Sunday, March 27, 2016

How to configure fail2ban to protect WordPress xmlrpc.php from DDoS attacks



Install the fail2ban package and create a local copy of the jail configuration (jail.conf is overwritten on upgrades, jail.local is not):

yum install -y fail2ban
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
vi /etc/fail2ban/jail.local

add the following section at the end of the file. Set logpath to the access log of the web server you actually run; the log excerpt further down comes from an nginx install, on CentOS with Apache the path is /var/log/httpd/access_log instead. The iptables action below blocks only the http port; if the site is also served over HTTPS, use the iptables-multiport action with both the http and https ports, otherwise a banned host can simply keep posting over port 443.

[xmlrpc]
enabled = true
filter = xmlrpc
action = iptables[name=xmlrpc, port=http, protocol=tcp]
# use /var/log/httpd/access_log for Apache on CentOS
logpath = /var/log/nginx/access.log
bantime = 3600
maxretry = 3

Then go to the filter.d directory:

cd /etc/fail2ban/filter.d/

and create a file named xmlrpc.conf with the following content:

[Definition]
# Any POST to xmlrpc.php counts as a failure; fail2ban replaces <HOST>
# with its own IP/hostname pattern and takes the captured host as the
# address to ban.
failregex = ^<HOST> .*POST .*xmlrpc\.php.*
ignoreregex =

Keep in mind that this regex does not distinguish attacks from legitimate use: Jetpack, the WordPress mobile apps and pingbacks all POST to xmlrpc.php, so any of them that sends more than maxretry requests inside findtime (600 seconds by default) gets banned too. Add the addresses of such clients to ignoreip in the jail, or, if nothing needs XML-RPC, disable it in the web server and let fail2ban handle the rest.


restart fail2ban service:

service fail2ban restart

and watch the fail2ban log:

tail -f /var/log/fail2ban.log

fail2ban.jail    : INFO    Jail 'xmlrpc' uses poller
fail2ban.filter  : INFO    Set jail log file encoding to UTF-8
fail2ban.jail    : INFO    Initiated 'polling' backend
fail2ban.filter  : INFO    Added logfile = /var/log/nginx/access.log
fail2ban.filter  : INFO    Set maxRetry = 2
fail2ban.filter  : INFO    Set jail log file encoding to UTF-8
fail2ban.actions : INFO    Set banTime = 43600
fail2ban.filter  : INFO    Set findtime = 600
fail2ban.jail    : INFO    Jail 'xmlrpc' started
fail2ban.filter  : INFO    [xmlrpc] Found 208.67.y.xx
fail2ban.filter  : INFO    [xmlrpc] Found 46.161.y.xxx
fail2ban.actions : WARNING [xmlrpc] Ban 5.39.88.106

Each "Found" line is one failregex match; the "Ban" line is the iptables action firing once a host has reached maxretry matches within findtime. The settings fail2ban reports at startup are the ones in effect: this excerpt was taken with maxretry = 2 and bantime = 43600 rather than the values in the jail above, so check these lines after every restart to confirm your jail.local was actually picked up.
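To see what the jail does with real-looking traffic before turning it on, the following Python script (an added example, not code from the original post or from fail2ban itself) replays a few constructed nginx access-log lines through the same logic: it substitutes a host pattern for <HOST> the way fail2ban does (simplified to IPv4 only here, which is an assumption), applies the failregex from the filter above, and bans a host once it has maxretry matches inside the findtime window, honouring an ignoreip whitelist. The IP addresses and log lines are made up for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# fail2ban substitutes <HOST> with its host/IP pattern before compiling failregex.
# Simplified here to IPv4 only (assumption; the real pattern also covers IPv6
# and hostnames).
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The failregex from filter.d/xmlrpc.conf above, with <HOST> expanded.
FAILREGEX = re.compile(r"^<HOST> .*POST .*xmlrpc\.php.*".replace("<HOST>", HOST_RE))

# The combined log format of nginx/Apache carries the request time as
# [dd/Mon/yyyy:HH:MM:SS +zzzz]; fail2ban's date detector finds it the same way.
DATE_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]")

# Constructed sample log (not real traffic): one attacker hammering xmlrpc.php,
# one GET probe (never matched, the regex requires POST), one legitimate client
# posting every 20 minutes, and an unrelated POST to wp-login.php.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Mar/2016:10:00:01 +0300] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Mar/2016:10:00:02 +0300] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.20 - - [27/Mar/2016:10:00:03 +0300] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "curl/7.47.0"
203.0.113.7 - - [27/Mar/2016:10:00:03 +0300] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
192.0.2.50 - - [27/Mar/2016:10:00:05 +0300] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Jetpack"
192.0.2.50 - - [27/Mar/2016:10:20:05 +0300] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Jetpack"
192.0.2.50 - - [27/Mar/2016:10:40:05 +0300] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Jetpack"
198.51.100.9 - - [27/Mar/2016:10:41:00 +0300] "POST /wp-login.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return (ip, timestamp) if the line matches failregex, else None."""
    m = FAILREGEX.match(line)
    if not m:
        return None
    d = DATE_RE.search(line)
    if not d:
        return None
    return m.group("host"), datetime.strptime(d.group(1), "%d/%b/%Y:%H:%M:%S")


def simulate_jail(lines, maxretry=3, findtime=600, ignoreip=()):
    """Replay log lines through a jail with the given settings.

    A host is banned once it has `maxretry` matches within `findtime` seconds;
    hosts listed in `ignoreip` are never counted. Returns {ip: time_of_ban}.
    This approximates fail2ban's bookkeeping; it is not fail2ban's own code.
    """
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)   # ip -> match timestamps still inside the window
    banned = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts = parsed
        if ip in ignoreip or ip in banned:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # forget matches older than findtime
            q.popleft()
        if len(q) >= maxretry:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    for ip, when in simulate_jail(SAMPLE_LOG.splitlines()).items():
        print(f"Ban {ip} at {when:%H:%M:%S}")      # only 203.0.113.7 is banned
    # Whitelisting the attacker is obviously wrong in practice; it just shows
    # that an ignoreip entry stops the host from being counted at all.
    print(simulate_jail(SAMPLE_LOG.splitlines(), ignoreip=("203.0.113.7",)))
```

Two things the replay makes visible. First, the slow Jetpack client is never banned with the default findtime of 600 seconds but would be with a wider window and maxretry = 2, the values seen in the log excerpt above, so tune the window against your real traffic rather than copying numbers. Second, the regex is anchored on ^<HOST>, i.e. it takes the first field of the log line as the offender; behind a reverse proxy or CDN that field is the proxy's address, and the jail would ban the proxy for everyone. In that setup log the X-Forwarded-For client address in the first field or adjust the failregex accordingly.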
