server crash due to ddos attack xmlrpc.php

Operating System & Version
CentOS v7.9.2009 STANDARD standard
cPanel & WHM Version
106.0.7

Gabriel Esteban (Registered Dec 13, 2021, Madrid)
cPanel Access Level: Root Administrator
Hello, I have a problem with a DDOS attack carried out on the xmlrpc.php files of my host.
We have detected that the host has a high CPU consumption; checking the load indicates that there are many processes of the type: /opt/cpanel/ea-php74/root/usr/bin/php-cgi /home/DOMAIN.LTD/public_html /index.php
and in the apache status it indicates many requests of the type:
http/1.1 subdomain.domain.ltd:443 POST /xmlrpc.php HTTP/1.1

This happens to me if I have port 80 open, since if I only leave port 443 open, the server consumes little CPU, or an acceptable amount of CPU, again.

We have assumed that it is a security problem in the WordPress xmlrpc.php file and we have taken the following measures:

In the Apache configuration directory we have created a configuration file to prevent the file from being loaded if it is requested.
Inside /etc/apache2/conf.d I have created the file xmlrpc.conf with the following code:
# Deny every request for xmlrpc.php in any directory served by Apache
<Files "xmlrpc.php">
    Require all denied
</Files>
I have also created my own configuration according to cPanel instructions:
We have also put the necessary blocking measures in WordPress's .htaccess.

Even so, as soon as I open port 80, Apache starts to increase consumption and blocks the server.
Let's see if someone can give me a hint to improve security.

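A quick way to see whether the traffic the poster describes is a flood from a few sources or spread across many is to count POST /xmlrpc.php requests per client IP in the Apache access log. The script below is an added example for this thread, not code from the original post or from cPanel; the log lines embedded in it are constructed, the threshold of 3 is an assumption for the sample, and the domlog path mentioned in the usage note is the one cPanel normally uses but is not stated on the page.

```python
"""Count POST /xmlrpc.php requests per client IP in Apache combined-format
access log lines and flag sources that exceed a threshold.

Added example for this forum thread; not code from cPanel or the poster.
The sample log lines are constructed and the threshold is an assumption.
"""
import re
from collections import Counter

# Apache "combined" log format (the format cPanel writes to its domlogs).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines (documentation-range IPs, not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [14/Jun/2023:10:00:01 +0200] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.5 - - [14/Jun/2023:10:00:01 +0200] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.5 - - [14/Jun/2023:10:00:02 +0200] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
198.51.100.9 - - [14/Jun/2023:10:00:02 +0200] "GET /index.php HTTP/1.1" 200 9123 "-" "Mozilla/5.0"
198.51.100.9 - - [14/Jun/2023:10:00:03 +0200] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
192.0.2.77 - - [14/Jun/2023:10:00:03 +0200] "POST /wp-login.php HTTP/1.1" 200 3000 "-" "curl/7.61"
this line is garbage and should be skipped
"""


def parse_line(line):
    """Return the named groups of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def count_xmlrpc_posts(log_text, path="/xmlrpc.php"):
    """Count POST requests to `path` per client IP, regardless of status code.

    A 403 from a <Files> deny still costs Apache a worker slot, so blocked
    requests are counted too: they show that the deny rule is being hit.
    """
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not in combined format
        if rec["method"] == "POST" and rec["path"].split("?", 1)[0] == path:
            counts[rec["ip"]] += 1
    return counts


def offenders(counts, threshold=3):
    """IPs at or above `threshold`, sorted by count (descending) then address."""
    return sorted(
        ((ip, n) for ip, n in counts.items() if n >= threshold),
        key=lambda item: (-item[1], item[0]),
    )


if __name__ == "__main__":
    for ip, n in offenders(count_xmlrpc_posts(SAMPLE_LOG)):
        print(f"{ip} {n} POST /xmlrpc.php")
```

On a cPanel server the per-domain logs normally live under /etc/apache2/logs/domlogs/ (assumed here; check your own paths), with a separate -ssl_log file for port 443 traffic, so running the counter over the plain-HTTP log is the direct way to check the poster's observation that closing port 80 makes the load disappear. If a handful of addresses dominate the counts, a firewall rule at the host or provider level stops the traffic before Apache spends a worker on it; if the counts are spread thinly across thousands of addresses, only upstream filtering by the provider will help, which is the point made in the reply below.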
cPRex (Jurassic Moderator, Staff member, joined Oct 19, 2014)
cPanel Access Level: Root Administrator
Hey there! If the DDoS is that large that it is taking the server offline, it would be best to reach out to your hosting provider to see if there is anything they can offer to handle this outside of your machine. Anything you do on the server side will still mean that your system needs to handle all that traffic, so it will still be slower than necessary.

You could try using a tool like mod_evasive:


but it sounds like these attacks are already more than that will handle.
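For readers who want to try the mod_evasive suggestion, the configuration below is an added example for this thread, not from cPRex's reply, the original post or cPanel. It assumes mod_evasive is installed under EasyApache 4 and that the file is dropped into /etc/apache2/conf.d/ next to the poster's xmlrpc.conf; the limits are assumptions to tune against your own domlogs, and the module identifier is the one upstream mod_evasive uses, so confirm it with `httpd -M` before relying on the IfModule guard.

```apache
# Added example, not part of the original thread or cPanel's own configuration.
# Assumes mod_evasive is installed via EasyApache 4 and this file lives in
# /etc/apache2/conf.d/. Apache does not allow comments on directive lines,
# so each note sits on its own line. All numbers are assumptions.
<IfModule evasive20_module>
    DOSHashTableSize    3097
    # More than 5 requests for the same URI within 1 second from one IP -> 403
    DOSPageCount        5
    DOSPageInterval     1
    # More than 50 requests for any URI on the site within 1 second from one IP -> 403
    DOSSiteCount        50
    DOSSiteInterval     1
    # Seconds an IP keeps receiving 403 after tripping a limit
    DOSBlockingPeriod   60
    # Directory for per-IP lock files (must be writable by the Apache user)
    DOSLogDir           /var/log/mod_evasive
    # Never block the server itself; add monitoring hosts here as needed
    DOSWhitelist        127.0.0.1
</IfModule>
```

Note the caveat in the reply still applies: mod_evasive only turns an expensive PHP request into a cheap 403, and every request still reaches Apache, so it helps against a modest flood but cannot stop one large enough to saturate the link or the worker pool.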