xmlrpc\.php
ignoreregex =

Restart the fail2ban service

service fail2ban restart

You can watch the fail2ban log in real time to confirm that bans are actually being issued:

tail -f /var/log/fail2ban.log
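Before pointing the jail at a live log it is worth seeing exactly which lines the failregex catches and who ends up banned under maxretry/findtime. The following dry run is an added example, not part of the original post and not fail2ban’s own code: it reimplements just enough of fail2ban’s matching and counting (sliding findtime window, maxretry threshold, ignoreip) to run the filter above over a handful of constructed Apache access-log lines. fail2ban strips the timestamp out of each line before applying the failregex; this dry run applies it to the raw line, which gives the same result because of the `.*` in the pattern. The `\S+` stand-in for `<HOST>` is an assumption; fail2ban’s real pattern is stricter.

```python
"""Dry run of the xmlrpc fail2ban filter against constructed access-log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Same failregex as in filter.d/xmlrpc.conf. fail2ban substitutes <HOST> with
# an IPv4/IPv6/hostname pattern; a non-whitespace run is a close enough
# stand-in for this dry run (assumption, not fail2ban's real pattern).
FAILREGEX = r'^<HOST> .*"POST /xmlrpc\.php'
HOST_GROUP = r'(?P<host>\S+)'

# Apache combined-log timestamp, e.g. [12/Aug/2016:13:25:33 +0000]
TS_RE = re.compile(r'\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]')

# Constructed sample log (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    # two POSTs 20 minutes apart: outside findtime=600, so never banned
    '192.0.2.5 - - [12/Aug/2016:13:00:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Jetpack"',
    '192.0.2.5 - - [12/Aug/2016:13:20:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Jetpack"',
    # attacker: three POSTs in three seconds, banned on the second one
    '198.51.100.7 - - [12/Aug/2016:13:25:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Aug/2016:13:25:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Aug/2016:13:25:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"',
    # ordinary visitor: a GET to xmlrpc.php and a POST elsewhere, never counted
    '203.0.113.9 - - [12/Aug/2016:13:26:00 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "curl/7.47.0"',
    '203.0.113.9 - - [12/Aug/2016:13:26:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    # legitimate plugin back-end: banned too unless it is listed in ignoreip
    '192.0.2.77 - - [12/Aug/2016:13:30:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Jetpack"',
    '192.0.2.77 - - [12/Aug/2016:13:30:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Jetpack"',
]


def compile_failregex(failregex: str) -> "re.Pattern[str]":
    """Turn a fail2ban failregex into a Python regex with a named host group."""
    return re.compile(failregex.replace('<HOST>', HOST_GROUP))


def parse_time(line: str) -> datetime:
    """Extract the request timestamp (timezone offset ignored for the dry run)."""
    m = TS_RE.search(line)
    if not m:
        raise ValueError(f'no timestamp in log line: {line!r}')
    return datetime.strptime(m.group(1), '%d/%b/%Y:%H:%M:%S')


def find_bans(lines, failregex=FAILREGEX, maxretry=2, findtime=600, ignoreip=()):
    """Return {host: time_of_ban} for hosts reaching maxretry matches within findtime seconds.

    Mirrors fail2ban's counting: matches older than findtime drop out of the
    per-host window, ignoreip hosts are never banned, and a host already
    banned is not counted again. Lines are expected in chronological order.
    """
    rx = compile_failregex(failregex)
    window = timedelta(seconds=findtime)
    hits = defaultdict(deque)
    banned = {}
    for line in lines:
        m = rx.match(line)
        if not m:
            continue  # GETs, wp-login.php, etc. are not counted
        host = m.group('host')
        if host in ignoreip or host in banned:
            continue
        t = parse_time(line)
        q = hits[host]
        q.append(t)
        while q and t - q[0] > window:
            q.popleft()
        if len(q) >= maxretry:
            banned[host] = t
    return banned


if __name__ == '__main__':
    for host, when in sorted(find_bans(SAMPLE_LOG).items()):
        print(f'would ban {host} at {when}')
    print('with ignoreip:', find_bans(SAMPLE_LOG, ignoreip={'192.0.2.77'}))
```

The run shows the trade-off hidden in `maxretry = 2`: the attacker is banned on its second request, but so is any plugin back-end that POSTs twice within findtime unless it is in ignoreip. On the real server, `fail2ban-regex /var/log/apache2/access.log /etc/fail2ban/filter.d/xmlrpc.conf` does the same matching against the live log with fail2ban’s own `<HOST>` pattern, and `fail2ban-client status xmlrpc` lists the IPs currently banned by the jail.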


Fosshub.com compromised – Malware on popular downloads

As discovered tonight, the popular download site Fosshub has been compromised.

The attackers have tampered with popular downloads such as Audacity, WinDirStat, qBittorrent, MKVToolNix, Spybot Search&Destroy, Calibre, SMPlayer, HWiNFO, MyPhoneExplorer, IrfanView and others.

https://twitter.com/CultOfRazer/status/760668803097296897

Installing these programs from Fosshub infects the machine with malware that rewrites the MBR, after which the operating system will no longer boot. If you downloaded any of these from Fosshub recently, do not run the installer.

https://twitter.com/CultOfRazer/status/760752941066313728

CultOfRazer (the Twitter account linked above) has claimed responsibility.