The Community Forums


Preventing xmlrpc.php server-side?

Discussion in 'Security' started by Arkaic, Aug 29, 2016.

  1. Arkaic

    Arkaic Member

    Joined:
    Jun 23, 2015
    Messages:
    22
    Likes Received:
    3
    Trophy Points:
    3
    Location:
    United Kingdom
    cPanel Access Level:
    Root Administrator
    Hi there,

    We're seeing an increase in xmlrpc.php attacks recently, which are flooding and overloading the server to the point that it's consuming all resources and we're unable to even log in without rebooting the server first.

    Any advice on whether it's possible to block xmlrpc.php - completely - from the server side of things rather than going into each WordPress? As there could be several hundred WordPress sites on a single server, modifying each WordPress install would not be feasible.

    Alternatively, what can be done to prevent a single script or file from consuming so much resources that it overloads the server? I thought this is what PT_USERMEM kill in CSF would do but this doesn't seem to pick it up.

    Any recommendations would be greatly appreciated.
     
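Before blocking anything it helps to know where the flood is coming from and, afterwards, to confirm the block is being served by Apache rather than PHP. The script below is an added example and is not from the original thread; it assumes Apache "combined" log format as cPanel writes under /usr/local/apache/domlogs/, and the sample log it runs against is constructed (RFC 5737 documentation addresses), not real traffic.

```shell
#!/bin/sh
# Added example, not from the original thread: attribute an xmlrpc.php flood
# from Apache access logs before (and after) blocking it. Assumptions: logs
# are in Apache "combined" format, as cPanel writes them under
# /usr/local/apache/domlogs/; the sample log below is constructed, not real.

# Usage: xmlrpc_offenders LOGFILE [THRESHOLD]
# Prints "COUNT IP" for each client with more than THRESHOLD (default 20)
# POST requests to xmlrpc.php, busiest first. GETs are ignored because
# WordPress answers them with 405 without doing any real work.
xmlrpc_offenders() {
    awk -v limit="${2:-20}" '
        # combined format: IP - - [date tz] "METHOD /path HTTP/x" status bytes ...
        {
            split($7, p, "?")                      # drop any query string
            if ($6 == "\"POST" && p[1] ~ /\/xmlrpc\.php$/) hits[$1]++
        }
        END {
            for (ip in hits)
                if (hits[ip] > limit) printf "%d %s\n", hits[ip], ip
        }
    ' "$1" | sort -rn
}

# Usage: xmlrpc_status_summary LOGFILE
# Prints "STATUS COUNT" for every request to xmlrpc.php, most frequent first.
# After a server-side block the 200s should turn into 403s; a 403 is served
# by Apache without invoking PHP, which is what stops the resource drain.
xmlrpc_status_summary() {
    awk '
        {
            split($7, p, "?")
            if (p[1] ~ /\/xmlrpc\.php$/) st[$9]++
        }
        END { for (s in st) printf "%s %d\n", s, st[s] }
    ' "$1" | sort -k2,2 -rn
}

# Constructed sample log (RFC 5737 documentation addresses, not real traffic).
make_sample_log() {
    cat <<'EOF'
203.0.113.7 - - [29/Aug/2016:10:00:01 +0100] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Aug/2016:10:00:01 +0100] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.9 - - [29/Aug/2016:10:00:02 +0100] "POST /xmlrpc.php?foo=1 HTTP/1.1" 200 370 "-" "Mozilla/5.0"
192.0.2.5 - - [29/Aug/2016:10:00:02 +0100] "GET /index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Aug/2016:10:00:03 +0100] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Aug/2016:10:00:03 +0100] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
192.0.2.5 - - [29/Aug/2016:10:00:04 +0100] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Aug/2016:10:05:00 +0100] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.9 - - [29/Aug/2016:10:05:01 +0100] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
EOF
}

# Demo run against the constructed sample.
sample="$(mktemp)"
make_sample_log > "$sample"
echo "POST offenders (> 2 requests):"
xmlrpc_offenders "$sample" 2
echo "xmlrpc.php responses by status:"
xmlrpc_status_summary "$sample"
rm -f "$sample"
```

On a live cPanel box you would point `xmlrpc_offenders` at `/usr/local/apache/domlogs/<domain>` (or `cat` several logs together) and feed the resulting IPs to CSF, and run `xmlrpc_status_summary` after applying a server-side block to confirm the responses have become 403s.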
  2. Dave Smith

    Dave Smith Member

    Joined:
    Mar 20, 2016
    Messages:
    13
    Likes Received:
    5
    Trophy Points:
    3
    Location:
    Lisbon
    cPanel Access Level:
    Root Administrator
    Hi Arkaic,
    You could try adding the following to your httpd.conf


    Code:
    # Match exactly xmlrpc.php in every vhost and refuse it before PHP is invoked
    <FilesMatch "^xmlrpc\.php$">
    # Apache 2.2 access-control syntax; on Apache 2.4 use "Require all denied" instead
    Order Deny,Allow
    Deny from all
    </FilesMatch>
     
  3. Arkaic

    Arkaic Member

    Joined:
    Jun 23, 2015
    Messages:
    22
    Likes Received:
    3
    Trophy Points:
    3
    Location:
    United Kingdom
    cPanel Access Level:
    Root Administrator
    Hi Dave,

    This looks to have done the trick, thank you.
     
  4. 24x7server

    24x7server Well-Known Member

    Joined:
    Apr 17, 2013
    Messages:
    1,146
    Likes Received:
    34
    Trophy Points:
    48
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Hello :),

    Also, you can add the following mod_security rules on your server to prevent xmlrpc attacks.

    Code:
    # Scope the rules to xmlrpc.php only (dot escaped, anchored)
    <FilesMatch "^xmlrpc\.php$">
        # Count failed XML-RPC calls: WordPress returns "faultString" in the
        # response body on failure. The counter decays by 1 every 300 seconds.
        # RESOURCE is a persistent collection, so SecDataDir must be set and the
        # collection initialised (initcol) elsewhere in the ModSecurity config.
        SecRule RESPONSE_BODY "faultString" "id:19301,nolog,phase:4,\
            t:none,t:urlDecode,setvar:RESOURCE.xmlrpc_bf_counter=+1,\
            deprecatevar:RESOURCE.xmlrpc_bf_counter=1/300,pass"
    
        # Deny any wp.* method call once more than 4 failures have been counted.
        # STREAM_INPUT_BODY is only populated when SecStreamInBodyInspection is On.
        SecRule STREAM_INPUT_BODY "<methodCall>wp\." "id:19302,log,chain,\
            deny,status:406,phase:4,t:none,t:urlDecode,\
            msg:'Temporary block due to multiple XML-RPC method call failures'"
    
        SecRule RESOURCE:xmlrpc_bf_counter "@gt 4" "t:none,t:urlDecode,\
            t:removeWhitespace"
    </FilesMatch>
     
  5. Dave Smith

    Dave Smith Member

    Joined:
    Mar 20, 2016
    Messages:
    13
    Likes Received:
    5
    Trophy Points:
    3
    Location:
    Lisbon
    cPanel Access Level:
    Root Administrator
    No problem. Happy it helped.
     
  7. linux4me2

    linux4me2 Well-Known Member

    Joined:
    Aug 21, 2015
    Messages:
    83
    Likes Received:
    15
    Trophy Points:
    8
    Location:
    USA
    cPanel Access Level:
    Root Administrator
    We were having an issue with this as well, though not to the degree you describe. It sounds like you've resolved it, but I thought I'd pass along a couple of other options.

    One is to add the Comodo WAF rules as a vendor in ModSecurity. It includes an XMLRPC rule, though it wasn't preventing all the attacks we were experiencing.

    The other thing that seems to work very well is to add the following to an individual site's .htaccess:
    Code:
    <IfModule mod_rewrite.c>
        # Required in a per-directory context unless already enabled above
        RewriteEngine On
        # Null route XMLRPC to disable it: send the client to a non-routable
        # address with a 301 instead of executing xmlrpc.php
        RewriteRule ^xmlrpc\.php$ "http://0.0.0.0/" [R=301,L]
    </IfModule>
    I haven't tried adding it globally, because I wanted to leave the option open for some sites to use the WordPress functions that require it, but you could probably add the above via Service Configuration -> Apache Configuration -> Include Editor -> Pre VirtualHost Include -> All Versions and have it work globally.
     
  8. dazeck

    dazeck Well-Known Member

    Joined:
    Jul 19, 2014
    Messages:
    57
    Likes Received:
    9
    Trophy Points:
    8
    Location:
    England
    cPanel Access Level:
    Root Administrator
    I'm still a bit new to this, but doesn't httpd.conf get rebuilt, which would remove this change?

    Is it best to add to pre_main_global.conf or pre_virtualhost_global.conf or post_virtualhost_global.conf ?

    Regards
    Darren
     
  9. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,811
    Likes Received:
    672
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Yes, you must add custom entries to those files or through the WHM options referenced in the post before yours to ensure modifications are preserved.

    Thank you.
     