Well not long ago DH contacted me with this dreaded message:<\/p>\n
Hello,<\/p>\n
I’m writing you about your domain:<\/p>\n
foo.bar<\/p>\n
Specifically the file:<\/p>\n
xmlrpc.php<\/p>\n
This file is used for modifying your wordpress install from 3rd party\u00a0programs, like mobile site designers, desktop client programs, and pretty\u00a0much anything besides the wordpress control panel under wp-admin.\u00a0 Bots\u00a0and hackers have been increasingly attacking these files listed above to\u00a0try to either brute force into the wordpress installs, or cause other\u00a0downtime and server issues.\u00a0 Our security team is working on blocks and\u00a0protections to prevent these, but in the meantime this is causing server\u00a0issues and downtime for your site, so our oncall admin has had to disable\u00a0the file by changing permissions to 200 so it isn’t accessible.\u00a0 If you\u00a0don’t use external programs to modify this blog, you likely won’t even\u00a0notice any chance in behavior and it can remain.\u00a0 If you do make use of\u00a0this file, when you next need to use it it can be re-enabled by chmod.\u00a0If you have further questions please let us know.<\/p><\/blockquote>\n
This was on august 3\u2026 I suppose we where part of a severe DDOS that were targeting third party sites\u2026 BTW this was fixed with mod_rewrite hack on .htaccess [1].<\/p>\n
Two weeks ago we got report for another site I run, this time on a bigger VPS, that we where participating on an ongoing DDOS [2] that we also caught as our machine resources were drawn terribly.<\/p>\n
Yesterday we got visits again, of course we were aware of the problem and originally chmoded 000 the file, dropped via iptables 3 subnets that where hammering it and all was good, but as you can read on several places disabling this file breaks several functions of WordPress [3].<\/p>\n
So as we use nginx as front end, begin to investigate if like on apache or lighty could exist something like mod_evasive and indeed exists [2] it\u2019s called \u00a0mod_http_limit_req_module so after reading the documentation, I searched for examples and find a very good one that inspired this setup [4] so we ended with the next changes on nginx.conf:<\/p>\n
# Prevent DDOS
\nlimit_req_zone $binary_remote_addr zone=one:10m rate=1r\/m;<\/code><\/p>\nSo we are limiting request to 1 request for minute, but as you could imagine we don\u2019t want this for all the site, so next on the site conf we added<\/p>\n
location = \/xmlrpc.php
\n{
\nlimit_req zone=one burst=5;
\n}<\/code><\/p>\nSo we had 1 connection for minute on this file and a burst of five, but as this guys where hammering at more than one connection per second, well I suspect going to get a lot of 503 messages, I only expect that normal sites and ourselves not need this file more than one time for minute\u2026 on the bright side CPU, IO, and other resources are normal now, BTW some better advice if you don’t manage a server but had only access to .htaccess can be found here [1]<\/p>\n
Update: 26\/10\/2014 We ended having to tweak the limiting as WordPress itself uses to connect to the file so we ended limiting ourselves the fix was to change on the first one to limit to \u00a0six request per second instead of minute:<\/p>\n
# Prevent DDOS
\nlimit_req_zone $binary_remote_addr zone=one:10m rate=6r\/s;<\/code><\/p>\nAnd on site config to change for:<\/p>\n
location = \/xmlrpc.php
\n{
\nlimit_req zone=one burst=7 nodelay;
\n}<\/code><\/p>\nAs the docs says if you want no delay you had to add and also thinking that most modern browsers make up to 16 simultaneous connections [6] we upped the number but we don’t expect to have 16 request per second to this file.<\/p>\n
[1]https:\/\/wordpress.org\/support\/topic\/resolving-xmlrpcphp-ddos-attack-with-htaccess-redirect
\n[2]\u00a0http:\/\/blog.sucuri.net\/2014\/03\/more-than-162000-wordpress-sites-used-for-distributed-denial-of-service-attack.html
\n<\/a>[3]\u00a0<\/span>https:\/\/wordpress.org\/support\/topic\/xmlrpcphp-attack-on-wordpress-38
\n<\/a>[4]\u00a0<\/span>http:\/\/nginx.org\/en\/docs\/http\/ngx_http_limit_req_module.html
\n<\/a>[5]\u00a0https:\/\/cowthink.org\/flood-dos-protection-with-limit-req-in-nginx\/
\n<\/a>[<\/a>6]\u00a0<\/span>http:\/\/kb.mozillazine.org\/Network.http.max-connections-per-server<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"Well not long ago DH contacted me with this dreaded message: Hello, I’m writing you about your domain: foo.bar Specifically the file: xmlrpc.php This file is used for modifying your wordpress install from 3rd party\u00a0programs, like mobile site designers, desktop … Sigue leyendo