User Tools

Site Tools


fail2ban-xmlrpc

The following guide will show how to use fail2ban to block xmlrpc attacks.

We need to set up rules/regex that the jail will follow, this will look for log file entries depending on what we specify:
Create a file called: /etc/fail2ban/filter.d/xmlrpc.conf

[INCLUDES]

before = common.conf

[Definition]

failregex = ^<HOST> .*POST .*xmlrpc\.php.*
ignoreregex =
The regex above will look for POST requests to the xmlrpc file.
Now add the following configuration to your /etc/fail2ban/jail.conf file
[xmlrpc]
enabled  = true
port     = http,https
filter   = xmlrpc # name of the filter found in /etc/fail2ban/filter.d/
banaction = iptables-allports # block the ip address on all ports
logpath  =  %(nginx_access_log)s # what logs files should it read to find xmlrpc? You can specify a more accurate file if you only have 1 site that has this. 
maxretry = 5 # 5 instances matching the regex can be found before banning
findtime = 3600 # POST request found during a specific time period
bantime  = 7200 # how long IP will be banned for

fail2ban-xmlrpc.txt · Last modified: 2024/05/23 07:26 by 127.0.0.1

Except where otherwise noted, content on this wiki is licensed under the following license: Public Domain
Public Domain Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki