I have a rule for blocking excessive calls to wordpress xml-rpc:
Filter:
failregex = ^<HOST> .*POST .*xmlrpc\.php.*
ignoreregex =
Jail:
enabled = true
port = http,https
filter = php-xmlrpc
logpath = /var/log/httpd/access_log
maxretry = 6
bantime = 3600
action = iptables[name=PHP_XMLRPC, port=http, protocol=tcp]
This seems to be working because I got the following iptables rule during a recent xml-rpc spamming attack:
Chain INPUT (policy ACCEPT)
target prot opt source destination
MANUAL_BANS all -- 0.0.0.0/0 0.0.0.0/0
fail2ban-PHP_XMLRPC tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
Chain MANUAL_BANS (1 references)
target prot opt source destination
DROP tcp -- 221.194.47.0/24 0.0.0.0/0
DROP tcp -- 121.18.238.0/24 0.0.0.0/0
DROP tcp -- 221.194.44.0/24 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-PHP_XMLRPC (1 references)
target prot opt source destination
REJECT all -- 191.96.249.54 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 191.96.249.53 0.0.0.0/0 reject-with icmp-port-unreachable
RETURN all -- 0.0.0.0/0 0.0.0.0/0
BUT... somehow my apache server continued to see requests:
191.96.249.53 - - [14/Mar/2017:11:51:07 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.53 - - [14/Mar/2017:11:51:04 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.53 - - [14/Mar/2017:11:51:16 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.53 - - [14/Mar/2017:11:51:15 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.54 - - [14/Mar/2017:11:51:13 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.54 - - [14/Mar/2017:11:51:21 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.54 - - [14/Mar/2017:11:51:18 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.54 - - [14/Mar/2017:11:51:26 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.54 - - [14/Mar/2017:11:51:32 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.54 - - [14/Mar/2017:11:51:25 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.54 - - [14/Mar/2017:11:51:25 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.54 - - [14/Mar/2017:11:51:35 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.54 - - [14/Mar/2017:11:51:36 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.54 - - [14/Mar/2017:11:51:42 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.54 - - [14/Mar/2017:11:51:33 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.54 - - [14/Mar/2017:11:51:43 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.54 - - [14/Mar/2017:11:51:43 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.54 - - [14/Mar/2017:11:51:44 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.54 - - [14/Mar/2017:11:51:45 +0000] "POST /xmlrpc.php HTTP/1.0" 200 372 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
The online manual for fail2ban says bantime is in seconds, but the above looks like they actually implemented milliseconds (i.e. 3.6 seconds, not 60 minutes)? Have I missed something? How else could httpd still see requests?
I am using
Name : fail2ban
Arch : noarch
Version : 0.8.10
Release : 3.6.amzn1
