Install fail2ban package:
yum install -y fail2ban
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
vi /etc/fail2ban/jail.local
add to end of file next section:
[xmlrpc]
enabled = true
filter = xmlrpc
action = iptables[name=xmlrpc, port=http, protocol=tcp]
logpath = /var/log/{nginx,apache}/access.log
bantime = 3600
maxretry = 3
Then go to filter.d directory :
cd /etc/fail2ban/filter.d/
and create xmlrpc.conf file with next content:
[Definition]
failregex = ^<HOST> .*POST .*xmlrpc\.php.*
ignoreregex =
restart fail2ban service:
service fail2ban restart
and see fail2ban log :
tail -f /var/log/fail2ban.log
fail2ban.jail : INFO Jail 'xmlrpc' uses poller
fail2ban.filter : INFO Set jail log file encoding to UTF-8
fail2ban.jail : INFO Initiated 'polling' backend
fail2ban.filter : INFO Added logfile = /var/log/nginx/access.log
fail2ban.filter : INFO Set maxRetry = 2
fail2ban.filter : INFO Set jail log file encoding to UTF-8
fail2ban.actions : INFO Set banTime = 43600
fail2ban.filter : INFO Set findtime = 600
fail2ban.jail : INFO Jail 'xmlrpc' started
fail2ban.filter : INFO [xmlrpc] Found 208.67.y.xx
fail2ban.filter : INFO [xmlrpc] Found 46.161.y.xxx
fail2ban.actions :WARNING [xmlrpc] Ban 5.39.88.106
