Block XML-RPC Attacks using CSF Firewall


Important: this method seems to no longer work on the latest CSF and CentOS versions. If you decide to proceed, there is no guarantee that it will stop XML-RPC attacks on your server.

There is another server-side method (found at the ConfigServer Forums) to block XML-RPC attacks using your server firewall. In this case, we will block the attack with a custom regex rule for the almighty CSF Firewall.

We will configure CSF to block the offending IP if it exceeds 10 POST or GET requests to the xmlrpc.php file in less than 3600 seconds.

Edit your file:

nano -w /usr/local/csf/bin/

Close to the end of the file, you will see an empty space. That is where we are going to place our new anti-XML-RPC rule (marked in red in the next screenshot).

(Screenshot: Blocking XML-RPC attacks with Regex Rules from CSF Firewall)

The rule is the following, just copy and paste:

# XMLRPC Defense, block IP if 10 requests in 3600 sec
# Matches GET/POST requests for /xmlrpc.php in the log watched via CUSTOM2_LOG;
# $1 captures the client IP at the start of the access-log line
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/xmlrpc\.php.*" /)) {
return ("You have been banned, please do not attack us",$1,"XmlrpcAttackDetected","10","80,443,21,25,22,23","1");
}

Once you add the rule, it should look like this (screenshot: Block XML-RPC Attacks using CSF Firewall).

Save the file, and edit the CSF configuration, as you see here:

nano -w /etc/csf/csf.conf

Search for this variable: CUSTOM2_LOG and set it as you see below:

CUSTOM2_LOG = "/var/log/xmlrpcattacks"

Save the changes and create your log file:

touch /var/log/xmlrpcattacks

Now restart CSF and LFD to apply the changes:

csf -r
service lfd restart

If you need to deactivate this XML-RPC block rule, just remove the rule from the file you edited, then restart csf and lfd once again.
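As an added example (not part of the original post), the following Python script runs the rule's regex over constructed Apache combined-format access-log lines and simulates lfd's per-IP counting with the rule's trigger of 10 hits inside 3600 seconds: it shows which lines set $1 to the client IP, which lines are ignored, and why a slow trickle of requests spread over hours never reaches the trigger. The sliding-window counting is an assumed simplification of lfd's own bookkeeping, and the log format is assumed to be Apache's combined format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# The pattern from the regex.custom.pm rule above; Perl and Python re read it identically.
XMLRPC_RE = re.compile(r'(\S+).*] "\w*(?:GET|POST) \/xmlrpc\.php.*" ')
TS_RE = re.compile(r'\[([^\]]+)\]')          # the [dd/Mon/yyyy:HH:MM:SS zone] field
TRIGGER = 10                                 # hits before lfd blocks ("10" in the return list)
WINDOW = timedelta(seconds=3600)             # the 3600 s window named in the rule's comment

def rule_matches(line):
    """Return the client IP (the rule's $1) if the line trips the regex, else None."""
    m = XMLRPC_RE.search(line)
    return m.group(1) if m else None

def log_time(line):
    return datetime.strptime(TS_RE.search(line).group(1), "%d/%b/%Y:%H:%M:%S %z")

def ips_to_block(lines, trigger=TRIGGER, window=WINDOW):
    """Assumed approximation of lfd's counting: an IP is blocked once it has
    `trigger` matching hits inside a sliding `window`. Returns the blocked IPs."""
    hits, blocked = defaultdict(deque), set()
    for line in lines:
        ip = rule_matches(line)
        if ip is None:
            continue                         # lines that do not hit xmlrpc.php are ignored
        ts, q = log_time(line), hits[ip]
        q.append(ts)
        while ts - q[0] > window:            # drop hits that fell out of the window
            q.popleft()
        if len(q) >= trigger:
            blocked.add(ip)
    return blocked

def _line(ip, ts, request):
    """Build one Apache combined-format access-log line (constructed sample data)."""
    stamp = ts.strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{stamp}] "{request} HTTP/1.1" 200 412 "-" "Mozilla/5.0"'

def sample_log():
    """Constructed traffic: one IP floods xmlrpc.php, one stays under the
    threshold, one spreads 10 hits over hours so they never share a window."""
    t0 = datetime(2020, 5, 1, 12, 0, tzinfo=timezone.utc)
    lines = [_line("203.0.113.5", t0 + timedelta(minutes=i), "POST /xmlrpc.php") for i in range(12)]
    lines.append(_line("203.0.113.5", t0, "GET /index.php"))
    lines += [_line("198.51.100.7", t0 + timedelta(minutes=i), "GET /xmlrpc.php") for i in range(3)]
    lines += [_line("192.0.2.9", t0 + timedelta(minutes=30 * i), "POST /xmlrpc.php") for i in range(10)]
    return sorted(lines, key=log_time)

if __name__ == "__main__":
    print("would be blocked:", ips_to_block(sample_log()))   # {'203.0.113.5'}
```

Because the rule only inspects lines that appear in the file CUSTOM2_LOG points to, the regex can never fire unless the web server's access-log lines actually land in that file.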


About the Author

Get your WebsiteUP today - ask us how?

Tomtechy @ Website UP